kernel-{build,install}.eclass: exclude any generated keys from binpkgs

The kernel build system supports generating a new module signing key if the
CONFIG_MODULE_SIG_KEY is set to the default value (MODULES_SIGN_KEY is not set)
and no key exists at that default location.

This results in the unfortunate situation where private key material ends up
in generated binary packages. That is almost never what you want since binary
packages are usually readable by regular users. To avoid this we move the key
out of the ED in the install phase, and move it back in the preinst phase after
the binary package has been built.

This also means that when distributing built binary packages to other systems
the signing key will now never be installed onto all those other systems, which
is probably what you want anyway.

Note, there is no change for folks who use externally managed keys, i.e. for
everyone who has MODULES_SIGN_KEY, MODULE_SIGN_CERT set.

Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/40017
Signed-off-by: Nowa Ammerlaan <nowa@gentoo.org>

1 files changed, 9 insertions, 0 deletions

diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index f70556ad41f5..1cc2bd0bb737 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -607,6 +607,15 @@ kernel-install_pkg_preinst() {
 	[[ ! -d ${kernel_dir} ]] &&
 		die "Kernel directory ${kernel_dir} not installed!"
 
+	# We moved this in order to omit it from the binpkg, move it back
+	if [[ -r "${T}/signing_key.pem" ]]; then
+		# cp instead of mv to set owner to root in one go
+		(
+			umask 066 &&
+				cp "${T}/signing_key.pem" "${kernel_dir}/certs/signing_key.pem"
+		) || die
+	fi
+
 	# perform the version check for release ebuilds only
 	if [[ ${PV} != *9999 ]]; then
 		local expected_ver=$(dist-kernel_PV_to_KV "${PV}")