Fix trixie signing (sonic-net#52)

tirupatihemanth · saiarcot895 · commit 94a430ff927b · 2025-11-23T00:15:23.000-08:00
* Fix deb13 signing

* [Debian 13] Fix Signing
diff --git a/build_debian.sh b/build_debian.sh
@@ -714,8 +714,9 @@ if [[ $SECURE_UPGRADE_MODE == 'dev' || $SECURE_UPGRADE_MODE == "prod" ]]; then
                                                              -k ${FILESYSTEM_ROOT}/usr/lib/modules
 
         # verifying vmlinuz file.
-        sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH} \
-                                                             -c $SECURE_UPGRADE_SIGNING_CERT
+        sudo ./scripts/secure_boot_signature_verification.sh -e $FILESYSTEM_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}+deb13-sonic-${CONFIGURED_ARCH} \
+                                                             -c $SECURE_UPGRADE_SIGNING_CERT \
+                                                             -k $FILESYSTEM_ROOT
     fi
     echo "Secure Boot support build stage: END."
 fi
diff --git a/scripts/signing_kernel_modules.sh b/scripts/signing_kernel_modules.sh
@@ -54,9 +54,8 @@ if [ ! -f ${PEM_PRIVATE_KEY} ]; then
     exit 1
 fi
 
-kbuild_ver_major="$(cut -d '.' -f 1 <<< "$LINUX_KERNEL_VERSION")"."$(cut -d '.' -f 2 <<< "$LINUX_KERNEL_VERSION")"
 if [ -z ${LOCAL_SIGN_FILE} ]; then
-    LOCAL_SIGN_FILE="/usr/lib/linux-kbuild-${kbuild_ver_major}/scripts/sign-file"
+    LOCAL_SIGN_FILE="/usr/lib/linux-kbuild-${LINUX_KERNEL_VERSION}/scripts/sign-file"
 fi
 
 if [ ! -f ${LOCAL_SIGN_FILE} ]; then
@@ -66,7 +65,7 @@ if [ ! -f ${LOCAL_SIGN_FILE} ]; then
 fi
 
 if [ -z ${LOCAL_EXTRACT_CERT} ]; then
-    LOCAL_EXTRACT_CERT="/usr/lib/linux-kbuild-${kbuild_ver_major}/certs/extract-cert"
+    LOCAL_EXTRACT_CERT="/usr/lib/linux-kbuild-${LINUX_KERNEL_VERSION}/certs/extract-cert"
 fi
 
 if [ ! -f ${LOCAL_EXTRACT_CERT} ]; then
diff --git a/scripts/signing_secure_boot_dev.sh b/scripts/signing_secure_boot_dev.sh
@@ -100,7 +100,7 @@ done
 ## vmlinuz signing
 ######################
 
-CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}-${CONFIGURED_ARCH}
+CURR_VMLINUZ=$FS_ROOT/boot/vmlinuz-${LINUX_KERNEL_VERSION}+deb13-sonic-${CONFIGURED_ARCH}
 
 # clean old files
 clean_file ${CURR_VMLINUZ}-signed
@@ -116,6 +116,6 @@ mv ${CURR_VMLINUZ}-signed ${CURR_VMLINUZ}
 #########################
 # Kernel Modules signing
 #########################
-./scripts/signing_kernel_modules.sh -l $LINUX_KERNEL_VERSION -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}/usr/lib/modules
+./scripts/signing_kernel_modules.sh -l ${LINUX_KERNEL_VERSION}+deb13 -c ${PEM_CERT} -p ${PEM_PRIV_KEY} -k ${FS_ROOT}
 
 echo "$0 signing & verifying EFI files and Kernel Modules DONE"
