Sign modules using an ephemeral key; bump ABI for every upload (!1600) · Merge requests · Debian kernel team / linux · GitLab

Ben Hutchings requested to merge benh/linux:mod-sign-ephemeral-6.1 into debian/6.1/bookworm Aug 07, 2025

Backport @waldi's changes to use an ephemeral signing key:

Drop not needed extra step to add debug links
Sign modules using an ephemeral key
Not longer request Secure Boot signing for modules
Don't trust Secure Boot key any longer
Part of "Merge main image build and install into one target"
Store build time signing key encrypted

Backport my changes to check the kernel config for Secure Boot:

d/b/buildcheck.py, d/rules.real: Run buildcheck.py in setup as well
d/b/buildcheck.py: Check config of kernel to be signed

Generate a unique ABI name for every upload, without changing the current format:

d/rules: Include target suite as an input to gencontrol.py
Generate kernel ABI name suffix automatically if not configured
d/c/defines: Delete ABI name suffix
d/salsa-ci.yml: Ignore pycodestyle error E241

Edited Aug 16, 2025 by Ben Hutchings