Re: [PATCH] kbuild: Use objtree for module signing key path

Next message: Vladimir Zapolskiy: "Re: [PATCH] media: qcom: camss: Use a macro to specify the initial buffer count"
Previous message: Vladimir Zapolskiy: "Re: [PATCH v4 1/2] dt-bindings: media: qcom,qcs8300-camss: Add missing power supplies"
In reply to: mike . malyshev: "[PATCH] kbuild: Use objtree for module signing key path"
Next in thread: Nathan Chancellor: "Re: [PATCH] kbuild: Use objtree for module signing key path"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nicolas Schier

Date: Wed Oct 15 2025 - 15:22:29 EST

On Wed, Oct 15, 2025 at 04:34:52PM +0000, mike.malyshev@xxxxxxxxx wrote:
> From: Mikhail Malyshev <mike.malyshev@xxxxxxxxx>
>
> When building out-of-tree modules with CONFIG_MODULE_SIG_FORCE=y,
> module signing fails because the private key path uses $(srctree)
> while the public key path uses $(objtree). Since signing keys are
> generated in the build directory during kernel compilation, both
> paths should use $(objtree) for consistency.
>
> This causes SSL errors like:
> SSL error:02001002:system library:fopen:No such file or directory
> sign-file: /kernel-src/certs/signing_key.pem
>
> The issue occurs because:
> - sig-key uses: $(srctree)/certs/signing_key.pem (source tree)
> - cmd_sign uses: $(objtree)/certs/signing_key.x509 (build tree)
>
> But both keys are generated in $(objtree) during the build.
>
> This complements commit 25ff08aa43e37 ("kbuild: Fix signing issue for
> external modules") which fixed the scripts path and public key path,
> but missed the private key path inconsistency.
>
> Fixes out-of-tree module signing for configurations with separate
> source and build directories (e.g., O=/kernel-out).
>
> Signed-off-by: Mikhail Malyshev <mike.malyshev@xxxxxxxxx>
> ---
> scripts/Makefile.modinst | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

Thanks!

Tested-by: Nicolas Schier <nsc@xxxxxxxxxx>

I am going to wait a few days for possible tags and other feedback.

--
Nicolas