diff --git a/kernel-i586.config b/kernel-i586.config
index 713f5a3..f845265 100644
--- a/kernel-i586.config
+++ b/kernel-i586.config
@@ -3079,12 +3079,16 @@ CONFIG_INPUT_YEALINK=m
 CONFIG_INSTRUCTION_DECODER=y
 CONFIG_INT3406_THERMAL=m
 CONFIG_INT340X_THERMAL=m
-CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
-CONFIG_INTEGRITY_AUDIT=y
-CONFIG_INTEGRITY_PLATFORM_KEYRING=y
-CONFIG_INTEGRITY_SIGNATURE=y
-CONFIG_INTEGRITY_TRUSTED_KEYRING=y
 CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+# For now allow to add any public keys, not only the ones signed
+# by a CA known to the kernel (ROSA CA)
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850339#20
+# TODO: =y?
+CONFIG_INTEGRITY_TRUSTED_KEYRING=n
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
 CONFIG_INTEL_ATOMISP2_PM=m
 CONFIG_INTEL_BXT_PMIC_THERMAL=m
 CONFIG_INTEL_BXTWC_PMIC_TMU=m
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index 120d819..5c8edfe 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -3110,9 +3110,16 @@ CONFIG_INPUT_YEALINK=m
 CONFIG_INSTRUCTION_DECODER=y
 CONFIG_INT3406_THERMAL=m
 CONFIG_INT340X_THERMAL=m
-CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_INTEGRITY_SIGNATURE is not set
 CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_AUDIT=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
+# For now allow to add any public keys, not only the ones signed
+# by a CA known to the kernel (ROSA CA)
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850339#20
+# TODO: =y?
+CONFIG_INTEGRITY_TRUSTED_KEYRING=n
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
 CONFIG_INTEL_ATOMISP2_PM=m
 CONFIG_INTEL_BXT_PMIC_THERMAL=m
 CONFIG_INTEL_BXTWC_PMIC_TMU=m
diff --git a/kernel.spec b/kernel.spec
index e88652d..17c47bf 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -24,7 +24,7 @@
 %define sublevel	72
 
 # Release number. Increase this before a rebuild.
-%define rpmrel		1
+%define rpmrel		2
 %define fullrpmrel	%{rpmrel}
 
 %define rpmtag		%{disttag}