Update to 4.9.1 kernel, and start verifying signed kernel

Signed-off-by: Sven <sven@osbuild.local.lan>
2025-09-01 12:56:25 +00:00 · 2017-01-09 00:26:49 +00:00
parent c3f38b0b54
commit bf457e66cc
7 changed files with 25 additions and 49 deletions
--- a/scripts/build-kernel
+++ b/scripts/build-kernel
@@ -9,7 +9,6 @@ source scripts/version
 export CCACHE_DIR="${HOME}/.kernel-ccache"
 export CC="ccache gcc"
 export PATH="/usr/lib/ccache:$PATH"
-KERNEL=$(basename ${KERNEL_URL})
 DIR=${VERSION}
 FIRMWARE=$(readlink -f scripts/firmware)
 MODULE_LIST=$(readlink -f modules.list)
--- a/scripts/download
+++ b/scripts/download
@@ -6,37 +6,19 @@ cd $(dirname $0)/..

 source scripts/build-common

-check()
-{
-    local hash=$1
-    local file=$2
+mkdir -p ${ARTIFACTS}
+cd ${ARTIFACTS}

-    if [ ! -e "$file" ]; then
-        return 1
-    fi
+if [ ! -e "${KERNEL_TAR}" ]; then
+    curl -sL ${KERNEL_URL}${KERNEL_TAR} > ${KERNEL_TAR}
+fi
+curl -sL ${KERNEL_URL}${KERNEL_SIGN} > ${KERNEL_SIGN}

-    CURRENT=$(sha1sum $file | awk '{print $1}')
+# grab gregkh's stable signing key 
+gpg2 --keyserver hkp://keys.gnupg.net --recv-keys 6092693E

-    [ "$hash" = "$CURRENT" ]
-}
-
-download()
-{
-    mkdir -p ${ARTIFACTS}
-
-    local url=$2
-    local file=${ARTIFACTS}/$(basename $2)
-    local hash=$1
-
-    if ! check $hash $file; then
-        curl -sL $url > $file
-    fi
-
-    if ! check $hash $file; then
-        echo "ERROR: $file does not match checksum $hash, got $CURRENT" 1>&2
-        return 1
-    fi
-}
-
-# Download Kernel source
-download ${KERNEL_SHA1} ${KERNEL_URL}
+if ! xz -cd ${KERNEL_TAR} | gpg2 --verify ${KERNEL_SIGN} - ; then
+    echo "ERROR: ${KERNEL_TAR} signing error" 1>&2
+    return 1
+fi
+echo "${KERNEL_TAR} probably ok"
--- a/scripts/extract
+++ b/scripts/extract
@@ -6,20 +6,19 @@ cd $(dirname $0)/..
 source scripts/build-common
 source scripts/version

-KERNEL=$(basename ${KERNEL_URL})
 DIR=${VERSION}

 mkdir -p ${BUILD}
 cd ${BUILD}

 if [ ! -e ${DIR} ]; then
-    echo Extracting ${ARTIFACTS}/${KERNEL}
+    echo Extracting ${ARTIFACTS}/${KERNEL_TAR}
    TEMP=$(mktemp -d -p ${BUILD})
    mkdir ${TEMP}/${DIR}
    trap "rm -rf ${TEMP}" exit

-    ls -lah ${ARTIFACTS}/${KERNEL}
-    tar xf ${ARTIFACTS}/${KERNEL} -C ${TEMP}/${DIR} --strip-components=1
+    ls -lah ${ARTIFACTS}/${KERNEL_TAR}
+    tar xf ${ARTIFACTS}/${KERNEL_TAR} -C ${TEMP}/${DIR} --strip-components=1
    mv ${TEMP}/${DIR} ${DIR}
 fi

--- a/scripts/package-kernel
+++ b/scripts/package-kernel
@@ -25,7 +25,6 @@ done
 export CCACHE_DIR="${HOME}/.kernel-ccache"
 export CC="ccache gcc"
 export PATH="/usr/lib/ccache:$PATH"
-KERNEL=$(basename ${KERNEL_URL})
 FIRMWARE=$(readlink -f scripts/firmware)
 MODULE_LIST=$(readlink -f modules.list)
 MODULE_EXTRA_LIST=$(readlink -f modules-extra.list)