I want to install This driver without disabling secure boot as I’m in a dual boot system with Windows and its required for some programs, but according to its instructions, I have to sign the driver in order to make it work, I’ve successfully installed NVIDIA’s proprietary drivers using this guide, but the more I look the more questions I have, which can be summed with the following bullet points:
Is installing any driver has the same procedure as this nvidia driver tutorial (be aware that this is for fedora 36 which has automated some stuff regarding the signing), or this is just a special case for nvidia?
Do I have to sign a new key every time I install a new driver/module? and Is it possible to screw other modules up while installing this driver ?
How to sign and install this driver ?
Why isn’t DKMS mentioned neither in fedora nor RPMfusion’s documentation ? does Fedora use another system for these stuff? I should also note that I barely understand those stuff.
If the package you are installing does not have the akmod part with it then it will not automatically build nor sign the module. VirtualBox and the nvidia driver, both from the rpmfusion repo, include an akmod package that handles automatically building the signed module.
What you downloaded from github likely does not have that feature so it will require you to do the manual steps, both to build and to sign the modules.
Also, since you are doing that manually, you will be required to repeat the build and sign steps for those modules with every kernel update. The module must be built to match the kernel.
Accordingly, it would make things simpler if you document the steps to follow so they are easy to repeat.
You can use the same key as was used for the nvidia drivers, but it is tedious to do the same thing over and over with every kernel update.
You can install dkms from the standard Fedora repository. WIth the package comes the file /usr/share/doc/dkms/README.md, and this file explains that generated modules will be signed, and also how to enroll the key in the Machine Owner Key storage (MOK).
Packages from Rpmfusion uses akmods instead. The akmods package also comes with README files explaining about signing.
You failed to provide the content of ./sign-file so we don’t know what that script actually does.
Also. it seems you put the keys into the kernel subdir that is specific to that kernel which requires the keys be either copied over each time a kernel is updated and a new module generated or a new signature needs to be generated each time the kernel is updated.
(the post tells how to generate the key and to install it to bios)
If you were to generate your key in this way the same key could be used for both manually signing the module the way you do and for using it with akmod packages that build the module with akmods. It would only require modifying the path to the keys.
Generating one key is all that is required with the public key at /etc/pki/akmods/certs/public_key.der and the private key at /etc/pki/akmods/private/private_key.der
I don’t have to provide because It is comes with kernel If you check it. It is for sign I didn’t put there manually. (/usr/src/kernels/$(uname -r)/scripts/ it is in here)
Also I showed this because I used this way before f36 released without automatic and and It was works fine. I tested and used so many times when I had to run for each kernel update and sign the drivers.
I already know how to automatic but question was about how sign manually and I showed the way without akmod or dkms (plus dkms is old using akmod is better to control)
I merely suggested a way that you could realistically use the same keys as are used by akmods when a new module is signed and avoid creating new keys or copying them from another location when doing updates.
I had not checked, but I see that sign-files is a binary so my question was invalid. My bad!
BTW, akmods has been available and in use for quite some time, not just with F36. It also does not rely on dkms.
That variable for pointing just a path for example (/home/fedora/somefolder) you can use whatever you want. If you want you can even change it. I posted for “example” so you can understand easily. I didn’t use actual path of mine.
Simply go to Fedora User Docs/F36/System Administrator Guide/Kernel, module and driver configuration/Working with kernel modules => everything is clearly explained in detail being a feature to use EFI secure boot with Fedora and Microsoft signature among others things. There is a detail in real life about NVIDIA that baffles me …
The Ubunto repositories does provide Virtualbox, and the drivers are automatically compiled using the dkms facility. The resulting drivers are automatically signed.
The Arch distribution, according to its wiki pages, also uses dkms to install third party kernel modules.