The last few days, I tried to automatically sign DKMS modules for my own Kernel builds. I add -up as my localversion. The pacman hook and the signing script rely on that, but it can be changed easily.
I add my own version of x509.genkey to the certs folder and let the Kernel build generate a fresh key that is only used to sign the in-tree modules. I don't store it after the build.
I also add a cert file dkms-kernel-cert.pem to the certs folder. This file only contains the certificate (public key) and is added to the default keyring via
The private key belonging to that cert was generated manually and is stored. I use this key to sign the DKMS modules. I like this way because with it I don't need to store the private key in too many locations.
It is also possible to save multiple certs in one file and add them to the Kernel keyring.
dmesg will print a line for every key that is loaded into the keyring.
The pacman hook is basically the dkms-install hook: it has the same target, but I narrowed the target down to my own Kernel build. This hook starts the DKMS-signing.sh script. I named the hook 72-dkms-signing.hook, because it needs to run after the dkms-install hook.
The DKMS-signing.sh script is a little bit ugly, but it works for me. Things like grepping through a binary file, a for loop inside a for loop, or semi-optimal regexes aren't nice, so it needs some extra work.
The hook and the signing script: https://gist.github.com/xabbu/cada05287d55f1903094775b8ae5bc02
I noticed dkms isn't happy if the module in /usr/lib/modules/... is different from the one it stores in /var/lib/dkms/... . So the script copies the signed module back to
I tried the script only with modules I use myself. It might break horribly with other modules. I use 8192eu, acpi_call, broadcom-wl, vboxhost and wireguard.
I found that it is possible to add multiple signatures to a module. Multiple signatures will not break the module, but only the last one is checked by the Kernel.
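The "grepping through a binary file" and the stacked-signatures observation above both come down to the trailer format that scripts/sign-file appends to a .ko: the PKCS#7 blob, a 12-byte struct module_signature, then the magic string ~Module signature appended~. The following is an added example written for this post, not code from the gist or from the kernel tree. It parses that trailer from the end of a module image the way the kernel does, lists every appended signature (index 0 being the outermost one, the only one the kernel verifies), and strips them so a re-signing hook does not keep stacking trailers. The ELF bytes and the two "PKCS7" blobs in demo() are constructed stand-ins; a real module carries a DER-encoded PKCS#7 SignedData structure there.

```python
import struct

# Trailer layout used by the kernel for appended module signatures
# (include/linux/module_signature.h): the PKCS#7 blob, then a 12-byte
# struct module_signature, then the 28-byte magic string.
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def append_signature(module, pkcs7_der):
    """Append one signature trailer in the same layout scripts/sign-file writes."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + hdr + MAGIC


def split_signatures(module):
    """Peel every appended signature off the end of a module image.

    Returns (unsigned_payload, signatures) with signatures ordered as the
    kernel sees them: index 0 is the outermost (last appended) trailer,
    the only one the kernel actually verifies.
    """
    sigs = []
    while module.endswith(MAGIC):
        body = module[:-len(MAGIC)]
        if len(body) < SIG_HDR.size:
            raise ValueError("truncated module_signature header")
        algo, digest, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(
            body[-SIG_HDR.size:]
        )
        # Same sanity checks as the kernel's mod_check_sig(): only PKCS#7
        # trailers are accepted and the legacy fields must be zero.
        if id_type != PKEY_ID_PKCS7:
            raise ValueError("unsupported id_type %d" % id_type)
        if (algo, digest, signer_len, key_id_len) != (0, 0, 0, 0):
            raise ValueError("non-zero legacy fields in signature header")
        body = body[:-SIG_HDR.size]
        if sig_len > len(body):
            raise ValueError("sig_len exceeds module size")
        sigs.append(body[-sig_len:])
        module = body[:-sig_len]
    return module, sigs


def strip_signatures(module):
    """Return the bare module so it can be re-signed without stacking trailers."""
    return split_signatures(module)[0]


def demo():
    # Constructed stand-ins: a fake ELF image and two fake PKCS#7 blobs,
    # one as if from the in-tree build key and one as if from the DKMS key.
    payload = b"\x7fELF" + b"\x00" * 60
    sig_from_build = b"FAKE-PKCS7-BUILD-KEY"
    sig_from_dkms = b"FAKE-PKCS7-DKMS-KEY"
    stacked = append_signature(append_signature(payload, sig_from_build), sig_from_dkms)
    bare, sigs = split_signatures(stacked)
    return bare == payload, len(sigs), sigs[0]


if __name__ == "__main__":
    ok, count, checked = demo()
    print("payload intact:", ok)
    print("signatures appended:", count)
    print("signature the kernel would verify:", checked)
```

Running split_signatures() over the .ko files in /var/lib/dkms and /usr/lib/modules shows at a glance whether a module has zero, one or several trailers, which is the check to run before and after the signing hook. For a real module, modinfo -F signer and modinfo -F sig_key read the same trailer at the end of the file.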
I also added CONFIG_MODULE_SIG_FORCE=y to my config. This prevents loading of unsigned and invalidly signed modules. But it was more of a test, since it can't be turned off.