diff --git a/kernel.spec b/kernel.spec
index a285253..8039029 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel	28
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		1
+%define rpmrel		2
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -53,13 +53,16 @@
 %endif
 # User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/
 %bcond_without uml
-%bcond_with gost_sign
 
 # "Nickel" is a special brand for certified distros
+# gost_sign will probably be enabled outside of Nickel later,
+# but for now let's better do not make such experiments in stable platforms
 %if %{mdvver} == 201900 || %{mdvver} == 201905
 %bcond_without nickel
+%bcond_without gost_sign
 %else
 %bcond_with nickel
+%bcond_with gost_sign
 %endif
 
 # Kernel flavour
@@ -1299,13 +1302,8 @@ _libressl_sign(){
 	fi
 	f="$1"
 %if %{with gost_sign}
-	# This is an incorrect signature, GOST support is needed in CMS (?!)
-	libressl dgst -streebog512 \
-		-sign "%{certs_signing_key_priv_rnd}" "$f" \
-		> "${f}.sig"
-	%{src_dir}/scripts/sign-file -s "${f}.sig" streebog512 \
-		"%{certs_signing_key_priv_rnd}.GOST" "$f"
-	rm "${f}.sig"
+	%{src_dir}/scripts/sign-file streebog512 \
+		"%{certs_signing_key_priv_rnd}.GOST" "%{certs_signing_key_priv_rnd}.GOST" "$f"
 %else
 	%{src_dir}/scripts/sign-file sha512 \
 		"%{certs_signing_key_priv_rnd}.RSA" "%{certs_signing_key_priv_rnd}.RSA" "$f"