From a7f7bf859830f69cfd048d4651c3d4673beceb1d Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Date: Mon, 18 Nov 2019 21:25:13 +0300
Subject: [PATCH] Explicitly enable CONFIG_SYSTEM_EXTRA_CERTIFICATE (is enabled
 in Kconfig by default)

---
 kernel.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel.spec b/kernel.spec
index ac1cb67..d0b59ca 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -11,7 +11,7 @@
 %define sublevel	11
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		2
+%define rpmrel		3
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}
@@ -795,6 +795,9 @@ echo CONFIG_MODULE_SIG_KEY="%{certs_signing_key_rnd}" >> .config
 # Set path to one PEM file with all keys that the kernel must trust
 sed -i '/CONFIG_SYSTEM_TRUSTED_KEYS/d' .config
 echo CONFIG_SYSTEM_TRUSTED_KEYS="%{certs_public_keys}" >> .config
+# Reserve area for inserting a certificate without recompiling
+sed -i '/CONFIG_SYSTEM_EXTRA_CERTIFICATE/d' .config
+echo CONFIG_SYSTEM_EXTRA_CERTIFICATE=y >> .config
 
 # Memory wiping
 # Introduced in kernel 5.3 by commit 6471384af2a6530696fc0203bafe4de41a23c9ef