Enable/disable automatic signing on kernel updates# Kernel Signer

A secure boot kernel signing utility for Red Hat based systems (RHEL, CentOS, Fedora, Rocky Linux, AlmaLinux, etc.).

Overview

This package provides a comprehensive solution for signing Linux kernels with custom keys for Secure Boot environments. It includes:

• Automatic key generation and MOK enrollment
• Support for signing individual or all kernels
• Configurable through /etc/ksigner/ksigner.conf
• Comprehensive logging and status reporting

Installation

Building the RPM

1. Install build dependencies:

# RHEL/CentOS/Rocky/Alma
sudo dnf install rpm-build rpmdevtools
# Create build environment
rpmdev-setuptree

2. Build the package:

# Create source tarball
make dist

# Build RPM
make rpm

# Or build source RPM
make srpm

3. Install the package:

sudo rpm -ivh ksigner*.rpm

Dependencies

The following packages will be automatically installed as dependencies:

• openssl - Key generation and certificate operations
• mokutil - Machine Owner Key management
• sbsigntools - Kernel signing utilities
• hmaccalc - HMAC generation for signed kernels
• sudo - Privilege escalation
• bash (>= 4.0) - Shell scripting features

Quick Start

1. Install the package (as shown above)

2. Set up signing keys:

sudo ksigner setup

3. Reboot and enroll MOK keys:

   • Reboot your system
   • In the MOK management interface: Enroll MOK → Continue → Yes → Enter password → OK

4. Sign kernels:

# Sign latest kernel
sudo ksigner sign

# Sign all kernels
sudo ksigner sign-all

# Check status
sudo ksigner status

Configuration

Edit /etc/ksigner/ksigner.conf to customize behavior:

# Enable/disable automatic signing on kernel updates
SIGN_ON_UPDATE=true

# Type of automatic signing (sign, sign-all)
AUTO_SIGN_TYPE="sign-all"

Commands

• ksigner setup - Create and install signing keys
• ksigner sign [kernel_file] - Sign a kernel (latest if no file specified)
• ksigner sign-all - Sign all available kernels
• ksigner status - Show signing key status
• ksigner version - Show version information

Automatic Kernel Signing

When SIGN_ON_UPDATE=true in the configuration, kernels are automatically signed when installed via package manager. The hook script /etc/kernel/postinst.d/zz-ksigner handles this process.

Logs are written to /var/log/ksigner.log.

File Locations

• Configuration: /etc/ksigner/ksigner.conf
• Public Key: /etc/pki/sbsign/certs/MOK.pem
• Private Key: /etc/pki/sbsign/private/MOK.priv
• DER Key: /etc/pki/sbsign/certs/MOK.der
• Log File: /var/log/ksigner.log
• Update Hook: /etc/kernel/postinst.d/zz-ksigner

Security Notes

• Private keys are stored with restrictive permissions (600)
• MOK enrollment requires manual confirmation to prevent unauthorized access
• All operations require root privileges
• HMAC files are generated for integrity verification

Troubleshooting

Check Status

sudo ksigner status

View Logs

sudo tail -f /var/log/ksigner.log

Verify MOK Enrollment

sudo mokutil --list-enrolled

Re-enroll Keys

If keys become corrupted or lost:

sudo ksigner setup
# Then reboot and re-enroll MOK

License

This software is released under the MIT License. See LICENSE file for details.

Contributing

Contributions are welcome! Please submit pull requests or issues through the project repository.

Support

For support, please:

1. Check the man page: man ksigner
2. Review logs in /var/log/ksigner.log
3. Use the status command: sudo ksigner status
4. File issues in the project repository