Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Otherwise SecureBoot signatures may be stripped too. We used to exclude shared libraries from this strip as they were supposed to be covered by another brp script (brp-strip-shared), however it turned out the latter was never really used, so we removed the exclusion in commit 0ab151a. As it turns out, that was a little too ambitious, since we may now inadvertently strip SecureBoot signatures from kernel modules too, provided that they're made during the build, prior to the invocation of brp-strip. Note that this regression currently does *not* affect the following two cases on Fedora/RHEL systems with redhat-rpm-config installed: - in-tree kernel modules; these are built from kernel.spec which already contains a hack ensuring that module signing only happens *after* any stripping (see %__modsign_install_post in kernel.spec) - out-of-tree kernel modules built with debuginfo enabled; this is because brp-strip is only called when %debug_package is set to %{nil} Any other combinations may be affected, depending on the macros and .spec files used, so let's fix this by effectively "reverting" said commit for .ko files only. Fixes: rhbz#1967291
- Loading branch information
cfdb830
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was known and expected behavior that we have been working around since we started signing things many years ago. Now they just aren't getting stripped.