add auto signing via dnf5 actions plugin

Makefile

@@ -1,9 +1,11 @@
 NAME = ksigner
 VERSION = $(shell cat VERSION)
 RELEASE = $(shell cat RELEASE)
+MONTH = $(shell date +%B)
+YEAR = $(shell date +%Y)
 SOURCEDIR = .
 BUILDDIR = build
-SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 README.md LICENSE
+SOURCES = src/ksigner src/ksigner.conf docs/ksigner.8 src/dnf/ksigner.actions README.md LICENSE
 CLEANFILES = $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8 noarch *.tar.gz *.rpm *.src.rpm
 
 .PHONY: all clean dist rpm srpm install
@@ -19,14 +21,20 @@ $(BUILDDIR):
 %.spec: %.spec.in VERSION RELEASE
 	sed -e 's/@VERSION@/$(VERSION)/g' \
 	    -e 's/@RELEASE@/$(RELEASE)/g' \
+	    -e 's/@MONTH@/$(MONTH)/g' \
+            -e 's/@YEAR@/$(YEAR)/g' \
 	    $< > $@
 
 src/%: src/%.in VERSION RELEASE
 	sed -e 's/@VERSION@/$(VERSION)/g' \
+	    -e 's/@MONTH@/$(MONTH)/g' \
+            -e 's/@YEAR@/$(YEAR)/g' \
 	    $< > $@
 
 docs/%: docs/%.in VERSION RELEASE
 	sed -e 's/@VERSION@/$(VERSION)/g' \
+	    -e 's/@MONTH@/$(MONTH)/g' \
+            -e 's/@YEAR@/$(YEAR)/g' \
 	    $< > $@
 
 dist: $(BUILDDIR) $(NAME).spec src/$(NAME) docs/$(NAME).8
@@ -53,6 +61,8 @@ install:
 	install -d $(DESTDIR)/etc/ksigner
 	install -d $(DESTDIR)/etc/kernel/postinst.d
 	install -d $(DESTDIR)/usr/share/man/man8
+	install -d $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d
 	install -m 755 src/ksigner $(DESTDIR)/usr/bin/
+	install -m 755 src/dnf/ksigner.actions $(DESTDIR)/etc/dnf/libdnf5-plugins/actions.d/
 	install -m 644 src/ksigner.conf $(DESTDIR)/etc/ksigner/
 	install -m 644 docs/ksigner.8 $(DESTDIR)/usr/share/man/man8/

VERSION

@@ -1 +1 @@
-0.1.1
+0.2.0

docs/ksigner.8.in

@@ -1,4 +1,4 @@
-.TH KSIGNER 8 "September 2025" "ksigner @VERSION@" "System Administration"
+.TH ksigner 8 "@MONTH@ @YEAR@" "ksigner @VERSION@" "System Administration"
 
 .SH NAME
 ksigner \- Secure Boot kernel signing utility
@@ -12,6 +12,7 @@ ksigner \- Secure Boot kernel signing utility
 .B ksigner
 is a utility for signing Linux kernels with custom keys for Secure Boot environments.
 It supports signing individual kernels or all available kernels.
+The utility includes libdnf5-plugin-actions integration for automatic kernel signing.
 
 .SH COMMANDS
 .TP
@@ -41,7 +42,7 @@ Show the current status of signing keys and MOK enrollment.
 .SH FILES
 .TP
 .I /etc/ksigner/ksigner.conf
-Main configuration file.
+Main configuration file. Contains key paths, automatic signing settings, and LTS version definitions.
 
 .TP
 .I /etc/pki/sbsign/certs/MOK.pem
@@ -57,7 +58,11 @@ Public signing key in DER format for MOK import.
 
 .TP
 .I /var/log/ksigner.log
-Log file.
+Log file for automatic signing operations.
+
+.TP
+.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
+Kernel update hook script for automatic signing.
 
 .SH CONFIGURATION
 The behavior of ksigner can be customized through the configuration file
@@ -68,6 +73,20 @@ Key configuration options include:
 .B KEY_LIFETIME_DAYS
 Number of days the signing keys should remain valid (default: 36500, approximately 100 years).
 
+.TP
+.B AUTO_SIGN
+Enable or disable automatic kernel signing when kernels are installed via package manager.
+Set to "true" to enable, "false" to disable (default: true). Only works on DNF5 systems.
+
+.SH SYSTEMD INTEGRATION
+The package includes systemd service files for integration with the system:
+
+.SH AUTOMATIC KERNEL SIGNING
+When AUTO_SIGN (AUTO_SIGN=true) is enabled in the configuration, new kernels are automatically signed
+when they are installed through the package manager. The kernel update hook script
+.I /etc/dnf/libdnf5-plugins/actions.d/ksigner.actions
+is executed after kernel package installation and performs the configured signing operation.
+
 .SH EXAMPLES
 .TP
 Set up signing keys for the first time:
@@ -89,6 +108,20 @@ Sign all kernels:
 Check the status of signing keys:
 .B ksigner status
 
+.SH AUTOMATIC KERNEL SIGNING
+On systems using DNF5, ksigner can automatically sign newly installed kernels
+through a post-transaction hook. This feature is controlled by the
+.B AUTO_SIGN
+setting in the configuration file.
+
+When automatic signing is enabled, kernels are signed immediately after installation
+via the package manager. All signing operations are logged to
+.IR /var/log/ksigner.log .
+
+Note: Automatic signing requires that signing keys have been set up previously using
+.B ksigner setup
+and that the MOK has been enrolled.
+
 .SH REQUIREMENTS
 The following packages must be installed for ksigner to function:
 .IP \(bu 4
@@ -103,6 +136,8 @@ hmaccalc - for generating kernel HMAC files
 sudo - for privilege escalation
 .IP \(bu 4
 bash (version 4.0 or later) - for shell scripting features
+.IP \(bu 4
+libdnf5-plugin-actions - for automatic kernel signing (Fedora systems only)
 
 .SH SECURITY CONSIDERATIONS
 .IP \(bu 4

ksigner.spec.in

@@ -15,6 +15,8 @@ Requires:       sbsigntools
 Requires:       hmaccalc
 Requires:       sudo
 Requires:       bash >= 4.0
+Requires:	dnf5
+Requires:	libdnf5-plugin-actions
 
 %description
 A utility for signing Linux kernels with custom keys for Secure Boot.
@@ -24,7 +26,7 @@ Supports signing individual kernels or all kernels.
 %setup -q
 
 %build
-# Nothing to build - shell script
+# Nothing to build
 
 %install
 # Create directories
@@ -33,6 +35,7 @@ install -d %{buildroot}%{_sysconfdir}/ksigner
 install -d %{buildroot}%{_unitdir}
 install -d %{buildroot}%{_sysconfdir}/kernel/postinst.d
 install -d %{buildroot}%{_mandir}/man8
+install -d %{buildroot}%{_sysconfdir}/dnf/libdnf5-plugins/actions.d
 
 # Install main script
 install -m 755 ksigner %{buildroot}%{_bindir}/ksigner
@@ -43,6 +46,9 @@ install -m 644 ksigner.conf %{buildroot}%{_sysconfdir}/ksigner/ksigner.conf
 # Install man page
 install -m 644 ksigner.8 %{buildroot}%{_mandir}/man8/ksigner.8
 
+# Install dnf5 plugin
+install -m 755 ksigner.actions %{buildroot}%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions
+
 %post
 echo "==========================================="
 echo "Kernel Signer has been installed."
@@ -58,8 +64,11 @@ echo "==========================================="
 %{_bindir}/ksigner
 %config(noreplace) %{_sysconfdir}/ksigner/ksigner.conf
 %{_mandir}/man8/ksigner.8*
+%{_sysconfdir}/dnf/libdnf5-plugins/actions.d/ksigner.actions
 
 %changelog
-* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - 1.0.1-1
+* Wed Sep 24 2025 RadioactivePb <radioactivepb@gmail.com> - 0.2.0-1
+- Added libdnf5 actions plugin for automatic kernel signing
+* Tue Sep 23 2025 RadioactivePb <radioactivepb@gmail.com> - 0.1.1-1
 - Initial RPM release
 - Added configuration file support

src/dnf/ksigner.actions

@@ -0,0 +1,3 @@
+post_transaction:kernel*:in::/usr/bin/sh -c echo\ tmp.kernel_exists=\$\(\[\ -f\ /boot/vmlinuz-\${pkg.version}-\${pkg.release}.\${pkg.arch}\ \]\ \&\&\ echo\ 1\ \|\|\ echo\ 0\)
+post_transaction:kernel*:in::/usr/bin/sh -c \[\ \"\${tmp.kernel_exists}\"\ =\ \"1\"\ \]\ \&\&\ echo\ tmp.config_check=\$\(grep\ -q\ \^AUTO_SIGN=true\ /etc/ksigner/ksigner.conf\ 2\>/dev/null\ \&\&\ echo\ 1\ \|\|\ echo\ 0\)
+post_transaction:kernel*:in::/usr/bin/sh -c \[\ \"\${tmp.config_check}\"\ =\ \"1\"\ \]\ \&\&\ \[\ \"\${tmp.kernel_exists}\"\ =\ \"1\"\ \]\ \&\&\ /usr/bin/ksigner\ sign\ /boot/vmlinuz-\${pkg.version}-\${pkg.release}.\${pkg.arch}\ \>\>/var/log/ksigner.log\ 2\>\&1

src/ksigner.conf

@@ -15,3 +15,7 @@ KEY_DER="MOK.der"
 
 # Log file
 LOG_FILE="/var/log/ksigner.log"
+
+# Automatic kernel signing via DNF post-transaction hook
+# Uncomment the following line to enable
+# AUTO_SIGN=true

src/ksigner.in

@@ -45,7 +45,7 @@ usage() {
 
 version() {
 	echo "ksigner version @VERSION@"
-	echo "Copyright (C) 2025"
+	echo "Copyright (C) @YEAR@"
 	echo "This is free software; see the source for copying conditions."
 }