diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aad9..39fb3a53bfe3 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -60,6 +60,7 @@ $(obj)/signing_key.pem: $(obj)/x509.genkey
 @$(kecho) "### needs to be run as root, and uses a hardware random"
 @$(kecho) "### number generator if one is available."
 @$(kecho) "###"
+# TODO: fix for LibreSSL/OpenSSL + GOST (Streebog)
 $(Q)openssl req -new -nodes -utf8 -$(CONFIG_MODULE_SIG_HASH) -days 36500 \
 -batch -x509 -config $(obj)/x509.genkey \
 -outform PEM -out $(obj)/signing_key.pem \
diff --git a/init/Kconfig b/init/Kconfig
index bd7d650d4a99..eef670c9571b 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2070,6 +2070,14 @@ config MODULE_SIG_SHA512
 bool "Sign modules with SHA-512"
 select CRYPTO_SHA512
 
+config MODULE_SIG_STREEBOG256
+ bool "Sign modules with STREEBOG-256"
+ select CRYPTO_STREEBOG
+
+config MODULE_SIG_STREEBOG512
+ bool "Sign modules with STREEBOG-512"
+ select CRYPTO_STREEBOG
+
 endchoice
 
 config MODULE_SIG_HASH
@@ -2080,6 +2088,8 @@ config MODULE_SIG_HASH
 default "sha256" if MODULE_SIG_SHA256
 default "sha384" if MODULE_SIG_SHA384
 default "sha512" if MODULE_SIG_SHA512
+ default "streebog256" if MODULE_SIG_STREEBOG256
+ default "streebog512" if MODULE_SIG_STREEBOG512
 
 config MODULE_COMPRESS
 bool "Compress modules on installation"
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f57..010c5f02ff5e 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -41,9 +41,7 @@
 * signing with anything other than SHA1 - so we're stuck with that if such is
 * the case.
 */
-#if defined(LIBRESSL_VERSION_NUMBER) || \
- OPENSSL_VERSION_NUMBER < 0x10000000L || \
- defined(OPENSSL_NO_CMS)
+#if defined(OPENSSL_NO_CMS) || OPENSSL_VERSION_NUMBER < 0x10000000L
 #define USE_PKCS7
 #endif
 #ifndef USE_PKCS7
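Review bot: The TODO placed before the `openssl req` line leaves the command itself unchanged, so once a Streebog option is selected the recipe passes `-streebog256` or `-streebog512` as the digest flag, which the TODO suggests is not yet expected to work with LibreSSL/OpenSSL. That would turn automatic signing-key generation into a late and opaque build failure. Until the command is fixed, the comment should name the failure and the way around it, for example `# Streebog: openssl req needs GOST digest support; otherwise supply a pre-generated signing key instead of relying on this rule`. The comment also starts in column 0 in the middle of the recipe, so moving it above the rule would read more clearly. The recipe continues past the end of the hunk.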
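Review bot: `MODULE_SIG_STREEBOG256` and `MODULE_SIG_STREEBOG512` are added without help text or any dependency, although the TODO this commit puts in certs/Makefile indicates that key generation does not yet work for these digests. Someone who picks them from the choice gets no hint that the build host needs an OpenSSL with GOST digests available, or that the signing key may have to be provided by hand. A short `help` entry on each option would cover it, e.g. `Requires GOST (Streebog) digest support in the OpenSSL used to generate the key and sign modules.` The `default "streebog256"` and `default "streebog512"` strings in the next hunk are handed to `openssl req` by name as `-$(CONFIG_MODULE_SIG_HASH)`, so it is worth confirming they match the digest names that library accepts.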
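Review bot: Dropping the `LIBRESSL_VERSION_NUMBER` test sends every LibreSSL build down the CMS path unless `OPENSSL_NO_CMS` is defined, and the remaining version comparison does not help there because LibreSSL reports a fixed, high `OPENSSL_VERSION_NUMBER`. A LibreSSL release without the CMS API would, I expect, now fail to compile sign-file instead of falling back to PKCS#7. A bounded check keeps the fallback for those releases: `#if defined(OPENSSL_NO_CMS) || OPENSSL_VERSION_NUMBER < 0x10000000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < FIRST_LIBRESSL_WITH_CMS)`, where the last name is a placeholder for the first release that ships CMS. The comment above the `#if`, which starts outside the hunk, says the PKCS#7 path is stuck with SHA1, so if that path does not already reject other digests it should refuse a Streebog request outright instead of signing with a different hash than the one configured.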