ci: Sign the kernel modules

It turns out, everything is already in place to enable kernel module signing. All that's necessary is to provide a certificate and private key at the correct path; if those are present, the modules files will be signed during `modules_install`.
2025-11-16 06:30:09 -06:00
parent cdc38a9f5a
commit 2b7954bb52
2 changed files with 10 additions and 1 deletions
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -32,7 +32,12 @@ pipeline {

                    stage('Build') {
                        steps {
-                            sh '. ci/build.sh'
+                            withCredentials([file(
+                                credentialsId: 'kmod-signing-cert',
+                                variable: 'SIGNING_KEY',
+                            )]) {
+                                sh '. ci/build.sh'
+                            }
                        }
                    }
                }
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -1,6 +1,10 @@
 #!/bin/sh

 if [ $(id -u) -eq 0 ]; then
+    kver=$(rpm -q --qf %{VERSION}-%{RELEASE}.%{ARCH} kernel-devel)
+    ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.x509
+    ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.pem
+
    exec setpriv --clear-groups --reuid 1000 --regid 1000 --inh-caps=-all \
        sh -ex ci/build.sh
 fi