ci: Sign the kernel modules

It turns out, everything is already in place to enable kernel module
signing.  All that's necessary is to provide a certificate and private
key at the correct path; if those are present, the modules files will be
signed during `modules_install`.

ci/Jenkinsfile

@@ -32,7 +32,12 @@ pipeline {
 
                     stage('Build') {
                         steps {
-                            sh '. ci/build.sh'
+                            withCredentials([file(
+                                credentialsId: 'kmod-signing-cert',
+                                variable: 'SIGNING_KEY',
+                            )]) {
+                                sh '. ci/build.sh'
+                            }
                         }
                     }
                 }

ci/build.sh

@@ -1,6 +1,10 @@
 #!/bin/sh
 
 if [ $(id -u) -eq 0 ]; then
+    kver=$(rpm -q --qf %{VERSION}-%{RELEASE}.%{ARCH} kernel-devel)
+    ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.x509
+    ln -s "${SIGNING_KEY}" /usr/src/kernels/${kver}/certs/signing_key.pem
+
     exec setpriv --clear-groups --reuid 1000 --regid 1000 --inh-caps=-all \
         sh -ex ci/build.sh
 fi