From 2b7954bb52a5f388faed58451386c14173fce688 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 16 Nov 2025 06:30:09 -0600
Subject: [PATCH] ci: Sign the kernel modules

It turns out, everything is already in place to enable kernel module signing. All that's necessary is to provide a certificate and private key at the correct path; if those are present, the modules files will be signed during `modules_install`.
---
 ci/Jenkinsfile | 7 ++++++-
 ci/build.sh | 4 ++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
index 113ed2a..40daa1f 100644
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -32,7 +32,12 @@ pipeline {
 stage('Build') {
 steps {
- sh '. ci/build.sh'
+ withCredentials([file(
+ credentialsId: 'kmod-signing-cert',
+ variable: 'SIGNING_KEY',
+ )]) {
+ sh '. ci/build.sh'
+ }
 }
 }
 }
 }
diff --git a/ci/build.sh b/ci/build.sh
index 0c11384..64db21f 100644
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -1,6 +1,10 @@
 #!/bin/sh
 if [ $(id -u) -eq 0 ]; then
+ kver=$(rpm -q --qf %{VERSION}-%{RELEASE}.%{ARCH} kernel-devel)
+ ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.x509
+ ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.pem
+
 exec setpriv --clear-groups --reuid 1000 --regid 1000 --inh-caps=-all \
 sh -ex ci/build.sh
 fi
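Review bot: `withCredentials` wraps the entire `sh '. ci/build.sh'` call, so the module-signing private key file stays bound for every command the build script runs, including the part that re-executes as uid 1000. If this pipeline also builds branches or pull requests from people who should not hold the key, any change to `ci/build.sh` or the build inputs runs with the file at `$SIGNING_KEY` in reach; Jenkins masks the path in the log, not the file's contents. Consider limiting the binding to trusted refs with a `when { branch ... }` condition on a separate signing stage, or at least record the assumption with a comment such as `// SIGNING_KEY is the kmod signing private key: only trusted refs may reach this block`. The `pipeline` block begins outside this hunk, so any existing branch restriction is not visible here.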
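Review bot: The two `ln -s` lines fail whenever `SIGNING_KEY` is empty or a link is left over from an earlier run in the same image, and since the Jenkins `sh` step runs with `-e` by default that aborts the build before the privilege drop. The commit message describes signing as conditional on the files being present, so guard the block with `if [ -n "${SIGNING_KEY:-}" ]; then` and use `ln -sf -- "${SIGNING_KEY}" "/usr/src/kernels/${kver}/certs/signing_key.pem"` (likewise for `.x509`) with the destination quoted. Both names point at the same credential file, so the private key sits under a path the uid-1000 build can reach; whether it is readable there depends on the file mode Jenkins gives it, which is not visible here and is worth confirming. `kver` also assumes exactly one `kernel-devel` package is installed, since `rpm -q` prints one entry per installed version and this format has no separator.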