diff --git a/kernel.spec b/kernel.spec index 6a0163a..dad954b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -11,7 +11,7 @@ %define sublevel 25 # Release number. Increase this before a rebuild. -%define rpmrel 3 +%define rpmrel 5 %define fullrpmrel %{rpmrel} %define rpmtag %{disttag} @@ -53,6 +53,7 @@ %endif # User Mode Linux, https://habr.com/ru/company/itsumma/blog/459558/ %bcond_without uml +%bcond_with gost_keys # Kernel flavour %if %{enhanced_security} @@ -988,9 +989,11 @@ EOF cat "%{certs_key_config_rnd}" libressl req -new -nodes -utf8 -batch \ +%if %{with gost_keys} -newkey gost2001 \ -pkeyopt dgst:streebog512 -pkeyopt paramset:A \ -streebog512 \ +%endif -days 109500 \ -x509 -config "%{certs_key_config_rnd}" \ -outform PEM \ @@ -998,12 +1001,14 @@ libressl req -new -nodes -utf8 -batch \ -keyout "%{certs_signing_key_priv_rnd}" # Verify +%if %{with gost_keys} libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \ | grep -E 'Signature Algorithm:.*GOST R 34.10-2012' libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \ | grep -E 'Digest Algorithm:.*GOST R 34-11-2012' libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \ | grep -E 'Public Key Algorithm:.*GOST R 34.10-2012' +%endif # Strip public part from the generated PEM sed -n \ 
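Review bot: The new `%bcond_with gost_keys` line has no comment, unlike the `%bcond_without uml` line directly above it, so a packager has to read down to the `libressl req` and `_libressl_sign` hunks to learn what the switch changes. A one-line comment would do, e.g. `# Generate the module-signing key/cert with GOST (gost2001/streebog512) instead of libressl's default key type; off by default, enable with --with gost_keys`. It should also record that the GOST path is the one this same commit marks as producing an incorrect signature, so nobody enables it expecting working module verification.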
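Review bot: With gost_keys off, the `libressl req` call at the top of this hunk is left with no `-newkey` and no digest option, so the module-signing key type, size and certificate digest fall back to whatever `%{certs_key_config_rnd}` (not shown) and the libressl build define as defaults. For a key the kernel will trust for module loading those parameters should be pinned in the spec itself, in an `%else` branch after the new `%endif`, e.g. `-newkey rsa:4096 \` and `-sha512 \` (presumably RSA is the intended type, given the "RSA keys" wording in the additional_keys hunk), so a change of defaults cannot silently weaken the key. The req command starts here and its remaining options continue in the next hunk.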
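Review bot: In the non-GOST build the three `libressl x509 ... | grep -E` checks are skipped outright rather than replaced, so the certificate that becomes the module-signing trust anchor is never inspected before use. An `%else` branch before the new `%endif` should keep an equivalent check for the default-key case, e.g. `libressl x509 -in "%{certs_signing_key_priv_rnd}" -text -noout \` followed by `| grep -E 'Public Key Algorithm:.*rsaEncryption'` (adjust the pattern if the intended default is not RSA). Without it, an unexpected key type or a malformed PEM only surfaces at module load time.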
@@ -1019,11 +1024,11 @@ sed -i %{src_dir}/scripts/Makefile \ %endif -e "s,-lcrypto,${libressl_cflags},g" -%if %{with additional_keys} -# Add additional public keys to the list of trusted keys for kernel modules +%if %{with additional_keys} && !%{with gost_keys} +# Add additional public RSA keys to the list of trusted keys for kernel modules # Build kernel --without additional_keys if you do not want to trust them -##cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \ -## >> "%{certs_public_keys}" +cat %{expand:%(for i in `seq 1 12`; do echo "%%SOURCE$((200+${i}))" | tr "\n" " "; done)} \ + >> "%{certs_public_keys}" %endif #endif additional_keys cat %{certs_public_keys} %endif #endif enhanced_security @@ -1205,12 +1210,18 @@ _libressl_sign(){ return 0 fi f="$1" +%if %{with gost_keys} + # This is an incorrect signature, GOST support is needed in CMS (?!) libressl dgst -streebog512 \ -sign "%{certs_signing_key_priv_rnd}" "$f" \ > "${f}.sig" %{src_dir}/scripts/sign-file -s "${f}.sig" streebog512 \ "%{certs_signing_key_priv_rnd}" "$f" rm "${f}.sig" +%else + %{src_dir}/scripts/sign-file sha512 \ + "%{certs_signing_key_priv_rnd}" "%{certs_signing_key_priv_rnd}" "$f" +%endif unset f } export -f _libressl_sign
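Review bot: Uncommenting the `cat ... >> "%{certs_public_keys}"` line makes the twelve SOURCE201–SOURCE212 public keys trusted module signers in every build that does not pass `--without additional_keys` (the comment above it reads as if that is the default), which is a trust-anchor change that the comment should state explicitly rather than leave implicit. The comment should also say why these keys are dropped when gost_keys is on, since nothing in the hunk explains the `&& !%{with gost_keys}` coupling; something like `# Skipped under gost_keys because <reason>` is enough. Style: `%if %{with additional_keys} && %{without gost_keys}` is the idiomatic rpm spelling of the negated condition.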
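Review bot: The added comment `# This is an incorrect signature, GOST support is needed in CMS (?!)` tells the reader the GOST branch is known not to yield a valid module signature, yet a `--with gost_keys` build still completes and silently ships those signatures; either the comment should spell out the consequence, e.g. `# Known-invalid signature: the CMS/PKCS#7 layer lacks GOST support, so the kernel cannot verify modules signed here`, or the branch should refuse to build. In the `%else` branch, `sign-file sha512 ...` runs with no status check, so whether a failed signing aborts the build depends on how `_libressl_sign` is invoked, which is outside this hunk; `"%{certs_signing_key_priv_rnd}" "%{certs_signing_key_priv_rnd}" "$f" || return 1` makes it explicit and matches the `return 0` guard at the top of the function. The `sha512` literal should also carry a comment noting it must agree with the kernel's configured `CONFIG_MODULE_SIG_HASH`, which this hunk does not show. The function's opening lines are above the hunk.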