From 722ec1fea554d8c995168593074d524a98866ff8 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Mon, 18 Nov 2019 00:12:28 +0300
Subject: [PATCH] Reenable CONFIG_MODULE_SIG_ALL=y

---
 kernel.spec | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/kernel.spec b/kernel.spec
index 54ada30..ba29abd 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel 10
 # Release number. Increase this before a rebuild.
-%define rpmrel 6
+%define rpmrel 7
 %define fullrpmrel %{rpmrel}
 %define rpmtag %{disttag}
@@ -782,9 +782,11 @@ sed -i '/CONFIG_MODULE_SIG/d' .config
 echo CONFIG_MODULE_SIG=y >> .config
 # Disallow loading not signed modules
 echo CONFIG_MODULE_SIG_FORCE=y >> .config
-# Do not sign all built modules automatically because we strip
-# and sign them later, otherwise signatures wil be stripped
-echo CONFIG_MODULE_SIG_ALL=n >> .config
+# If %%build_debig is true, automatic signatures will be stripped,
+# then modules will be resigned, otherwise automatic signatures
+# will not be stripped and modules will not be resigned.
+# Without this option being on, keys do not get into vmlinuz.
+echo CONFIG_MODULE_SIG_ALL=y >> .config
 # Use SHA-512 algo
 echo CONFIG_MODULE_SIG_SHA512=y >> .config
 # Set path to the key that will be generated later by openssl
@@ -1060,7 +1062,7 @@ rm -f %{temp_modules}/debug_module_list
 # endif build_debug
 %endif
-%if %{enhanced_security}
+%if %{enhanced_security} && %{build_debug}
 # Sign modules (after stripping)
 # scripts/sign-file [-dp] []
 find %{temp_modules}/%{kver_full}/kernel -name '*.ko' | sort -u | \
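Review bot: In the hunk at `@@ -782,9 +782,11 @@` the new comment misspells the macro as `%%build_debig`; it should read `%%build_debug`, otherwise a search for the macro name misses this explanation. The comment should also state the consequence under `CONFIG_MODULE_SIG_FORCE=y`, which is set two lines above: `# With CONFIG_MODULE_SIG_FORCE=y a module that loses its signature after this point cannot be loaded.` The statement that keys do not reach vmlinuz without this option is presumably an observed build result; naming the kernel version or bug report where it was seen would let a later maintainer re-test it.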
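Review bot: With the condition in the hunk at `@@ -1060,7 +1062,7 @@` narrowed to `%if %{enhanced_security} && %{build_debug}`, non-debug builds are no longer re-signed and depend entirely on the CONFIG_MODULE_SIG_ALL signatures surviving the rest of %install, and nothing visible in the patch verifies that they do. Because CONFIG_MODULE_SIG_FORCE=y is set, any later step that rewrites a .ko file (a packaging strip script, for instance) would produce modules the kernel refuses to load, and that would only be noticed at boot. A build-time check that every module still ends with the signature trailer would catch it; it belongs after the last step that modifies the modules and before any compression, which lies outside this hunk. The signing pipeline itself also continues past the end of the hunk.

```spec
# ... unchanged: conditional signing block, closed by its own %endif ...
%if %{enhanced_security}
# Fail the build if any module lacks an appended signature.
find %{temp_modules}/%{kver_full}/kernel -name '*.ko' | sort -u | \
while IFS= read -r m; do
  tail -c 28 "$m" | grep -q '~Module signature appended~' || \
    { echo "unsigned module: $m" >&2; exit 1; }
done
%endif
```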