If the pre-compiled drivers in your repo are signed for use with secure boot, where is the public x509 “Cert”, either “.der”, “.pem”, “.crt”, that gets installed with mokutil? I am trying to come up with an efficient, scalable auto-patching solution for our desktop machines that have Nvidia cards. Please note this is about secure boot kernel module driver signing, not the .rpm package gpg signing. Please help. Thanks, mm
Are the kernel drivers in your repo https://developer.download.nvidia.com/compute/cuda/repos/rhel8/x86_64 signed for secure boot?
Hi there Mike,
I’m not sure if NVIDIA signs their pre-compiled drivers, but my guess is not.
Because this would kind of defeat the purpose of secure boot. You should be the one that signs the modules, with keys you have placed your trust in.
Please consult this site: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel for more information, if you like.
I hope this helps you.
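Whether a given module file carries a signature at all can be checked directly. The following is an added example, not part of the original posts and not NVIDIA or Red Hat code: it looks for the trailer the Linux kernel appends to signed modules (a 12-byte `struct module_signature` followed by the magic string `~Module signature appended~\n`) and handles the `.ko.xz` compression used on RHEL 8. The function names and the sample bytes are constructed for illustration.

```python
import lzma
import struct

MAGIC = b"~Module signature appended~\n"  # trailer the kernel looks for
PKEY_ID_PKCS7 = 2                         # id_type used for PKCS#7 signatures
HDR_LEN = 12                              # sizeof(struct module_signature)


def read_module(path):
    """Return raw module bytes, decompressing .ko.xz files first."""
    with open(path, "rb") as f:
        data = f.read()
    return lzma.decompress(data) if path.endswith(".xz") else data


def signature_info(data):
    """Parse the appended-signature trailer; return None if unsigned."""
    if not data.endswith(MAGIC):
        return None
    hdr_end = len(data) - len(MAGIC)
    if hdr_end < HDR_LEN:
        raise ValueError("truncated signature trailer")
    # Layout: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = struct.unpack(
        ">5B3xI", data[hdr_end - HDR_LEN:hdr_end])
    if sig_len > hdr_end - HDR_LEN:
        raise ValueError("sig_len exceeds file size")
    return {
        "id_type": id_type,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,                            # signature blob size
        "payload_len": hdr_end - HDR_LEN - sig_len,    # module without signature
    }


if __name__ == "__main__":
    # Constructed sample: fake module body + fake 64-byte signature + trailer.
    body = b"\x7fELF" + b"\x00" * 100
    sample = body + b"S" * 64 + struct.pack(">5B3xI", 0, 0, 2, 0, 0, 64) + MAGIC
    print("signed sample:  ", signature_info(sample))
    print("unsigned sample:", signature_info(body))
```

A trailer only shows that a signature is present. It does not verify the signature or show that the signing key is enrolled on the machine; `modinfo -F signer <module>` reports the signer and `mokutil --list-enrolled` lists the enrolled MOK keys.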