From 363368c67045657b012a2756f54b4c04de01e4ef Mon Sep 17 00:00:00 2001
From: Benjamin Sherman <benjamin@holyarmy.org>
Date: Fri, 12 Jan 2024 14:33:41 -0600
Subject: [PATCH] fix: preserve linux kmod signature in zfs-kmod rpm spec

This change provides rpm spec macros to sign the zfs and spl kmods as
the final step after the %install scriptlet. This is needed since the
find-debuginfo.sh script strips out debug symbols plus signatures.

Kernel module signing only occurs when the required files are present
as typically required in the Linux source tree:
- certs/signing_key.pem
- certs/signing_key.x509

The method for overriding the default __spec_install_post macro is
inspired by (and largely copied from) the Fedora kernel.spec.

Reviewed-by: Tony Hutter <hutter2@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Benjamin Sherman <benjamin@holyarmy.org>
Closes #15744
---
 rpm/generic/zfs-kmod.spec.in | 24 ++++++++++++++++++++++++
 rpm/redhat/zfs-kmod.spec.in  | 24 ++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/rpm/generic/zfs-kmod.spec.in b/rpm/generic/zfs-kmod.spec.in
index 3c73e2ff2d..4cc075585d 100644
--- a/rpm/generic/zfs-kmod.spec.in
+++ b/rpm/generic/zfs-kmod.spec.in
@@ -150,6 +150,30 @@ for kernel_version in %{?kernel_versions}; do
 done
 
 
+# Module signing (modsign)
+#
+# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
+# the signature off of the modules.
+# (Based on Fedora's kernel.spec workaround)
+%define __modsign_install_post \
+    sign_pem="%{ksrc}/certs/signing_key.pem"; \
+    sign_x509="%{ksrc}/certs/signing_key.x509"; \
+    if [ -f "${sign_x509}" ]\
+    then \
+        echo "Signing kernel modules ..."; \
+        for kmod in $(find ${RPM_BUILD_ROOT}%{kmodinstdir_prefix}/*/extra/ -name \*.ko); do \
+            %{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
+        done \
+    fi \
+%{nil}
+
+# hack to ensure signing happens after find-debuginfo.sh runs
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}}\
+    %{__arch_install_post}\
+    %{__os_install_post}\
+    %{__modsign_install_post}
+
 %install
 rm -rf ${RPM_BUILD_ROOT}
 
diff --git a/rpm/redhat/zfs-kmod.spec.in b/rpm/redhat/zfs-kmod.spec.in
index f59551c0b4..9c836786ba 100644
--- a/rpm/redhat/zfs-kmod.spec.in
+++ b/rpm/redhat/zfs-kmod.spec.in
@@ -72,6 +72,30 @@ fi
         %{?kernel_llvm}
 make %{?_smp_mflags}
 
+# Module signing (modsign)
+#
+# This must be run _after_ find-debuginfo.sh runs, otherwise that will strip
+# the signature off of the modules.
+# (Based on Fedora's kernel.spec workaround)
+%define __modsign_install_post \
+        sign_pem="%{ksrc}/certs/signing_key.pem"; \
+        sign_x509="%{ksrc}/certs/signing_key.x509"; \
+        if [ -f "${sign_x509}" ]\
+        then \
+            echo "Signing kernel modules ..."; \
+            for kmod in $(find %{buildroot}/lib/modules/%{kverrel}/extra/ -name \*.ko); do \
+                    %{ksrc}/scripts/sign-file sha256 ${sign_pem} ${sign_x509} ${kmod}; \
+            done \
+        fi \
+%{nil}
+
+# hack to ensure signing happens after find-debuginfo.sh runs
+%define __spec_install_post \
+        %{?__debug_package:%{__debug_install_post}}\
+        %{__arch_install_post}\
+        %{__os_install_post}\
+        %{__modsign_install_post}
+
 %install
 make install \
         DESTDIR=${RPM_BUILD_ROOT} \