Merge: redhat: use the same cert as UKI's to sign addons

CKI KWF Bot · CKI KWF Bot · commit 250662760536 · 2025-10-28T10:12:48.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-10/-/merge_requests/1658 JIRA: https://issues.redhat.com/browse/RHEL-124088 Addons' cert should be the same as UKI's. Otherwise it breaks full disk encryption of Azure CVM by changing PCR7 where volume key is sealed. Signed-off-by: Li Tian <litian@redhat.com> Approved-by: Emanuele Giuseppe Esposito <eesposit@redhat.com> Approved-by: Jan Stancek <jstancek@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template
@@ -2800,6 +2800,11 @@ BuildKernel() {
 %endif
 
         %pesign -s -i $KernelUnifiedImage -o $KernelUnifiedImage.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
+        for addon in "$KernelAddonsDirOut"/*; do
+            %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c $UKI_secureboot_cert -n $UKI_secureboot_name
+            rm -f $addon
+            mv $addon.signed $addon
+        done
 # 0%{?fedora}%{?eln}
 %endif
         if [ ! -s $KernelUnifiedImage.signed ]; then
@@ -2808,12 +2813,6 @@ BuildKernel() {
         fi
         mv $KernelUnifiedImage.signed $KernelUnifiedImage
 
-      for addon in "$KernelAddonsDirOut"/*; do
-        %pesign -s -i $addon -o $addon.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}
-        rm -f $addon
-        mv $addon.signed $addon
-      done
-
       mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer
       cp -a $UKI_secureboot_cert $RPM_BUILD_ROOT%{_datadir}/doc/kernel-keys/$KernelVer/secureboot-uki-%{_arch}.cer
 
