@ArrayBolt3
Contributor

In some situations (such as when building a redistributable system image), it is desirable to suppress module signing and the generation of a Machine Owner Key, even if the system supports module signing. Introduce a new configuration option, "try_sign_modules", which allows one to explicitly enable or disable the module signing system. As publicly redistributable images are often built in a chroot, and should virtually never have a MOK generated at image build time, disable module signing by default when running in a chroot.

Fixes: #574

(Note: This is entirely untested so far; I intend on testing it manually and am hoping that submitting this as a PR will trigger the CI to test it. My experience with GitHub Actions is lacking...)

@ArrayBolt3
Contributor Author

Argh, apparently GitHub makes it unreasonably difficult to enable the CI tests for a fork. Figured it out now, thankfully, will run the tests in my fork.

@ArrayBolt3 ArrayBolt3 force-pushed the arraybolt3/try_sign_modules branch from 60f947d to 71c0a05 Compare January 27, 2026 05:09
@scaronni scaronni added this to the 3.3.1 milestone Jan 27, 2026
@scaronni scaronni merged commit f7cf59e into dkms-project:main Jan 27, 2026
31 checks passed
@scaronni
Member

Thank you!

@ArrayBolt3
Contributor Author

Just did the remaining manual testing by installing the dkms-test-dkms package in a Debian Sid chroot, after installing DKMS with this PR integrated. As expected, signing and key generation are skipped by default, but can be forced on with try_sign_modules=true.

Successfully merging this pull request may close these issues.

DKMS should not generate a MOK by default when running inside a chroot

2 participants