kbuild: Fix module signature generation

Rusty had clearly not actually tested his module signing changes that I (trustingly) applied as commit e2a666d5 ("kbuild: sign the modules at install time"). That commit had multiple bugs: - using "${#VARIABLE}" to get the number of characters in a shell variable may look clever, but it's locale-dependent: it returns the number of *characters*, not bytes. And we do need bytes. So don't use "${#..}" expansion, do the stupid "wc -c" thing instead (where "c" stands for "bytes", not "characters", despite the letter. - Rusty had confused "siglen" and "signerlen", and his conversion didn't set "signerlen" at all, and incorrectly set "siglen" to the size of the signer, not the size of the signature. End result: the modified sign-file script did create something that superficially *looked* like a signature, but didn't actually work at all, and would fail the signature check. Oops. Tssk, tssk, Rusty. But Rusty was definitely right that this whole thing should be rewritten in perl by somebody who has the perl-fu to do so. That is not me, though - I'm just doing an emergency fix for the shell script. Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

kbuild: Fix module signature generation
Rusty had clearly not actually tested his module signing changes that I (trustingly) applied as commit e2a666d5 ("kbuild: sign the modules at install time"). That commit had multiple bugs: - using "${#VARIABLE}" to get the number of characters in a shell variable may look clever, but it's locale-dependent: it returns the number of *characters*, not bytes. And we do need bytes. So don't use "${#..}" expansion, do the stupid "wc -c" thing instead (where "c" stands for "bytes", not "characters", despite the letter. - Rusty had confused "siglen" and "signerlen", and his conversion didn't set "signerlen" at all, and incorrectly set "siglen" to the size of the signer, not the size of the signature. End result: the modified sign-file script did create something that superficially *looked* like a signature, but didn't actually work at all, and would fail the signature check. Oops. Tssk, tssk, Rusty. But Rusty was definitely right that this whole thing should be rewritten in perl by somebody who has the perl-fu to do so. That is not me, though - I'm just doing an emergency fix for the shell script. Cc: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
b05e585d · Linus Torvalds · 16757372 · b05e585d
隐藏空白更改
内联并排

Showing with 3 addition and 2 deletion

scripts/sign-file scripts/sign-file +3 -2

未找到文件。
--- a/scripts/sign-file
+++ b/scripts/sign-file
@@ -81,11 +81,12 @@ openssl dgst $dgst -binary $mod || exit $?
 # the signature with no metadata attached.
 #
 openssl rsautl -sign -inkey $key -keyform PEM -in $mod.dig -out $mod.sig || exit $?
+siglen=`stat -c %s $mod.sig`

 SIGNER="`perl $keyid_script $x509 signer-name`"
 KEYID="`perl $keyid_script $x509 keyid`"
-keyidlen=${#KEYID}
-siglen=${#SIGNER}
+keyidlen=$(echo -n "$KEYID" | wc -c)
+signerlen=$(echo -n "$SIGNER" | wc -c)

 #
 # Build the signed binary