Akmods does not sign compiled module when using rpm-ostree

[travier]

This issue is re-created from old content of https://github.com/fedora-silverblue/issue-tracker/issues/272, which has been removed from GitHub following the author's request (no details) according to GitHub support.

See the (old) archive at: https://web.archive.org/web/20220531094412/https://github.com/fedora-silverblue/issue-tracker/issues/272

---

Describe the bug

When using rpm-ostree, akmods does not sign compiled module with keys found in /etc/pki/akmods.

To Reproduce

• # /usr/sbin/kmodgenca
• # mokutil --import /etc/pki/akmods/certs/public_key.der
• Reboot and enroll
• Overlay an akmods module package(like nvidia driver)
• Reboot

Expected behavior

Modules will get signed with the keys, just like when I run akmods manually.

OS version:

BootedDeployment:
● fedora:fedora/36/x86_64/silverblue
                   Version: 36.20220511.0 (2022-05-11T00:48:12Z)
                BaseCommit: 5c70836453ffbd07757cabeb4c1de5389b95d45d7ec6fe8d2397084e1587fcd7
              GPGSignature: Valid signature by 53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4
           LayeredPackages: fish nvidia-driver

[travier]

This is due to the fact that rpm-ostree install commands run a in fresh deployment and do not share the keys from the host /etc/ to sign the modules.

Workarounds:

• Use Universal Blue NVIDIA images: https://universal-blue.org/images/nvidia/
• https://github.com/CheariX/silverblue-akmods-keys
• https://github.com/nelsonaloysio/build-kmod-nvidia-signed-rpm

[travier]

Updated the doc in https://github.com/fedora-silverblue/silverblue-docs/pull/161

[OptimoSupreme]

Just out of curiosity, is there a plan for this issue to be resolved?