zfs-kmod.spec: preserve signature in linux kmod built by make rpm-kmod

[bsherman]

Motivation and Context

When the linux kernel source tree is configured with a signing key and certificate, kmods are automatically signed. So, if properly configured, one would expect the existing zfs make rpm-kmod to result in rpms which contain signed spl.ko and zfs.ko kmods. However, because of a known issue with the rpm build process, when rpmbuild strips debug symbols from binaries, it also strips signatures.
This PR corrects that issue, ensuring that signing occurs after the debug symbols and signatures are stripped, thus providing rpms with signed kmods.

Description

This is an rpm spec, packaging-only change. It provides rpm spec macros to sign the zfs and spl kmods as the final step after the %install scriptlet. This is needed since the find-debuginfo.sh script strips out debug symbols plus signatures.

Kernel module signing only occurs when the required files are present as typically required in the linux source tree:

• certs/signing_key.pem
• certs/signing_key.x509

This method for overriding the default __spec_install_post macro is inspired by (and largely copied from) the Fedora kernel.spec.

How Has This Been Tested?

This has been tested in both Fedora 39 and AlmaLinux 9 x86_64 container image environments.

With all typical build requirements for linux kernel, zfs, and rpm per the docs, make rpm-kmod was executed with and without the expected signing_key pair.

As expected, when the signing_key was present, the resulting kmod-zfs-VERSION.rpm contained kmods with a signature:

bash-5.2# modinfo zfs.ko|grep sign
signer:         Default Company Ltd
signature:      11:F7:64:99:0F:8D:FD:DC:92:DC:59:5B:E9:BE:FC:D4:E1:04:00:27:
bash-5.2# 

Also as expected, when the signing_key was absent, no signature was found on the kmods in the resulting rpm:

bash-5.2# modinfo zfs.ko|grep sign
bash-5.2# 

In the Fedora test, I have also loaded the signed kmod into the kernel and used it.

Note: by default ./configure in the above case uses the generic rpm spec.

On AlmaLinux 9, the same test was performed using ./configure --with-spec=redhat in order to test the build of a kABI tracking kmod.

The same, expected results were found.

Since this is a rpm packaging-only change, this should not effect any other code area.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the OpenZFS code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• I have run the ZFS Test Suite with this change applied.
• All commit messages are properly formatted and contain Signed-off-by.

[tonyhutter]

I was able to reproduce this on Almalinux 9 and verified that the modules were signed when ZFS was built with this PR (and the signatures were present).

To reproduce on Alma 9:

mkdir cert
cd cert

# Grab fedora's x509.genkey config file to use as a template.
# You can edit this if you want.
wget https://raw.githubusercontent.com/jmesmon/fedora-kernel-pkg/master/x509.genkey

openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -x509 -config x509.genkey -outform DER -out signing_key.x509 -keyout signing_key.pem

sudo cp signing_key.pem signing_key.x509 /usr/src/kernels/$(uname -r)/certs/

# Go to your zfs source
cd ~/zfs

# To build for Centos/Alma/RHEL
./autogen.sh && ./configure --with-spec=redhat && make rpm-kmod