Re: [PATCH] MODSIGN: Change default key details [ver #2]

From: Linus Torvalds
Date: Sun May 03 2015 - 21:45:50 EST


On Sat, May 2, 2015 at 2:46 AM, Abelardo Ricart III <aricart@xxxxxxxxxx> wrote:
> endif
>
> -signing_key.priv signing_key.x509: x509.genkey
> +signing_key.priv signing_key.x509: | x509.genkey

Hmm. Thinking some more about this, I'm not entirely convinced.

With this change, if we change kernel/Makefile to have a different
keysigning authority etc, it won't re-generate the keys, because the
old keys still exist. No? That would be wrong.

I'd much rather see "x509.genkey" be generated with a move-if-changed
pattern, so that it only changes if (a) it didn't exist before or (b)
it actually has new content.

On a tangentially related issue: I figured out why I get those (very
annoying) "X.509 certificate list changed" messages. I made it print
out *what* changed:

X.509 certificate list changed from ./signing_key.x509 to signing_key.x509

Note the "./" difference.

Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/