From: Kenton Groombridge
To: gentoo-dev@lists.gentoo.org
Date: Mon, 27 Jun 2022 16:02:55 -0400
Subject: Re: [gentoo-dev] [PATCH] linux-mod.eclass: support module signing
Message-ID: <20220627200255.bsikofgbnpc4lgjp@fuuko>

> > Why can't we do both in pkg_preinst? I am thinking it would be best if
> > we drop the current compression implementation and rework your old code
> > to handle both compression and signing since the signing code is more or
> > less already complete.
>
> i'm not sure if sign-file can sign compressed modules.

sign-file will not error when signing a compressed module, but the
kernel will not be able to load it.

> if we let kernel build handle compression - we have to sign prior to
> compression.
> if we compress modules ourselves then yes, we could sign first indeed.
>
> but preinst has its own issues, you've already seen floppym's remark.
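
The ordering constraint discussed in this message (sign first, compress afterwards), as an added example that is not part of the original e-mail or of linux-mod.eclass: a check to run before sign-file that classifies a module file by its compression magic bytes and by the kernel's appended-signature marker, and flags a signature appended to an already compressed file. The function names and the sample files are constructed for illustration.

```bash
# Added example; function names are hypothetical, not part of linux-mod.eclass.
# Marker string the kernel expects at the very end of a signed module file.
MODSIG_MARKER='~Module signature appended~'

hex() { od -An -tx1 | tr -d ' \n'; }

# Print the compression format indicated by the file's magic bytes, or "none".
mod_compression() {
    case $(head -c 6 "$1" | hex) in
        1f8b*)          echo gzip ;;
        fd377a585a00*)  echo xz ;;
        28b52ffd*)      echo zstd ;;
        *)              echo none ;;
    esac
}

# Succeed if the file ends with the marker followed by a newline (28 bytes).
mod_is_signed() {
    [ "$(tail -c 28 "$1" | hex)" = "$(printf '%s\n' "${MODSIG_MARKER}" | hex)" ]
}

# Classify a file before it is handed to sign-file:
#   unsigned          sign now, compress afterwards
#   signed            already signed, nothing to do
#   compressed:<fmt>  decompress first; the payload's signature state is unknown
#   broken:<fmt>      a signature was appended to a compressed file
mod_sign_state() {
    local fmt
    fmt=$(mod_compression "$1")
    if [ "${fmt}" = none ]; then
        if mod_is_signed "$1"; then echo signed; else echo unsigned; fi
    elif mod_is_signed "$1"; then
        echo "broken:${fmt}"
    else
        echo "compressed:${fmt}"
    fi
}

# Constructed sample files (not real modules), one per state.
demo() {
    local d f; d=$(mktemp -d)
    printf '\177ELF constructed module body, longer than the marker' > "${d}/plain.ko"
    { cat "${d}/plain.ko"; printf 'SIG%s\n' "${MODSIG_MARKER}"; } > "${d}/signed.ko"
    printf '\037\213\010 constructed stream' > "${d}/plain.ko.gz"
    { cat "${d}/plain.ko.gz"; printf 'SIG%s\n' "${MODSIG_MARKER}"; } > "${d}/bad.ko.gz"
    for f in plain.ko signed.ko plain.ko.gz bad.ko.gz; do
        printf '%s %s\n' "${f}" "$(mod_sign_state "${d}/${f}")"
    done
    rm -rf "${d}"
}
demo
```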