# KSigner

A Secure Boot kernel signing utility

## Overview

This package provides a complete workflow for signing Linux kernels with your own key in a Secure Boot environment. It includes:

- Automatic key generation and MOK enrollment
- Automatic kernel signing via the libdnf5 actions plugin
- Support for signing an individual kernel or all installed kernels
- Configuration through `/etc/ksigner/ksigner.conf`
- Logging and status reporting

## Installation

### Building the RPM

1. Install build dependencies:

```bash
# RHEL/CentOS/Rocky/Alma
sudo dnf install rpm-build rpmdevtools

# Create build environment
rpmdev-setuptree
```

2. Build the package:

```bash
# Create source tarball
make dist

# Build RPM
make rpm

# Or build source RPM
make srpm
```

3. Install the package:

```bash
sudo dnf install noarch/ksigner*.rpm

# Alternatively
sudo rpm -ivh ksigner*.rpm
```

### Dependencies

The following packages are installed automatically as dependencies:

- `openssl` - Key generation and certificate operations
- `mokutil` - Machine Owner Key management
- `sbsigntools` - Kernel signing utilities
- `hmaccalc` - HMAC generation for signed kernels
- `sudo` - Privilege escalation
- `bash` (>= 4.0) - Shell scripting features
- `dnf5` - RPM package management
- `libdnf5-plugin-actions` - DNF transaction actions

## Quick Start

1. **Install the package** (as shown above)

2. **Set up signing keys**:

```bash
sudo ksigner setup
```

3. **Optionally, enable automatic kernel signing** (the config file is root-owned, so this needs `sudo`):

```bash
sudo sed -i 's/^# *\(AUTO_SIGN=true\)/\1/' /etc/ksigner/ksigner.conf
```

4. **Reboot and enroll the MOK**:
   - Reboot your system
   - In the MOK management screen that shim presents on the next boot: Enroll MOK → Continue → Yes → Enter the enrollment password chosen during `ksigner setup` → OK
   - Until the key is enrolled, shim will refuse to boot a kernel whose only signature is from this key, so keep a known-bootable kernel in the boot menu until you have confirmed enrollment

5. **Sign kernels**:

```bash
# Sign latest kernel
sudo ksigner sign

# Sign all kernels
sudo ksigner sign-all

# Check status
sudo ksigner status
```

## Configuration

Edit `/etc/ksigner/ksigner.conf` to customize behavior:

```conf
# Automatically sign kernels when they are installed
# AUTO_SIGN=true
```

## Commands

- `ksigner setup` - Create and install signing keys
- `ksigner sign [kernel_file]` - Sign a kernel (the latest installed kernel if no file is specified)
- `ksigner sign-all` - Sign all installed kernels
- `ksigner status` - Show signing key status
- `ksigner version` - Show version information

## File Locations

- **Configuration**: `/etc/ksigner/ksigner.conf`
- **Public Key**: `/etc/pki/sbsign/certs/MOK.pem`
- **Private Key**: `/etc/pki/sbsign/private/MOK.priv`
- **DER Key**: `/etc/pki/sbsign/certs/MOK.der`
- **Log File**: `/var/log/ksigner.log`
- **Action File**: `/etc/dnf/libdnf5-plugins/actions.d/ksigner.action`

## Security Notes

- The private key is stored with mode 600 (owner read/write only). Anyone who can read it can produce a kernel this machine's firmware will boot, so treat it like any other code-signing key.
- MOK enrollment is confirmed interactively in the MOK manager at boot and protected by the enrollment password, so a process on the running system cannot enroll a key on its own.
- All operations require root privileges.
- HMAC files are generated alongside signed kernels for integrity verification (the `.hmac` files consumed by the kernel's FIPS-mode integrity check).
- With `AUTO_SIGN=true`, every kernel that dnf installs is signed automatically, so the signature attests that the package came through dnf, not that it was reviewed; the trust you place in it is the trust you place in your repositories.

## Troubleshooting

### Check Status

```bash
sudo ksigner status
```

### View Logs

```bash
sudo tail -f /var/log/ksigner.log
```

### Verify MOK Enrollment

```bash
sudo mokutil --list-enrolled
```

### Re-enroll Keys

If keys become corrupted or lost:

```bash
sudo ksigner setup
# Then reboot and re-enroll the MOK
```

## License

This software is released under the MIT License. See the LICENSE file for details.

## Contributing

Contributions are welcome! Please submit pull requests or issues through the project repository.

## Support

For support, please:

1. Check the man page: `man ksigner`
2. Review logs in `/var/log/ksigner.log`
3. Use the status command: `sudo ksigner status`
4. File issues in the project repository
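## Worked Example: Post-Setup Checks

The following script is an added example and is not part of KSigner; it shows the checks a practitioner would run after the Quick Start and Security Notes above: whether `AUTO_SIGN` is actually active in a `ksigner.conf`-style file (the shipped line is a comment, so it is off until the `sed` in step 3 uncomments it), which image counts as the "latest" kernel, whether the private key still has mode 600, and, when the real tools are present, whether `MOK.pem` matches `MOK.priv`, whether `MOK.der` is enrolled, and whether a kernel verifies against the certificate. The helper names, the fixture directory created under `mktemp`, and the reading of "latest" as the highest `x.y.z` version (skipping rescue images) are assumptions of this example, not KSigner's own logic. The external checks use `openssl`, `mokutil --test-key` and `sbverify --cert`, which exist with those options; they are skipped where the tool is absent.

```shell
#!/bin/sh
# Added example, not KSigner code. Post-setup sanity checks for a MOK-based
# kernel signing setup. Helper names and the fixture below are constructed here.
set -u

# True when the file has an uncommented AUTO_SIGN=true line. The shipped
# default "# AUTO_SIGN=true" is a comment and therefore counts as disabled.
auto_sign_enabled() {
    val=$(sed -n 's/^[[:space:]]*AUTO_SIGN=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
          | tail -n 1 | tr -d "\"'" | tr '[:upper:]' '[:lower:]')
    [ "$val" = "true" ]
}

# Newest vmlinuz-x.y.z-* image under a boot directory (assumed meaning of
# "latest"); rescue images are skipped. Uses a plain numeric sort so it does
# not depend on GNU sort -V.
latest_kernel() {
    for f in "$1"/vmlinuz-*; do
        [ -f "$f" ] || continue
        case $f in *-rescue-*) continue ;; esac
        # Emit "major minor patch path" so numeric keys order the versions.
        printf '%s\n' "$f" \
          | sed -n 's|.*/vmlinuz-\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*|\1 \2 \3 &|p'
    done | sort -k1,1n -k2,2n -k3,3n | tail -n 1 | cut -d' ' -f4-
}

# The private key must be mode 600 exactly, as the Security Notes state.
private_key_mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]
}

# Checks that need the real tools; each is skipped when the tool is missing.
# MOK.pem must carry the public half of MOK.priv, MOK.der must be enrolled,
# and the kernel image must verify against MOK.pem.
check_signing_chain() {
    cert=$1; key=$2; der=$3; kernel=$4
    if command -v openssl >/dev/null 2>&1; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
        key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
        if [ "$cert_pub" = "$key_pub" ]; then echo "ok: $cert matches $key"
        else echo "FAIL: $cert does not match $key"; fi
    fi
    command -v mokutil >/dev/null 2>&1 && mokutil --test-key "$der"
    command -v sbverify >/dev/null 2>&1 && sbverify --cert "$cert" "$kernel"
}

# --- constructed fixture: a fake /boot, two config files and two keys ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/boot" "$DEMO/etc"
printf '# AUTO_SIGN=true\n' > "$DEMO/etc/shipped.conf"   # README default
printf 'AUTO_SIGN=true\n'   > "$DEMO/etc/enabled.conf"   # after the Quick Start sed
for v in 6.8.9-300.fc40.x86_64 6.8.10-300.fc40.x86_64 0-rescue-2b4f1c; do
    : > "$DEMO/boot/vmlinuz-$v"
done
: > "$DEMO/MOK.priv";   chmod 600 "$DEMO/MOK.priv"
: > "$DEMO/leaky.priv"; chmod 644 "$DEMO/leaky.priv"

for c in shipped enabled; do
    if auto_sign_enabled "$DEMO/etc/$c.conf"; then echo "$c.conf: AUTO_SIGN on"
    else echo "$c.conf: AUTO_SIGN off"; fi
done
echo "latest kernel: $(latest_kernel "$DEMO/boot")"   # .../vmlinuz-6.8.10-300.fc40.x86_64
for k in MOK.priv leaky.priv; do
    if private_key_mode_ok "$DEMO/$k"; then echo "$k: mode 600"
    else echo "$k: WRONG MODE, fix with chmod 600"; fi
done

# On a real host, as root, the full chain check against the README's paths is:
# check_signing_chain /etc/pki/sbsign/certs/MOK.pem /etc/pki/sbsign/private/MOK.priv \
#     /etc/pki/sbsign/certs/MOK.der "$(latest_kernel /boot)"
```

Run it as an unprivileged user to exercise the fixture; run `check_signing_chain` as root on the real paths once `ksigner setup` and the MOK enrollment reboot are done. A `FAIL` from the certificate comparison means the `.pem` and `.priv` were not produced together and enrolling `MOK.der` will not make kernels signed with `MOK.priv` bootable.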