update readme

Radon 2025-09-23 19:09:31 -05:00
parent 155a49f097
commit d882455619


@ -1,4 +1,3 @@
```bash
# Enable/disable automatic signing on kernel updates# Kernel Signer # Enable/disable automatic signing on kernel updates# Kernel Signer
A secure boot kernel signing utility for Red Hat based systems (RHEL, CentOS, Fedora, Rocky Linux, AlmaLinux, etc.). A secure boot kernel signing utility for Red Hat based systems (RHEL, CentOS, Fedora, Rocky Linux, AlmaLinux, etc.).
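Review bot: the heading line still reads "# Enable/disable automatic signing on kernel updates# Kernel Signer" on both sides of this hunk, so the README title remains fused with a comment that belongs to the ksigner.conf example further down. Suggest reducing it to "# Kernel Signer" so the page renders with a clean title.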
@ -8,7 +7,7 @@ A secure boot kernel signing utility for Red Hat based systems (RHEL, CentOS, Fe
This package provides a comprehensive solution for signing Linux kernels with custom keys for Secure Boot environments. It includes: This package provides a comprehensive solution for signing Linux kernels with custom keys for Secure Boot environments. It includes:
- Automatic key generation and MOK enrollment - Automatic key generation and MOK enrollment
- Support for signing individual or all kernels - Support for signing individual or all kernels
- Configurable through `/etc/ksigner/ksigner.conf` - Configurable through `/etc/ksigner/ksigner.conf`
- Comprehensive logging and status reporting - Comprehensive logging and status reporting
@ -17,11 +16,9 @@ This package provides a comprehensive solution for signing Linux kernels with cu
### Building the RPM ### Building the RPM
1. Install build dependencies: 1. Install build dependencies:
```bash ```bash
# RHEL/CentOS/Rocky/Alma # RHEL/CentOS/Rocky/Alma
sudo dnf install rpm-build rpmdevtools sudo dnf install rpm-build rpmdevtools
# Create build environment # Create build environment
rpmdev-setuptree rpmdev-setuptree
``` ```
@ -47,7 +44,7 @@ sudo rpm -ivh ksigner*.rpm
The following packages will be automatically installed as dependencies: The following packages will be automatically installed as dependencies:
- `openssl` - Key generation and certificate operations - `openssl` - Key generation and certificate operations
- `mokutil` - Machine Owner Key management - `mokutil` - Machine Owner Key management
- `sbsigntools` - Kernel signing utilities - `sbsigntools` - Kernel signing utilities
- `hmaccalc` - HMAC generation for signed kernels - `hmaccalc` - HMAC generation for signed kernels
- `sudo` - Privilege escalation - `sudo` - Privilege escalation
@ -86,26 +83,15 @@ Edit `/etc/ksigner/ksigner.conf` to customize behavior:
# Enable/disable automatic signing on kernel updates # Enable/disable automatic signing on kernel updates
SIGN_ON_UPDATE=true SIGN_ON_UPDATE=true
# Type of automatic signing (sign, sign-lts, sign-all, sign-all-lts) # Type of automatic signing (sign, sign-all)
AUTO_SIGN_TYPE="sign-lts" AUTO_SIGN_TYPE="sign-all"
# Define which kernel versions are considered LTS
LTS_VERSIONS=(
"6.12"
"6.6"
"6.1"
"5.15"
"5.10"
)
``` ```
## Commands ## Commands
- `ksigner setup` - Create and install signing keys - `ksigner setup` - Create and install signing keys
- `ksigner sign [kernel_file]` - Sign a kernel (latest if no file specified) - `ksigner sign [kernel_file]` - Sign a kernel (latest if no file specified)
- `ksigner sign-lts [kernel_file]` - Sign an LTS kernel
- `ksigner sign-all` - Sign all available kernels - `ksigner sign-all` - Sign all available kernels
- `ksigner sign-all-lts` - Sign all LTS kernels
- `ksigner status` - Show signing key status - `ksigner status` - Show signing key status
- `ksigner version` - Show version information - `ksigner version` - Show version information
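Review bot: the AUTO_SIGN_TYPE example changes from "sign-lts" to "sign-all" while SIGN_ON_UPDATE=true is kept, so anyone copying this block now gets automatic signing of all available kernels on update, and the commit message ("update readme") does not say that sign-lts, sign-all-lts and LTS_VERSIONS are gone. Suggest a short note in the Configuration section stating that the LTS modes were removed and what ksigner does with an existing ksigner.conf that still sets AUTO_SIGN_TYPE="sign-lts" or defines LTS_VERSIONS.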
@ -119,7 +105,7 @@ Logs are written to `/var/log/ksigner.log`.
- **Configuration**: `/etc/ksigner/ksigner.conf` - **Configuration**: `/etc/ksigner/ksigner.conf`
- **Public Key**: `/etc/pki/sbsign/certs/MOK.pem` - **Public Key**: `/etc/pki/sbsign/certs/MOK.pem`
- **Private Key**: `/etc/pki/sbsign/private/MOK.priv` - **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
- **DER Key**: `/etc/pki/sbsign/certs/MOK.der` - **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
- **Log File**: `/var/log/ksigner.log` - **Log File**: `/var/log/ksigner.log`
- **Update Hook**: `/etc/kernel/postinst.d/zz-ksigner` - **Update Hook**: `/etc/kernel/postinst.d/zz-ksigner`
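Review bot: the Files list names the private key at /etc/pki/sbsign/private/MOK.priv without giving its expected owner or mode. Suggest documenting the ownership and permissions that `ksigner setup` applies to it, so an administrator can verify that the signing key is not readable by unprivileged users. The "DER Key" entry also points at a file under certs/, so "DER Certificate" would describe it more accurately.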