signing DKMS Modules

72-dkms-signing.hook

[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/src/*/dkms.conf
Target = usr/lib/modules/*-up/build/include/
Target = usr/lib/modules/*-up/modules.alias

[Action]
Description = Signing DKMS modules
Depends = dkms
When = PostTransaction
Exec = /usr/local/bin/DKMS-signing.sh
NeedsTargets

DKMS-signing.sh

#!/usr/bin/bash
#
# signing DKMS Modules
#

kernlocalver="-up"

signkey="/mnt/SundP/kernel-signing/dkms-kernel-up-key.pem"

kernelr=$( dkms status -k "*$kernlocalver" | head -n1 | grep -Eo '[3-9].([0-9]|\.){3,}-[0-9]-up' )
kernelp="/usr/lib/modules/$kernelr"

for i in $( dkms status -k "*$kernlocalver" | grep installed | grep -Eo '^[[:alnum:]]([[:alnum:]]|_|-|\.)*' ); do

  modver=$( dkms status -k "*$kernlocalver" | grep "$i" | awk '{ print $2 }' | sed 's/,$//' )

  for ii in $( grep -Eo '^BUILT_MODULE_NAME.*$' /usr/src/"$i"-"$modver"/dkms.conf | grep -Eo '\"[[:alnum:]]([[:alnum:]]|_|-|\.)*\"' | sed 's/"//g' ); do

      pathm=$( grep -Eo '^DEST_MODULE_LOCATION.*$' /usr/src/"$i"-"$modver"/dkms.conf | head -n1 | grep -Eo '\"/([[:alnum:]]|/).*\"' | sed 's/"//g' | sed 's/\/$//' )
      modxz="$kernelp$pathm/$ii.ko.xz"
      mod="$kernelp$pathm/$ii.ko"
      #ls "$modxz"
      if [ ! -f "$modxz" ]; then
        echo "$modxz not available"
        continue
      fi
      # extract
      unxz "$modxz"
      if ! grep "~Module signature appended~" "$mod" >/dev/null 2>&1; then
        echo "Sign $mod"
        # sign
        "/usr/lib/modules/$kernelr/build/scripts/sign-file" sha512 "$signkey" "$signkey" "$mod"
      fi
      #compress
      xz "$mod"
      # Fix DKMS status check
      if ! diff -q /var/lib/dkms/"$i"/"$modver"/"$kernelr"/x86_64/module/"$ii".ko.xz "$modxz" >/dev/null 2>&1; then
        cp "$modxz" /var/lib/dkms/"$i"/"$modver"/"$kernelr"/x86_64/module/
      fi
  done
done