kernel.spec: add conditional to include rhel trusted certificates

eric-ch · eric-ch · commit cb1381d642d2 · 2025-07-16T18:37:25.000-04:00
JIRA: https://issues.redhat.com/browse/RHEL-78808 Upstream Status: https://gitlab.com/cki-project/kernel-ark.git commit a33e9393045ef6da5326df79af93cfa263fdb194 Author: Eric Chanudet <echanude@redhat.com> Date: Fri Jun 27 17:19:10 2025 -0400 kernel.spec: add conditional to include rhel trusted certificates rhel build flavors add additional certificates (DUP, kpatch, nvidiagpu) to the system trusted keyring by default if the kernel or modules are signed. Condition that inclusion should a build want to, for example, sign modules, but not add said certificates to the kernel system keyring. This configuration is only used by automotive, no change to other artifacts. Signed-off-by: Eric Chanudet <echanude@redhat.com> Signed-off-by: Eric Chanudet <echanude@redhat.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
@@ -111,6 +111,9 @@ Summary: The Linux kernel
 # Sign modules on all arches
 %global signmodules 1
 
+# Add additional rhel certificates to system trusted keys.
+%global rhelkeys 1
+
 # Compress modules only for architectures that build modules
 %ifarch noarch
 %global zipmodules 0
@@ -454,6 +457,7 @@ Summary: The Linux kernel
 %define with_kabidw_base 0
 %define signkernel 0
 %define signmodules 1
+%define rhelkeys 0
 %endif
 
 
@@ -2018,12 +2022,16 @@ done
 %if %{signkernel}%{signmodules}
 
 # Add DUP and kpatch certificates to system trusted keys for RHEL
+truncate -s0 ../certs/rhel.pem
 %if 0%{?rhel}
+%if %{rhelkeys}
 %{log_msg "Add DUP and kpatch certificates to system trusted keys for RHEL"}
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
-cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem >> ../certs/rhel.pem
+# rhelkeys
+%endif
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
