Reenable CONFIG_MODULE_SIG_ALL=y

kernel.spec

@@ -11,7 +11,7 @@
 %define sublevel	10
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		6
+%define rpmrel		7
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -782,9 +782,11 @@ sed -i '/CONFIG_MODULE_SIG/d' .config
 echo CONFIG_MODULE_SIG=y >> .config
 # Disallow loading not signed modules
 echo CONFIG_MODULE_SIG_FORCE=y >> .config
-# Do not sign all built modules automatically because we strip
-# and sign them later, otherwise signatures wil be stripped
-echo CONFIG_MODULE_SIG_ALL=n >> .config
+# If %%build_debig is true, automatic signatures will be stripped,
+# then modules will be resigned, otherwise automatic signatures
+# will not be stripped and modules will not be resigned.
+# Without this option being on, keys do not get into vmlinuz.
+echo CONFIG_MODULE_SIG_ALL=y >> .config
 # Use SHA-512 algo
 echo CONFIG_MODULE_SIG_SHA512=y >> .config
 # Set path to the key that will be generated later by openssl
@@ -1060,7 +1062,7 @@ rm -f %{temp_modules}/debug_module_list
 # endif build_debug
 %endif
 
-%if %{enhanced_security}
+%if %{enhanced_security} && %{build_debug}
 # Sign modules (after stripping)
 # scripts/sign-file [-dp] <hash algo> <key> <x509> <module> [<dest>]
 find %{temp_modules}/%{kver_full}/kernel -name '*.ko' | sort -u | \