
KSigner

A secure boot kernel signing utility for Fedora.

Overview

This package provides a comprehensive solution for signing Linux kernels with custom keys for Secure Boot environments. It includes:

  • Automatic key generation and MOK enrollment
  • Automatic kernel signing via libdnf5 actions plugin
  • Support for signing individual or all kernels
  • Configurable through /etc/ksigner/ksigner.conf
  • Comprehensive logging and status reporting

Installation

Building the RPM

  1. Install build dependencies:
# RHEL/CentOS/Rocky/Alma
sudo dnf install rpm-build rpmdevtools
# Create build environment
rpmdev-setuptree
  2. Build the package:
# Create source tarball
make dist

# Build RPM
make rpm

# Or build source RPM
make srpm
  3. Install the package:
sudo dnf install noarch/ksigner*.rpm
# Alternatively
sudo rpm -ivh ksigner*.rpm

Dependencies

The following packages will be automatically installed as dependencies:

  • openssl - Key generation and certificate operations
  • mokutil - Machine Owner Key management
  • sbsigntools - Kernel signing utilities
  • hmaccalc - HMAC generation for signed kernels
  • sudo - Privilege escalation
  • bash (>= 4.0) - Shell scripting features
  • dnf5 - RPM package management
  • libdnf5-plugin-actions - DNF transaction actions

Quick Start

  1. Install the package (as shown above)

  2. Set up signing keys:

sudo ksigner setup

  3. Optionally, enable automatic kernel signing:

sudo sed -i 's/^# *\(AUTO_SIGN=true\)/\1/' /etc/ksigner/ksigner.conf

  4. Reboot and enroll MOK keys:

    • Reboot your system
    • In the MOK management interface: Enroll MOK → Continue → Yes → Enter password → OK

  5. Sign kernels:

# Sign latest kernel
sudo ksigner sign

# Sign all kernels
sudo ksigner sign-all

# Check status
sudo ksigner status

Configuration

Edit /etc/ksigner/ksigner.conf to customize behavior:

# Automatically sign kernels when they are installed
# AUTO_SIGN=true

Commands

  • ksigner setup - Create and install signing keys
  • ksigner sign [kernel_file] - Sign a kernel (latest if no file specified)
  • ksigner sign-all - Sign all available kernels
  • ksigner status - Show signing key status
  • ksigner version - Show version information

File Locations

  • Configuration: /etc/ksigner/ksigner.conf
  • Public Key: /etc/pki/sbsign/certs/MOK.pem
  • Private Key: /etc/pki/sbsign/private/MOK.priv
  • DER Key: /etc/pki/sbsign/certs/MOK.der
  • Log File: /var/log/ksigner.log
  • Action File: /etc/dnf/libdnf5-plugins/actions.d/ksigner.action

Security Notes

  • Private keys are stored with restrictive permissions (600)
  • MOK enrollment requires manual confirmation to prevent unauthorized access
  • All operations require root privileges
  • HMAC files are generated for integrity verification

Troubleshooting

Check Status

sudo ksigner status

View Logs

sudo tail -f /var/log/ksigner.log

Verify MOK Enrollment

sudo mokutil --list-enrolled
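
The script below is an added example, not part of KSigner. It checks the three things the Security Notes and this section rely on: the private key's mode, MOK enrollment of the certificate, and a kernel signature that verifies against that certificate. The paths are the ones listed under File Locations; the KS_* variables, function names, script name and /boot/vmlinuz-<release> kernel path are assumptions.

```sh
#!/bin/sh
# Added example, not KSigner code: read-only audit of the state KSigner sets up.
# Default paths are the README's "File Locations". The KS_* overrides, the
# function names and the /boot/vmlinuz-<release> kernel path are assumptions.
: "${KS_PRIV:=/etc/pki/sbsign/private/MOK.priv}"
: "${KS_PEM:=/etc/pki/sbsign/certs/MOK.pem}"
: "${KS_DER:=/etc/pki/sbsign/certs/MOK.der}"
: "${KS_KERNEL:=/boot/vmlinuz-$(uname -r)}"
: "${KS_OWNER:=root}"

# Private key must be a regular file (not a symlink), mode exactly 600,
# owned by the expected user. Runs in a subshell so "exit" only ends the check.
key_perms_ok() (
    [ -f "$1" ] && [ ! -L "$1" ] || exit 1
    [ "$(stat -c '%a %U' "$1")" = "600 ${2:-$KS_OWNER}" ]
)

# DER certificate is in the enrolled MOK list. Match mokutil's message
# instead of relying on its exit status.
mok_enrolled() {
    [ -r "$1" ] && mokutil --test-key "$1" 2>&1 | grep -q 'is already enrolled'
}

# Kernel image carries a signature that verifies against the PEM certificate.
kernel_signed() {
    [ -r "$2" ] && sbverify --cert "$1" "$2" >/dev/null 2>&1
}

# check LABEL CMD...: run CMD, print PASS/FAIL, count failures in $fails.
check() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}

# Run every check; the return status is the number of failed checks.
audit() {
    fails=0
    check "private key is mode 600, owner $KS_OWNER" key_perms_ok "$KS_PRIV"
    check "certificate is enrolled as a MOK" mok_enrolled "$KS_DER"
    check "$KS_KERNEL verifies against the MOK certificate" kernel_signed "$KS_PEM" "$KS_KERNEL"
    return "$fails"
}

# Run only when asked: sudo sh ksigner-audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit; exit $?; fi
```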

Re-enroll Keys

If keys become corrupted or lost:

sudo ksigner setup
# Then reboot and re-enroll MOK

License

This software is released under the MIT License. See LICENSE file for details.

Contributing

Contributions are welcome! Please submit pull requests or issues through the project repository.

Support

For support, please:

  1. Check the man page: man ksigner
  2. Review logs in /var/log/ksigner.log
  3. Use the status command: sudo ksigner status
  4. File issues in the project repository