Sign a module after kernel compilation

I’ve built a kernel in tmpfs, then I rebooted.

Now I see a message when I compile the 3rd party module,


How can I get it signed? The key pair generated during rpmbuild is lost already, I guess.

Solutions:


Solution 1

This was surprisingly lacking in documentation. I found this file, module-signing.txt, which is part of the RHEL6 Kernel Documentation. In this document it shows how to generate signing keys, assuming you want to sign all your modules as part of a kernel build:

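# Batch parameter file for gpg: key rings, key type and identity
cat >genkey <<EOF
%pubring kernel.pub
%secring kernel.sec
Key-Type: DSA
Key-Length: 512
Name-Real: A. N. Other
Name-Comment: Kernel Module GPG key
%commit
EOF
# Build the helper that turns binary data into a C array
make scripts/bin2c
# Generate the key pair, then export the public key into the kernel source
gpg --homedir . --batch --gen-key genkey
gpg --homedir . --export --keyring kernel.pub keyname |
 scripts/bin2c ksign_def_public_key __initdata >crypto/signature/key.h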

Also the article from Linux Journal titled: Signed Kernel Modules has some good details and steps on how to do pieces of this, but I couldn’t find the user space tools, extract_pkey and mod that it references.

You might want to poke around Greg Kroah’s site, you may find something useful in one of his presentations.


Solution 2

Go to the kernel source directory and do (example):

./scripts/sign-file sha512 ./signing_key.priv ./signing_key.x509 /lib/modules/3.10.1/kernel/drivers/char/my_module.ko

Check what is the digest algorithm your kernel is using by opening .config and reading it in CONFIG_MODULE_SIG config values:
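
An added example, not part of either answer or of the kernel tree: a POSIX shell helper that reads the digest from .config (either the CONFIG_MODULE_SIG_HASH string or a CONFIG_MODULE_SIG_SHA*=y choice entry), calls scripts/sign-file with the argument order shown in Solution 2, and then checks for the trailer string that signed modules end with. The function names are hypothetical, and it assumes signing_key.priv and signing_key.x509 from the kernel build are still in the kernel source directory.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not kernel tooling.

# Print the module-signing digest configured in a kernel .config.
# Accepts CONFIG_MODULE_SIG_HASH="sha512" or a CONFIG_MODULE_SIG_SHA512=y style entry.
sig_hash_from_config() {
    cfg=$1
    h=$(sed -n 's/^CONFIG_MODULE_SIG_HASH="\([a-z0-9]*\)"$/\1/p' "$cfg" | head -n 1)
    if [ -z "$h" ]; then
        h=$(sed -n 's/^CONFIG_MODULE_SIG_\(SHA[0-9]*\)=y$/\1/p' "$cfg" |
            head -n 1 | tr 'A-Z' 'a-z')
    fi
    [ -n "$h" ] || return 1
    printf '%s\n' "$h"
}

# Succeed only if the file ends with the 28-byte marker "~Module signature appended~\n".
# Bytes are compared as hex so NULs in an unsigned module cannot confuse the shell.
module_is_signed() {
    want=$(printf '~Module signature appended~\n' | od -An -tx1 | tr -d ' \n')
    have=$(tail -c 28 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$have" = "$want" ]
}

# sign_module KERNEL_SRC_DIR MODULE.ko
# Return codes: 2 = no digest in .config, 3 = key file missing, 4 = sign-file failed.
sign_module() {
    ksrc=$1
    mod=$2
    hash=$(sig_hash_from_config "$ksrc/.config") || {
        echo "no module signing digest found in $ksrc/.config" >&2
        return 2
    }
    for f in signing_key.priv signing_key.x509; do
        [ -r "$ksrc/$f" ] || { echo "missing $ksrc/$f" >&2; return 3; }
    done
    "$ksrc/scripts/sign-file" "$hash" "$ksrc/signing_key.priv" \
        "$ksrc/signing_key.x509" "$mod" || return 4
    module_is_signed "$mod"
}

# Run as: ./sign-helper.sh /path/to/kernel/source /path/to/module.ko
if [ "$#" -eq 2 ]; then
    sign_module "$1" "$2"
fi
```

A return code of 3 is the situation in the question: the key files from the build are gone, so the helper stops before calling sign-file.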



All methods were sourced from or, are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0
