Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild

Fall back to "US" when `locale country_ab2` returns empty (as seen with
LANG=C), preventing an empty countryName in the generated OpenSSL
config.

Fixes: rhbz#2416536

95-akmodsposttrans.install

@@ -41,19 +41,13 @@ fi
 
 case "${COMMAND}" in
 	add)
-		# needs to run in background as rpmdb might be locked otherwise
-		if [ -e /bin/systemctl ] ; then
-			# Exit early if system-update.target is active - rhbz#1518401
-			/bin/systemctl is-active system-update.target &>/dev/null
-			RET=$?
+		# Exit early if system-update.target is active - rhbz#1518401
+		/usr/bin/systemctl -q is-active system-update-pre.target system-update.target
+		RET=$?
 
-			[ $RET == 0 ] && exit 0
+		[[ $RET == 0 ]] && exit 0
 
-			/bin/systemctl restart akmods@${KERNEL_VERSION}.service --no-block >/dev/null 2>&1
-		else
-			nohup /usr/sbin/akmods --from-kernel-posttrans --kernels ${KERNEL_VERSION} > /dev/null 2>&1 &
-		fi
-		exit 0
+		/bin/systemctl restart "akmods@${KERNEL_VERSION}.service" --no-block >/dev/null 2>&1
 		;;
 	remove)
 		# Nothing to do

README

@@ -1,9 +1,12 @@
 Akmods startup script will rebuild akmod packages during system
-boot while its background daemon will build them for kernels right
+boot, while its background daemon will build them for kernels right
 after they were installed.
 
-The akmods systemd service is enabled by default.
+The akmods systemd service provides both, and is enabled by default.
 
 The akmods-shutdown service is disabled by default but can, in some
-circumstantes, provide an additional chance to build and install a kernel
-module.
+circumstances, provide an additional chance to build and install a kernel
+module. Users who would prefer longer shutdowns over delayed startups
+may wish to consider enabling it with the following command:
+
+    sudo systemctl enable --now akmods-shutdown.service

README.secureboot

@@ -0,0 +1,51 @@
+Secure boot is a setup using UEFI firmware to check cryptographic
+signatures on the bootloader and associated OS kernel to ensure they
+have not been tampered with or bypassed in the boot process.
+
+This verification can be extended to Kernel and its modules.
+It's default case in Fedora with UEFI and Secure boot enabled.
+
+Fedora Project have signed kernels and also main modules with Fedora
+Key, but 3rd party modules as NVidia, VirtualBox, etc. need to be signed
+to load.
+
+Akmods provides an enroll process to sign third party modules with your
+own keypair.
+
+At the first run of the akmods.service, certificate and keypair will be
+created with default value using the '/usr/sbin/kmodgenca' script.
+
+You may also wish to manually create your own certificate and keypair
+with `/usr/sbin/kmodgenca` command.
+If '/usr/sbin/kmodgenca' is launched with the '-a' parameter, it will
+use default values to complete the cacert.config file, and to generate
+automatically the cert and the private key.
+If '/usr/sbin/kmodgenca' is launched without parameters, user will be
+prompted to complete manually the cacert.config file, then the cert and
+the private key will be automatically generated.
+If the cert and the private key files already exist,
+'/usr/sbin/kmodgenca' will exit unless the '-f' parameter is used.
+
+The cert and the private key are stored respectively in
+/etc/pki/akmods/certs and /etc/pki/akmods/private/ directories.
+
+Now you need to enroll the public key in MOK, this process is described
+below.
+- Ask MOK to enroll new keypair with certificate with the command
+  `mokutil --import /etc/pki/akmods/certs/public_key.der`.
+- mokutil asks to generate a password to enroll the public key.
+- Rebooting the system is needed for MOK to enroll the new public key.
+- On next boot MOK Management is launched and you have to choose
+  "Enroll MOK".
+- Choose "Continue" to enroll the key or "View key 0" to show the keys
+  already enrolled.
+- Confirm enrollment by selecting "Yes".
+- You will be invited to enter the password generated above.
+  WARNING: keyboard is mapped to QWERTY!
+- The new key is enrolled, and system ask you to reboot.
+
+You can confirm the enrollment of the new keypair once the system
+rebooted with:
+ `mokutil --list-enrolled
+or with:
+ `mokutil --test-key /etc/pki/akmods/certs/public_key.der`

akmods

@@ -1,4 +1,4 @@
-#!/bin/bash -
+#!/usr/bin/bash -
 ########################################################################
 #
 # akmods - Rebuilds and install akmod RPMs
@@ -37,7 +37,7 @@
 
 # global vars
 myprog="akmods"
-myver="0.5.6"
+myver="0.6.2"
 kmodlogfile=
 continue_line=""
 tmpdir=
@@ -47,6 +47,39 @@ verboselevel=2
 # So we always retry anyway
 alwaystry=1
 
+# Check Running plymouth
+no_plymouth=1
+last_message=""
+
+function check_plymouth() {
+	which plymouth > /dev/null 2> /dev/null
+	if [[ "$?" -eq 1 ]]
+	then
+		no_plymouth=1
+		return 0
+	fi
+
+	plymouth --ping
+	no_plymouth=$?
+}
+
+# new or del, msg
+akmods_echo_plymouth(){
+	if [[ "$no_plymouth" -eq 0 ]]
+	then
+		if [[ "$1" -eq 1 ]]
+		then
+			plymouth display-message --text="$2"
+			last_message=$2
+		else
+			if [ -z "${last_message}" ]; then
+				plymouth hide-message --text="$last_message" &
+				last_message=""
+			fi
+		fi
+	fi
+}
+
 akmods_echo()
 {
 	# where to output
@@ -58,7 +91,7 @@ akmods_echo()
 	shift
 
 	# output to console
-	if (( ${verboselevel} >= ${this_verbose} )) ; then
+	if (( verboselevel >= this_verbose )) ; then
 		if [[ "${1}" == "--success" ]] ; then
 			echo_success
 			continue_line=""
@@ -77,7 +110,7 @@ akmods_echo()
 		elif [[ "${1}" == "-n" ]] ; then
 			continue_line="true"
 		fi
-		echo "$@" >&${this_fd}
+		echo "$@" >&"${this_fd}"
 	fi
 
 	# no need to print the status flags in the logs
@@ -91,11 +124,11 @@ akmods_echo()
 	fi
 
 	# global logfile
-	echo "$(date +%Y/%m/%d\ %H:%M:%S) akmods: $@" >> "/var/cache/akmods/akmods.log"
+	echo "$(date +%Y/%m/%d\ %H:%M:%S) akmods: $*" >> "/var/log/akmods/akmods.log"
 
 	# the kmods logfile as well, if we work on a kmod
-	if [[ "${kmodlogfile}" ]] ; then
-		echo "$(date +%Y/%m/%d\ %H:%M:%S) akmods: $@" >> "${kmodlogfile}"
+	if [[ -n "${kmodlogfile}" ]] ; then
+		echo "$(date +%Y/%m/%d\ %H:%M:%S) akmods: $*" >> "${kmodlogfile}"
 	fi
 }
 
@@ -107,7 +140,7 @@ finally()
 	# remove lockfile
 	rm -f /var/cache/akmods/.lockfile
 
-	exit ${1:-128}
+	exit "${1:-128}"
 }
 
 # Make sure finally() is run regardless of reason for exiting.
@@ -115,7 +148,7 @@ trap "finally" ABRT HUP INT QUIT
 
 create_tmpdir()
 {
-	if ! tmpdir="$(mktemp -d -p /tmp ${myprog}.XXXXXXXX)/" ; then
+	if ! tmpdir="$(mktemp -d -p /tmp "${myprog}.XXXXXXXX")/" ; then
 		akmods_echo 2 1 "ERROR: failed to create tmpdir."
 		akmods_echo 2 1 --failure ; return 1
 	fi
@@ -128,7 +161,7 @@ create_tmpdir()
 remove_tmpdir()
 {
 	# remove tmpfiles
-	if [[ "${tmpdir}" ]] && [[ -d "${tmpdir}" ]] ; then
+	if [[ -n "${tmpdir}" ]] && [[ -d "${tmpdir}" ]] ; then
 		rm -f "${tmpdir}"results/* "${tmpdir}"*.log
 		rmdir "${tmpdir}"results/ "${tmpdir}"
 	fi
@@ -136,10 +169,19 @@ remove_tmpdir()
 
 cleanup_cachedir ()
 {
-	create_tmpdir
-	find /boot/ -maxdepth 1 -name 'vmlinuz*' | sed 's|/boot/vmlinuz-||' > "${tmpdir}"results/kernels
-	find "/var/cache/akmods/" -maxdepth 2 -mtime +14 -type f \( -name '*.rpm' -or -name '*.log' \) | grep -v --file "${tmpdir}"results/kernels | xargs --no-run-if-empty rm
-	remove_tmpdir
+	local excluded
+	excluded=$(find /boot -name 'vmlinuz-*' '!' -name '*rescue*' 2>/dev/null | sed 's/.*vmlinuz-//')
+	local -a file_list
+	mapfile -t file_list < <(find /var/cache/akmods -mindepth 2 -type f -not -name .last.log 2>/dev/null | grep -Fv -f <(echo "${excluded}"))
+	for one_file in "${file_list[@]}"; do
+		if grep -q ".*\.rpm$" <<< "${one_file}" ; then
+			if ! rpm -q "$(basename "${one_file%.rpm}")" >/dev/null ; then
+				rm -f "${one_file}"
+			fi
+		else
+			rm -f "${one_file}"
+		fi
+	done
 }
 
 init ()
@@ -154,11 +196,6 @@ init ()
 	UMASK=022
 	umask ${UMASK}
 
-	# fall back to current kernel if user didn't provide one
-	if [[ ! "${kernels}" ]] ; then
-		kernels="$(uname -r)"
-	fi
-
 	# we get the echo_{success,failure} stuff from there
 	if [[ -r /etc/rc.d/init.d/functions ]] ; then
 		source /etc/rc.d/init.d/functions
@@ -211,17 +248,75 @@ init ()
 
 	# tools needed
 	for tool in akmodsbuild chown flock sed rpmdev-vercmp ; do
-		if ! which "${tool}" &> /dev/null ; then
+		if ! command -v "${tool}" &> /dev/null ; then
 			echo -n "${tool} not found" >&2
 			echo_failure ; echo ; exit 1
 		fi
 	done
 
 	# create lockfile and wait till we get it
-	exec 99>/var/lock/subsys/akmods
+	exec 99>/run/akmods/akmods.lock
 	flock -w 900 99
 }
 
+
+check_kernel_devel()
+{
+	if [[ ! -r /usr/src/kernels/"${1}"/Makefile ]] && \
+		 [[ ! -r /lib/modules/"${1}"/build/Makefile ]] ; then
+		echo "Could not find files needed to compile modules for ${1}"
+		echo "Are the development files for kernel ${1} or the appropriate kernel-devel package installed?"
+		return 1
+	elif [[ -r /usr/src/kernels/"${1}"/Makefile ]] && \
+		 [[ ! -d /lib/modules/"${1}" ]] ; then
+		# this is a red hat / fedora kernel-devel package, but the kernel for it is not installed
+		# kmodtool would add a dep on that kernel when building; thus when we'd try to install the
+		# rpms we'd run into a missing-dep problem. Thus we prevent that case
+		echo "Kernel ${1} not installed"
+		return 1
+	fi
+	return 0
+}
+
+check_default_kernel()
+{
+	# Ensure to build for grub or systemd-boot default kernel
+	#
+	# IMPORTANT: "bootctl is-installed" check that systemd-boot is installed only.
+	# It doesn't check if systemd-boot is the default loader.
+	# So we assume grubby results if available
+	if command -v grubby >/dev/null 2>&1 ; then
+		default_kernel=$(grubby --default-kernel | sed -e 's/^.*vmlinuz-//')
+	elif bootctl is-installed >/dev/null 2>&1 ; then
+		# Leave jq as optional - isDefault requires systemd 253
+		if command -v jq >/dev/null ; then
+			default_kernel="$(bootctl list  --json=short | jq -r '.[] | select(.isDefault).version')"
+			# Validate the result or discard - rhbz#2270414
+			if [[ ! -f /boot/vmlinuz-"${default_kernel}" ]] ; then
+				default_kernel=""
+			fi
+		fi
+	else # They use neither systemd-boot nor grub2
+		echo -n "Unable to figure out the default kernel" >&2
+		echo_warning ; echo
+		default_kernel=""
+	fi
+
+	local _kernels
+	if [[ "${default_kernel}" == "$(uname -r)" ]] ; then
+		_kernels="${default_kernel}"
+	else
+		_kernels="${default_kernel} $(uname -r)"
+	fi
+
+	for _kernel in ${_kernels} ; do
+		if check_kernel_devel "${_kernel}" ; then
+			kernels="${kernels} ${_kernel}"
+		fi
+	done
+
+}
+
 buildinstall_kmod()
 {
 	local this_kernelver=${1}
@@ -267,22 +362,25 @@ buildinstall_kmod()
 	unset TMPDIR
 
 	# build module using akmod
-	akmods_echo 1 4 "Building RPM using the command '$(which akmodsbuild) --kernels ${this_kernelver} ${this_kmodsrpm}'"
-	/sbin/runuser -s /bin/bash -c "$(which akmodsbuild) --quiet --kernels ${this_kernelver} --outputdir ${tmpdir}results --logfile ${tmpdir}/akmodsbuild.log ${this_kmodsrpm}" akmods >> "${kmodlogfile}" 2>&1
+	akmods_echo_plymouth 1 "akmod: Building ${this_kmodsrpm}..."
+	akmods_echo 1 4 "Building RPM using the command '/usr/sbin/akmodsbuild --kernels ${this_kernelver} ${this_kmodsrpm}'"
+	/sbin/runuser -s /bin/bash -c "/usr/sbin/akmodsbuild --quiet --kernels ${this_kernelver} --outputdir ${tmpdir}results --logfile ${tmpdir}/akmodsbuild.log ${this_kmodsrpm}" akmods >> "${kmodlogfile}" 2>&1
 	local returncode=$?
 
 	# copy rpmbuild log to kmod specific logfile
 	if [[ -s "${tmpdir}"/akmodsbuild.log ]] ; then
-		while read line ; do
-			echo "$(date +%Y/%m/%d\ %H:%M:%S) akmodsbuild: ${line}" >> "${kmodlogfile}"
-		done < "${tmpdir}"/akmodsbuild.log
+		sed -e "s|^|$(date +%Y/%m/%d\ %H:%M:%S) akmodsbuild: |" "${tmpdir}"/akmodsbuild.log >> "${kmodlogfile}"
 	fi
 
 	# result
-	if (( ! ${returncode} == 0 )) ; then
-		if [[ "${continue_line}" ]] ; then
+	if (( returncode != 0 )) ; then
+		if [[ -n "${continue_line}" ]] ; then
 			akmods_echo 1 2 --failure
 		fi
+
+		akmods_echo_plymouth 0 ""
+		akmods_echo_plymouth 1 "akmod: Building ${this_kmodsrpm} failed!"
+		sleep 5
 		akmods_echo 2 1 "Building rpms failed; see /var/cache/akmods/${this_kmodname}/${this_kmodverrel}-for-${this_kernelver}.failed.log for details"
 		cp -fl "${kmodlogfile}" "/var/cache/akmods/${this_kmodname}/${this_kmodverrel}-for-${this_kernelver}.failed.log"
 		kmodlogfile=""
@@ -291,13 +389,18 @@ buildinstall_kmod()
 	fi
 
 	# dnf/yum install - repository disabled on purpose see rfbz#3350
+
+	akmods_echo_plymouth 0 ""
+	akmods_echo_plymouth 1 "akmod: Installing ${this_kmodsrpm}..."
 	akmods_echo 1 4 "Installing newly built rpms"
+	local -a rpm_paths
+	mapfile -t rpm_paths < <(find "${tmpdir}results" -type f -name '*.rpm' | grep -v debuginfo)
 	if [[ -f /usr/bin/dnf ]] ; then
 		akmods_echo 1 4 "DNF detected"
-		dnf -y install --disablerepo='*' $(find "${tmpdir}results" -type f -name '*.rpm' | grep -v debuginfo) >> "${kmodlogfile}" 2>&1
+		dnf -y "${pkg_install:-install}" --nogpgcheck --disablerepo='*' "${rpm_paths[@]}" >> "${kmodlogfile}" 2>&1
 	else
 		akmods_echo 1 4 "DNF not found, using YUM instead."
-		yum -y install --disablerepo='*' $(find "${tmpdir}results" -type f -name '*.rpm' | grep -v debuginfo) >> "${kmodlogfile}" 2>&1
+		yum -y "${pkg_install:-install}" --nogpgcheck --disablerepo='*' "${rpm_paths[@]}" >> "${kmodlogfile}" 2>&1
 	fi
 	local returncode=$?
 
@@ -305,10 +408,14 @@ buildinstall_kmod()
 	cp "${tmpdir}results/"* "/var/cache/akmods/${this_kmodname}/"
 
 	# everything fine?
-	if (( ${returncode} != 0 )) ; then
-		if [[ "${continue_line}" ]] ; then
+	if (( returncode != 0 )) ; then
+		if [[ -n "${continue_line}" ]] ; then
 			akmods_echo 1 2 --failure
 		fi
+
+		akmods_echo_plymouth 0 ""
+		akmods_echo_plymouth 1 "akmod: Installing ${this_kmodsrpm} failed!"
+		sleep 5
 		akmods_echo 2 1 "Could not install newly built RPMs. You can find them and the logfile in:"
 		akmods_echo 2 1 "/var/cache/akmods/${this_kmodname}/${this_kmodverrel}-for-${this_kernelver}.failed.log"
 		cp -fl "${kmodlogfile}" "/var/cache/akmods/${this_kmodname}/${this_kmodverrel}-for-${this_kernelver}.failed.log"
@@ -323,6 +430,8 @@ buildinstall_kmod()
 	kmodlogfile=""
 	remove_tmpdir
 
+	akmods_echo_plymouth 0 ""
+
 	return 0
 }
 
@@ -331,22 +440,47 @@ check_kmod_up2date()
 	local this_kernelver=${1}
 	local this_kmodname=${2}
 
-	# kmod present?
-	if [[ ! -d /lib/modules/${this_kernelver}/extra/${this_kmodname}/ ]] ; then
+	# with --rebuild we should always build
+	if [[ -n "${rebuild}" ]]; then
+		return 1
+	fi
+
+	local kmodpackage_file
+	kmodpackage_file="$(modinfo "${this_kmodname}" -k "${this_kernelver}" -n 2>/dev/null)"
+
+	# kmod present, even with weak-modules?
+	if [[ ! -n "${kmodpackage_file}" ]] && [[ ! -d /lib/modules/${this_kernelver}/extra/${this_kmodname}/ ]] ; then
+		# build it
+		return 1
+	fi
+
+	# special case where part of the kmod is mainlined using $this_kmodname
+	# making $kmodpackage_file non zero when the kmod is not install yet
+	if [[ "${kmodpackage_file}" == "/lib/modules/${this_kernelver}/"* ]] && \
+	   [[ ! -d /lib/modules/${this_kernelver}/extra/${this_kmodname}/ ]] ; then
 		# build it
 		return 1
 	fi
 
 	# kmod up2date?
-	local kmodpackage="$(rpm -qf /lib/modules/${this_kernelver}/extra/${this_kmodname}/ 2> /dev/null)"
-	if [[ ! "${kmodpackage}" ]] ; then
+	local kmodpackage
+	# Weak module symlink case
+	if [ -n "${kmodpackage_file}" ] && [ -h "${kmodpackage_file}" ] && echo "${kmodpackage_file}" | grep -q "weak-updates" ; then
+		kmodpackage="$(rpm -qf "$(readlink -e "${kmodpackage_file}")" 2> /dev/null)"
+	# Regular module file case
+	else
+		kmodpackage="$(rpm -qf "/lib/modules/${this_kernelver}/extra/${this_kmodname}/" 2> /dev/null)"
+	fi
+	if [[ ! -n "${kmodpackage}" ]] ; then
 		# seems we didn't get what we wanted
 		# well, better to do nothing in this case
 		akmods_echo 1 2 -n "Warning: Could not determine what package owns /lib/modules/${this_kernelver}/extra/${this_kmodname}/"
 		return 0
 	fi
-	local kmodver=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "${kmodpackage}" | sed 's|(none)|0|; s!\.\(fc\|lvn\)[0-9]*!!g')
-	local akmodver=$(rpm -qp --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' /usr/src/akmods/"${this_kmodname}"-kmod.latest | sed 's|(none)|0|; s!\.\(fc\|lvn\)[0-9]*!!g')
+	local kmodver
+	kmodver=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "${kmodpackage}" | sed 's|(none)|0|; s!\.\(fc\|el\|lvn\)[0-9]*!!g')
+	local akmodver
+	akmodver=$(rpm -qp --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' /usr/src/akmods/"${this_kmodname}"-kmod.latest | sed 's|(none)|0|; s!\.\(fc\|el\|lvn\)[0-9]*!!g')
 
 	rpmdev-vercmp "${kmodver}" "${akmodver}" &>/dev/null
 	local retvalue=$?
@@ -373,10 +507,11 @@ check_kmods()
 
 	akmods_echo 1 2 -n "Checking kmods exist for ${this_kernelver}"
 	for akmods_kmodfile in /usr/src/akmods/*-kmod.latest ; do
-		local this_kmodname="$(basename ${akmods_kmodfile%%-kmod.latest})"
+		local this_kmodname
+		this_kmodname="$(basename "${akmods_kmodfile%%-kmod.latest}")"
 
 		# actually check this akmod?
-		if [[ "${akmods}" ]] ; then
+		if [[ -n "${akmods}" ]] ; then
 			for akmod in ${akmods} ; do
 				if [[ "${this_kmodname}" != "${akmod}" ]] ; then
 					# ignore this one
@@ -386,9 +521,9 @@ check_kmods()
 		fi
 
 		# go
-		if ! check_kmod_up2date ${this_kernelver} ${this_kmodname} ; then
+		if ! check_kmod_up2date "${this_kernelver}" "${this_kmodname}" ; then
 			# okay, kmod wasn't found or is not up2date
-			if [[ "${continue_line}" ]] ; then
+			if [[ -n "${continue_line}" ]] ; then
 				akmods_echo 1 2 --success
 				# if the files for building modules are not available don't even try to build modules
 				if [[ ! -r /usr/src/kernels/"${this_kernelver}"/Makefile ]] && \
@@ -404,14 +539,15 @@ check_kmods()
 				fi
 			fi
 
-			local this_kmodverrel="$(rpm -qp --qf '%{VERSION}-%{RELEASE}' "${akmods_kmodfile}" | sed 's!\.\(fc\|lvn\)[0-9]*!!g' )"
-			if [[ ! "${alwaystry}" ]] && [[ -e "/var/cache/akmods/${this_kmodname}/${this_kmodverrel}-for-${this_kernelver}".failed.log ]] ; then
+			local this_kmodverrel
+			this_kmodverrel="$(rpm -qp --qf '%{VERSION}-%{RELEASE}' "${akmods_kmodfile}" | sed 's!\.\(fc\|el\|lvn\)[0-9]*!!g' )"
+			if [[ ! -n "${alwaystry}" ]] && [[ -e "/var/cache/akmods/${this_kmodname}/${this_kmodverrel}-for-${this_kernelver}".failed.log ]] ; then
 				akmods_echo 1 2 -n "Ignoring ${this_kmodname}-kmod as it failed earlier"
 				akmods_echo 1 2 --warning
 				local someignored="true"
 			else
 				akmods_echo 1 2 -n "Building and installing ${this_kmodname}-kmod"
-			 	buildinstall_kmod ${this_kernelver} ${this_kmodname} ${akmods_kmodfile} ${this_kmodverrel}
+				buildinstall_kmod "${this_kernelver}" "${this_kmodname}" "${akmods_kmodfile}" "${this_kmodverrel}"
 				local returncode=$?
 				if [[ "$returncode" == "0" ]] ; then
 					akmods_echo 1 2 --success
@@ -425,9 +561,9 @@ check_kmods()
 		fi
 	done
 
-	if [[ "${continue_line}" ]] ; then
+	if [[ -n "${continue_line}" ]] ; then
 		akmods_echo 1 2 --success
-	elif [[ "${someignored}" ]] || [[ "${somefailed}" ]] ; then
+	elif [[ -n "${someignored}" ]] || [[ -n "${somefailed}" ]] ; then
 		echo
 		akmods_echo 1 2 "Hint: Some kmods were ignored or failed to build or install."
 		akmods_echo 1 2 "You can try to rebuild and install them by by calling"
@@ -438,7 +574,7 @@ check_kmods()
 
 	# akmods for newly installed akmod rpms as wells as akmods.service run
 	# after udev and systemd-modules-load.service have tried to load modules
-	if [[ "${somesucceeded}" ]] && [[ ${this_kernelver} = "$(uname -r)" ]] ; then
+	if [[ -n "${somesucceeded}" ]] && [[ "${this_kernelver}" == "$(uname -r)" ]] ; then
 		find /sys/devices -name modalias -print0 | xargs -0 cat | xargs modprobe -a -b -q
 		if [ -f /usr/bin/systemctl ] ; then
 			systemctl restart systemd-modules-load.service
@@ -454,6 +590,7 @@ myprog_help ()
 	echo " --force             -- try all, even if they failed earlier"
 	echo " --kernels <kernel>  -- build and install only for kernel <kernel>"
 	echo "                        (formatted the same as 'uname -r' would produce)"
+	echo " --rebuild           -- rebuild all, even if they are up to date"
 	echo " --akmod <akmod>     -- build and install only akmod <akmod>"
 }
 
@@ -463,31 +600,29 @@ while [ "${1}" ] ; do
 	case "${1}" in
 		--kernel|--kernels)
 			shift
-			if [[ ! "${1}" ]] ; then
+			if [[ ! -n "${1}" ]] ; then
 				echo "ERROR: Please provide the kernel-version to build for together with --kernel" >&2
 				exit 1
-			elif [[ ! -r /usr/src/kernels/"${1}"/Makefile ]] && \
-				 [[ ! -r /lib/modules/"${1}"/build/Makefile ]] ; then
-				echo "Could not find files needed to compile modules for ${1}"
-				echo "Are the development files for kernel ${1} or the appropriate kernel-devel package installed?"
-				exit 1
-			elif [[ -r /usr/src/kernels/"${1}"/Makefile ]] && \
-				 [[ ! -d /lib/modules/"${1}" ]] ; then
-				# this is a red hat / fedora kernel-devel package, but the kernel for it is not installed
-				# kmodtool would add a dep on that kernel when building; thus when we'd try to install the
-				# rpms we'd run into a missing-dep problem. Thus we prevent that case
-				echo "Kernel ${1} not installed"
+			fi
+
+			if ! check_kernel_devel "${1}" ; then
+				echo "ERROR: kernel or kernel-devel required for ${1}" >&2
 				exit 1
 			fi
+
 			# overwrites the default:
-			kernels="${kernels}${1}"
+			if [[ ! -n "${kernels}" ]] ; then
+				kernels="${1}"
+			else
+				kernels="${kernels} ${1}"
+			fi
 			# an try to build, even if we tried already
 			alwaystry=true
 			shift
 			;;
 		--akmod|--kmod)
 			shift
-			if [[ ! "${1}" ]] ; then
+			if [[ ! -n "${1}" ]] ; then
 				echo "ERROR: Please provide a name of a akmod package together with --akmods" >&2
 				exit 1
 			elif [[ -r /usr/src/akmods/"${1}"-kmod.latest ]] ; then
@@ -507,18 +642,28 @@ while [ "${1}" ] ; do
 		--from-init)
 			# just in case: remove stale lockfile if it exists:
 			rm -f /var/cache/akmods/.lockfile
+			# Clean old logs and rpm files from no more installed kmod
+			# packages.
+			cleanup_cachedir
+			# akmods --from-init only operates on current kernel
+			kernels="$(uname -r)"
 			shift
 			;;
 		--from-posttrans|--from-kernel-posttrans|--from-akmod-posttrans)
 			# ignored
 			shift
 			;;
+		--rebuild)
+			rebuild=true
+			pkg_install=reinstall
+			shift
+			;;
 		--verbose)
-			let verboselevel++
+			(( verboselevel++ ))
 			shift
 			;;
 		--quiet)
-			let verboselevel--
+			(( verboselevel-- ))
 			shift
 			;;
 		--help)
@@ -537,12 +682,18 @@ while [ "${1}" ] ; do
 	esac
 done
 
+check_plymouth
 # sanity checks
 init
 
+# only check for default_kernel if no value have been parsed
+if  [ -z "${kernels}" ] ; then
+	check_default_kernel
+fi
+
 # go
 for kernel in ${kernels} ; do
-	check_kmods ${kernel}
+	check_kmods "${kernel}"
 done
 
 # finished :)

akmods-keygen.target

@@ -0,0 +1,3 @@
+[Unit]
+Wants=akmods-keygen@.service
+PartOf=akmods.service

akmods-keygen@.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Akmods Secure boot MOK Key Generation
+ConditionFileNotEmpty=|!/etc/pki/akmods/certs/public_key.der
+ConditionFileNotEmpty=|!/etc/pki/akmods/private/private_key.priv
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/kmodgenca -a
+
+[Install]
+WantedBy=akmods-keygen.target

akmods-kmodgenca

@@ -0,0 +1,588 @@
+#!/bin/bash
+
+# NAME: 'kmodgenca'
+# PURPOSE: Helper script to create CA/key pair to sign modules.
+# Copyright (c) 2017 Stanislas Leduc <stanislas.leduc@balinor.net>
+# Copyright (c) 2018-2019 Nicolas Viéville <nicolas.vieville@uphf.fr>
+# Copyright (c) 2024 Rohan Barar <rohan.barar@gmail.com>
+
+################################################################################
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+################################################################################
+
+# EXIT STATUS CODES AND DESCRIPTIONS
+# 0 - SUCCESS
+# 1 - INSUFFICIENT PRIVILEGES
+# 2 - INVALID COMMAND LINE ARGUMENT
+# 3 - BROKEN SYMLINKS TO DEFAULT KEY PAIR
+# 4 - MISSING CACERT CONFIGURATION TEMPLATE
+# 5 - FAILED TO READ CA CERTIFICATE CONFIGURATION TEMPLATE
+# 6 - FAILED TO WRITE CA CERTIFICATE CONFIGURATION FILE
+# 7 - UNSUCCESSFUL OPENSSL KEY PAIR CREATION COMMAND
+# 8 - FAILED TO CREATE KEY PAIR FILES
+
+# ENFORCE STRICT ERROR HANDLING
+# - Exit script on error.
+# - Ensure pipelines fail on the first error.
+set -eo pipefail
+
+# DECLARE CONSTANTS
+# Script Information
+readonly SCRIPT_NAME="kmodgenca"
+readonly SCRIPT_VERSION="0.6.0"
+
+# Directories
+readonly AKMODS_DIR="/etc/pki/akmods"
+readonly PRIVATE_KEY_DIR="${AKMODS_DIR}/private"
+readonly PUBLIC_KEY_DIR="${AKMODS_DIR}/certs"
+
+# Paths
+readonly PRIVATE_KEY_PATH="${PRIVATE_KEY_DIR}/private_key.priv"
+readonly PUBLIC_KEY_PATH="${PUBLIC_KEY_DIR}/public_key.der"
+readonly CACERT_CONFIG_PATH="${AKMODS_DIR}/cacert.config"
+readonly RESTORECON_PATH="/usr/sbin/restorecon"
+
+# ANSI
+readonly BOLD_RED_TEXT="\e[1;31m"
+readonly BOLD_YELLOW_TEXT="\e[1;33m"
+readonly BOLD_GREEN_TEXT="\033[1;32m"
+readonly BOLD_BLUE_TEXT="\e[1;34m"
+readonly BOLD_GREY_TEXT="\e[1;37m"
+readonly CLEAR_TEXT="\e[0m"
+
+# DECLARE VARIABLES
+# Command Line Argument Flags
+FORCE_BUILD=0
+AUTOMATIC_BUILD=0
+SHOW_HELP=0
+SHOW_VER=0
+BAD_ARGS=0
+
+# Unique New Key Pair Name (Hostname + UNIX/POSIX Timestamp + Dashless UUID)
+cert_hostname="${HOSTNAME}"
+KEYNAME="${cert_hostname:0:44}_$(date +%s)_$(uuidgen | awk -F '-' '{print $1}')"
+
+# Other
+AUTOMATIC_BUILD_OPTION=""
+
+# FUNCTIONS
+function help() {
+    echo -e "${BOLD_GREY_TEXT}KMODGENCA HELP${CLEAR_TEXT}"
+    echo "Creates a Certificate Authority (CA) and key pair for module signing."
+    echo "Private keys are created in:               '${PRIVATE_KEY_DIR}'."
+    echo "Public keys (certificates) are created in: '${PUBLIC_KEY_DIR}'."
+    echo -e "\nUsage: ${SCRIPT_NAME} [OPTIONS]"
+    echo -e "\nOptions:"
+    echo "  -a, --auto           Utilise default values for 'cacert.config'."
+    echo "  -f, --force          Create CA/key pair even if one already exists."
+    echo "  -h, --help           Display this help message."
+    echo "  -V, --version        Display script version information."
+    echo ""
+}
+
+function check_root() {
+    # Notify user.
+    echo -e "${BOLD_BLUE_TEXT}INFO:${CLEAR_TEXT} CHECKING FOR ELEVATED PRIVILEGES..."
+
+    if [ "$EUID" -ne 0 ]; then
+        echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} INSUFFICIENT PRIVILEGES!" >&2
+        echo "Please run the command using 'sudo' or as root." >&2
+        echo "Quitting." >&2
+        exit 1
+    fi
+}
+
+function parse_arguments() {
+    if [ $# -gt 0 ]; then
+        while [ "$1" ] ; do
+            case "$1" in
+            -a|--auto)
+                AUTOMATIC_BUILD=1
+                shift
+                ;;
+            -f|--force)
+                FORCE_BUILD=1
+                shift
+                ;;
+            -h|--help)
+                SHOW_HELP=1
+                shift
+                ;;
+            -V|--version)
+                SHOW_VER=1
+                shift
+                ;;
+            -*)
+                # Handle combined single-letter options.
+                for (( i=1; i<${#1}; i++ )); do
+                    case "${1:$i:1}" in
+                    a)
+                        AUTOMATIC_BUILD=1
+                        ;;
+                    f)
+                        FORCE_BUILD=1
+                        ;;
+                    h)
+                        SHOW_HELP=1
+                        ;;
+                    V)
+                        SHOW_VER=1
+                        ;;
+                    *)
+                        echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} INVALID OPTION '${1:$i:1}' in '${1}'." >&2
+                        BAD_ARGS=1
+                        ;;
+                    esac
+                done
+                shift
+                ;;
+            *)
+                echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} INVALID OPTION '${1}'." >&2
+                BAD_ARGS=1
+                shift
+                ;;
+            esac
+        done
+    fi
+
+    # Display help message and then exit in the event of invalid argument(s).
+    if [[ "$BAD_ARGS" -eq 1 ]]; then
+        echo "" >&2
+        help >&2
+        echo "Quitting." >&2
+        exit 2
+    fi
+
+    # Display script help information if requested.
+    if [[ "$SHOW_HELP" -eq 1 ]]; then
+        help
+    fi
+
+    # Display script version information if requested.
+    if [[ "$SHOW_VER" -eq 1 ]]; then
+        echo "${SCRIPT_NAME} v${SCRIPT_VERSION}"
+    fi
+
+    # Exit script if version and/or help information requested.
+    if [ "$SHOW_VER" -eq 1 ] || [ "$SHOW_HELP" -eq 1 ]; then
+        if [ "$AUTOMATIC_BUILD" -eq 1 ]; then
+            echo -e "${BOLD_YELLOW_TEXT}WARNING:${CLEAR_TEXT} IGNORING '-a' (--auto)." >&2
+        fi
+        if [ "$FORCE_BUILD" -eq 1 ]; then
+            echo -e "${BOLD_YELLOW_TEXT}WARNING:${CLEAR_TEXT} IGNORING '-f' (--force)." >&2
+        fi
+        exit 0
+    fi
+
+    # Warn user regarding forced builds.
+    if [[ "$FORCE_BUILD" -eq 1 ]]; then
+        echo -e "${BOLD_YELLOW_TEXT}WARNING:${CLEAR_TEXT} FORCED BUILD SELECTED. KEY PAIR OVERWRITE MAY OCCUR!" >&2
+    fi
+
+    # Warn user regarding automatic builds.
+    if [[ "$AUTOMATIC_BUILD" -eq 1 ]]; then
+        echo -e "${BOLD_YELLOW_TEXT}WARNING:${CLEAR_TEXT} AUTOMATIC BUILD SELECTED. USING DEFAULT VALUES FOR CA/KEY PAIR CREATION." >&2
+    fi
+}
+
+function check_broken_key_pair() {
+    # Check for broken non-selected key pairs.
+    local unmatched_public_key_paths=()
+    local unmatched_private_key_paths=()
+
+    # Store paths of public and private keys.
+    local public_key_paths=()
+    local private_key_paths=()
+    # Note: Requires superuser permissions (i.e., sudo).
+    mapfile -t public_key_paths < <(find "$PUBLIC_KEY_DIR" -maxdepth 1 -name "*.der")
+    mapfile -t private_key_paths < <(find "$PRIVATE_KEY_DIR" -maxdepth 1 -name "*.priv")
+
+    # Find public/private keys without corresponding private/public keys.
+    local key_file_path
+    for key_file_path in "${public_key_paths[@]}"; do
+        # Skip symlink.
+        if [[ "$key_file_path" == "$PUBLIC_KEY_PATH" ]]; then
+            continue
+        fi
+
+        # Remove file extension.
+        local public_key_name
+        public_key_name="$(basename "$key_file_path")"
+        public_key_name="${public_key_name%.*}"
+
+        # Check if the corresponding private key exists.
+        local found=0
+        for private_key_path in "${private_key_paths[@]}"; do
+            if [[ "$private_key_path" == "${PRIVATE_KEY_DIR}/${public_key_name}.priv" ]]; then
+                found=1
+                break
+            fi
+        done
+
+        # Store public key file name (with extension) if unpaired.
+        if [[ "$found" -eq 0 ]]; then
+            unmatched_public_key_paths+=("$key_file_path")
+        fi
+    done
+
+    for key_file_path in "${private_key_paths[@]}"; do
+        # Skip symlink.
+        if [[ "$key_file_path" == "$PRIVATE_KEY_PATH" ]]; then
+            continue
+        fi
+
+        # Remove file extension.
+        local private_key_name
+        private_key_name="$(basename "$key_file_path")"
+        private_key_name="${private_key_name%.*}"
+
+        # Check if the corresponding public key exists.
+        local found=0
+        for public_key_path in "${public_key_paths[@]}"; do
+            if [[ "$public_key_path" == "${PUBLIC_KEY_DIR}/${private_key_name}.der" ]]; then
+                found=1
+                break
+            fi
+        done
+
+        # Store private key file name (with extension) if unpaired.
+        if [[ "$found" -eq 0 ]]; then
+            unmatched_private_key_paths+=("$key_file_path")
+        fi
+    done
+
+    # Check if isolated keys were detected.
+    if [[ ${#unmatched_private_key_paths[@]} -gt 0 || ${#unmatched_public_key_paths[@]} -gt 0 ]]; then
+        echo -e "${BOLD_YELLOW_TEXT}WARNING:${CLEAR_TEXT} SOME KEY PAIRS ARE BROKEN!" >&2
+
+        # Notify user regarding isolated public keys.
+        if [[ ${#unmatched_public_key_paths[@]} -gt 0 ]]; then
+            echo "Isolated Public Keys:" >&2
+            local isolated_pub_key_path
+            for isolated_pub_key_path in "${unmatched_public_key_paths[@]}"; do
+                echo "    ${isolated_pub_key_path}" >&2
+            done
+            echo "" >&2
+        fi
+
+        # Notify user regarding isolated private keys.
+        if [[ ${#unmatched_private_key_paths[@]} -gt 0 ]]; then
+            echo "Isolated Private Keys:" >&2
+            local isolated_pri_key_path
+            for isolated_pri_key_path in "${unmatched_private_key_paths[@]}"; do
+                echo "    ${isolated_pri_key_path}" >&2
+            done
+            echo "" >&2
+        fi
+    fi
+
+    # Terminate the script when:
+    #   1. A certificate (public key) OR private key exists (but not both), AND
+    #   2. A forced rebuild was not requested (i.e., 'FORCE_BUILD' is NOT '1')
+
+    # Check for broken symlinks to the currently selected pair of keys.
+    # Note: Requires superuser permissions (i.e. sudo).
+    # shellcheck disable=SC2155
+    local pub_key_exists=$(readlink -e "$PUBLIC_KEY_PATH" &>/dev/null && echo 1 || echo 0)
+
+    # Note: Requires superuser permissions (i.e. sudo).
+    # shellcheck disable=SC2155
+    local pri_key_exists=$(readlink -e "$PRIVATE_KEY_PATH" &>/dev/null && echo 1 || echo 0)
+
+    if [[ "$pub_key_exists" -ne "$pri_key_exists" && "$FORCE_BUILD" -eq 0 ]]; then
+        # Notify user.
+        echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} BROKEN SYMLINK(S) TO THE DEFAULT KEY PAIR!" >&2
+        echo "Valid symlinks to a public and private key must exist." >&2
+        echo "" >&2
+
+        # Dynamic status output with colours.
+        echo -e "${PUBLIC_KEY_PATH}: $( [[ $pub_key_exists -eq 1 ]] && echo -e "${BOLD_GREEN_TEXT}WORKING${CLEAR_TEXT}" || echo -e "${BOLD_RED_TEXT}BROKEN${CLEAR_TEXT}" )" >&2
+        echo -e "${PRIVATE_KEY_PATH}: $( [[ $pri_key_exists -eq 1 ]] && echo -e "${BOLD_GREEN_TEXT}WORKING${CLEAR_TEXT}" || echo -e "${BOLD_RED_TEXT}BROKEN${CLEAR_TEXT}" )" >&2
+        echo "" >&2
+        echo "Quitting." >&2
+
+        # Exit script.
+        exit 3
+    fi
+}
+
+function check_existing_key_pair() {
+    # Notify user.
+    echo -e "${BOLD_BLUE_TEXT}INFO:${CLEAR_TEXT} CHECKING FOR AN EXISTING KEY PAIR..."
+
+    # Terminate the script when:
+    #   1. Both a certificate (public key) and private key already exist, AND
+    #   2. A forced rebuild was not requested (i.e., 'FORCE_BUILD' is NOT '1')
+
+    # Note: This approach will return '1' in the event of a broken symlink.
+    # Note: Requires superuser permissions (i.e. sudo).
+    if readlink -e "$PUBLIC_KEY_PATH" &>/dev/null && \
+       readlink -e "$PRIVATE_KEY_PATH" &>/dev/null && \
+       [ "$FORCE_BUILD" -eq 0 ]; then
+
+        # Notify user.
+        echo -e "${BOLD_YELLOW_TEXT}WARNING:${CLEAR_TEXT} EXISTING KEY PAIR." >&2
+        echo "Please specify argument '--force' to overwrite the existing key pair." >&2
+        echo "Quitting." >&2
+
+        # Exit script.
+        exit 0
+    fi
+}
+
+function set_key_pair_name() {
+    if [ "$AUTOMATIC_BUILD" -eq 0 ]; then
+        while true; do
+            local key_pair_file_name=""
+            local valid_name=1
+
+            # Request key pair name from user.
+            # shellcheck disable=SC2162
+            read -p "Key Pair Name: " key_pair_file_name
+
+            # Check for empty string.
+            if [[ -z $(echo "$key_pair_file_name" | xargs) ]]; then
+                valid_name=0
+                echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} NAME MUST NOT BE EMPTY.\n" >&2
+            fi
+
+            # Ensure name is not '.' or '..'.
+            if [[ $(echo "$key_pair_file_name" | xargs) == "." ]] || [[ $(echo "$key_pair_file_name" | xargs) == ".." ]]; then
+                valid_name=0
+                echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} NAME MUST NOT BE '.' OR '..'.\n" >&2
+            fi
+
+            # Ensure name is not longer than 255 characters.
+            if [ "$(echo "$key_pair_file_name" | xargs | awk '{print length}')" -gt 255 ]; then
+                valid_name=0
+                echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} NAME MUST NOT BE LONGER THAN 255 CHARACTERS.\n" >&2
+            fi
+
+            # Ensure name only contains valid characters.
+            # - Letters (A-Z) (a-z)
+            # - Numbers (0-9)
+            # - Special
+            #   - Period ('.')
+            #   - Underscore ('_')
+            #   - Hyphen ('-')
+            if ! [[ $(echo "$key_pair_file_name" | xargs) =~ ^[0-9a-zA-Z._-]+$ ]]; then
+                # Avoid triggering on an empty string.
+                if [[ -n $(echo "$key_pair_file_name" | xargs) ]]; then
+                    valid_name=0
+
+                    # Inform user of illegal characters within provided name.
+                    local illegal_chars
+                    illegal_chars=$(echo "$key_pair_file_name" | awk -F '' '{for(i=1;i<=NF;i++) if ($i !~ /^[0-9a-zA-Z._-]$/) print $i}' | sort -u | tr -d '\n')
+                    echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} NAME MUST NOT CONTAIN ILLEGAL CHARACTERS." >&2
+                    echo -e "Illegal characters in provided name:" >&2
+                    for (( i=0; i<${#illegal_chars}; i++ )); do
+                        echo "-    '${illegal_chars:i:1}'" >&2
+                    done
+                    echo -e "\nPlease ensure the name only contains letters, numbers, periods, underscores and hyphens.\n" >&2
+                fi
+            fi
+
+            # Ensure key pair with same name does not exist.
+            if [ -f "${PUBLIC_KEY_DIR}/${key_pair_file_name}.der" ] || [ -f "${PRIVATE_KEY_DIR}/${key_pair_file_name}.priv" ]; then
+                valid_name=0
+                echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} EXISTING KEY PAIR WITH SAME NAME.\n" >&2
+            fi
+
+            # Break the loop if a valid name was provided.
+            if [ "$valid_name" -eq 1 ]; then
+                break
+            fi
+        done
+
+        # Update global key pair name variable.
+        KEYNAME="$key_pair_file_name"
+    else
+        # Handle the extremely unlikely occurrence of a key pair name conflict with an existing key pair.
+        while [ -f "${PUBLIC_KEY_DIR}/${KEYNAME}.der" ]; do
+            KEYNAME="${cert_hostname:0:44}_$(date +%s)_$(uuidgen | awk -F '-' '{print $1}')"
+        done
+    fi
+}
+
+function create_cacert_config() {
+    # Notify user.
+    echo -e "${BOLD_BLUE_TEXT}INFO:${CLEAR_TEXT} UPDATING CACERT CONFIGURATION FILE AT '${CACERT_CONFIG_PATH}'..."
+
+    # Check if the cacert configuration template exists.
+    if [[ -f "${CACERT_CONFIG_PATH}.in" ]]; then
+        local sed_output=""
+        local sed_exit_status=0
+
+        if [ "$AUTOMATIC_BUILD" -eq 1 ]; then
+            # Set '-batch' argument.
+            AUTOMATIC_BUILD_OPTION="-batch"
+
+            local cert_country_code=$(locale country_ab2)
+            if [[ -z ${cert_country_code} ]]; then
+                echo -e "${BOLD_YELLOW_TEXT}WARNING:${CLEAR_TEXT} COULD NOT DETECT COUNTRY CODE FROM LOCALE; USING FALLBACK VALUE: US" >&2
+                cert_country_code=US
+            fi
+
+            # Utilise default values if 'AUTOMATIC_BUILD' is equal to '1'.
+            # - Set OpenSSL field values.
+            # - Comment default and min/max values.
+            sed_output=$(sed -e "s#\(0.organizationName *= \).*#\1${cert_hostname}#" \
+                -e "s#\(organizationalUnitName *= \).*#\1${cert_hostname}#" \
+                -e "s#\(emailAddress *= \).*#\1akmods@${cert_hostname}#" \
+                -e "s#\(localityName *= \).*#\1None#" \
+                -e "s#\(stateOrProvinceName *= \).*#\1None#" \
+                -e "s#\(countryName *= \).*#\1${cert_country_code}#" \
+                -e "s#\(commonName *= \).*#\1${KEYNAME}#" \
+                -e "s/^[^#]*_default *= /#&/" \
+                -e "s/^[^#]*_min/#&/" \
+                -e "s/^[^#]*_max/#&/" "${CACERT_CONFIG_PATH}.in")
+            sed_exit_status=$?
+        else
+            # Request user enter values manually if 'AUTOMATIC_BUILD' is equal to '0'.
+            # Request OpenSSL prompt user for values later.
+            sed_output=$(sed -e "s#\(prompt *= \).*#\1yes#" "${CACERT_CONFIG_PATH}.in")
+            sed_exit_status=$?
+        fi
+
+        # Check if 'sed' command failed.
+        if [ "$sed_exit_status" -ne 0 ]; then
+            echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} FAILED TO READ CACERT CONFIGURATION TEMPLATE at '${CACERT_CONFIG_PATH}.in'." >&2
+            echo "Quitting." >&2
+            exit 5
+        else
+            # Note: Requires superuser permissions (i.e. sudo).
+            if ! echo "$sed_output" > "$CACERT_CONFIG_PATH"; then
+                echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} FAILED TO WRITE CACERT CONFIGURATION FILE to '${CACERT_CONFIG_PATH}'." >&2
+                echo "Quitting." >&2
+                exit 6
+            fi
+        fi
+    else
+        echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} MISSING CACERT CONFIGURATION TEMPLATE!" >&2
+        echo "Failed to locate the CAcert configuration template at '${CACERT_CONFIG_PATH}.in'." >&2
+        echo "Quitting." >&2
+        exit 4
+    fi
+}
+
+function create_new_key_pair() {
+    # Notify user.
+    echo -e "${BOLD_BLUE_TEXT}INFO:${CLEAR_TEXT} CREATING NEW KEY PAIR..."
+
+    # Prepare an OpenSSL command to generate the key pair.
+    local key_pair_generation_command=(
+        "openssl req"                                     # Request new certificate
+        "-x509"                                           # X.509 certificate type
+        "-new"                                            # New key pair
+        "-nodes"                                          # No DES
+        "-utf8"                                           # UTF-8 encoding
+        "-sha256"                                         # SHA-256 hash algorithm
+        "-days" "3650"                                    # 10 year cert validity
+        "${AUTOMATIC_BUILD_OPTION}"                       # Empty or "-batch"
+        "-config" "${CACERT_CONFIG_PATH}"                 # Configuration file path
+        "-outform" "DER"                                  # DER output format
+        "-out" "${PUBLIC_KEY_DIR}/${KEYNAME}.der"         # Public key output path
+        "-keyout" "${PRIVATE_KEY_DIR}/${KEYNAME}.priv"    # Private key output path
+    )
+
+    # Execute the key pair generation command within the 'akmods' group context.
+    # Ensure 'rw-rwx---' permissions.
+    # Note: Requires superuser permissions (i.e. sudo).
+    if sg akmods -c "umask 037 && ${key_pair_generation_command[*]}"; then
+        # Check if both a public and a private key file were created.
+        if [[ ! -f "${PUBLIC_KEY_DIR}/${KEYNAME}.der" || ! -f "${PRIVATE_KEY_DIR}/${KEYNAME}.priv" ]]; then
+            echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} KEY PAIR CREATION FAILED!" >&2
+            echo "The OpenSSL key pair generation command ran, but key files were not created." >&2
+            echo "Quitting." >&2
+            exit 8
+        fi
+    else
+        echo -e "${BOLD_RED_TEXT}ERROR:${CLEAR_TEXT} KEY PAIR CREATION FAILED!" >&2
+        echo "The OpenSSL key pair generation command did not complete successfully." >&2
+        echo "Quitting." >&2
+        exit 7
+    fi
+}
+
+function set_key_permissions() {
+    # Notify user.
+    echo -e "${BOLD_BLUE_TEXT}INFO:${CLEAR_TEXT} SETTING KEY PAIR PERMISSIONS..."
+
+    # Ensure that akmods group can read keys.
+    # Note: Requires superuser permissions (i.e. sudo).
+    chmod g+r "${PUBLIC_KEY_DIR}/${KEYNAME}.der"
+    chmod g+r "${PRIVATE_KEY_DIR}/${KEYNAME}.priv"
+
+    # Sanitise permissions.
+    # Note: Requires superuser permissions (i.e. sudo).
+    if [[ -x "$RESTORECON_PATH" ]] ; then
+        $RESTORECON_PATH "${PUBLIC_KEY_DIR}/${KEYNAME}.der"
+        $RESTORECON_PATH "${PRIVATE_KEY_DIR}/${KEYNAME}.priv"
+    fi
+}
+
+function update_key_symlinks() {
+    # Notify user.
+    echo -e "${BOLD_BLUE_TEXT}INFO:${CLEAR_TEXT} UPDATING KEY PAIR SYMLINKS..."
+
+    # Note: Requires superuser permissions (i.e. sudo).
+    ln -nsf "${PUBLIC_KEY_DIR}/${KEYNAME}.der" "$PUBLIC_KEY_PATH"
+    ln -nsf "${PRIVATE_KEY_DIR}/${KEYNAME}.priv" "$PRIVATE_KEY_PATH"
+    chown -h root:akmods "$PUBLIC_KEY_PATH"
+    chown -h root:akmods "$PRIVATE_KEY_PATH"
+}
+
+# SCRIPT MAINLINE
+# Parse any supplied arguments.
+parse_arguments "$@"
+
+# Check for elevated privileges.
+check_root
+
+# Check for broken key pairs.
+check_broken_key_pair
+
+# Check for existing key pair.
+check_existing_key_pair
+
+# Set key pair name.
+set_key_pair_name
+
+# Create 'cacert.config' using template file 'cacert.config.in'.
+create_cacert_config
+
+# Create new key pair.
+create_new_key_pair
+
+# Set permissions and sanitise keys.
+set_key_permissions
+
+# Update symlink to use new key pair.
+update_key_symlinks
+
+# Print completion messages.
+echo -e "\n${BOLD_GREEN_TEXT}SUCCESS!${CLEAR_TEXT}"
+echo "Public Key (Certificate) created at:    ${PUBLIC_KEY_DIR}/${KEYNAME}.der"
+echo "Private Key created at:                 ${PRIVATE_KEY_DIR}/${KEYNAME}.priv"
+echo -e "\nSymlinks:"
+echo "${KEYNAME}.der  -> ${PUBLIC_KEY_PATH}"
+echo "${KEYNAME}.priv -> ${PRIVATE_KEY_PATH}"
+
+# Exit script.
+exit 0

akmods-ostree-post

@@ -43,7 +43,7 @@ finally()
 	# remove tmpfiles
 	remove_tmpdir
 
-	exit ${1:-128}
+	exit "${1:-128}"
 }
 
 # Make sure finally() is run regardless of reason for exiting.
@@ -51,7 +51,7 @@ trap "finally" ABRT HUP INT QUIT
 
 create_tmpdir()
 {
-	if ! tmpdir="$(mktemp -d -p /tmp ${myprog}.XXXXXXXX)/" ; then
+	if ! tmpdir="$(mktemp -d -p /tmp "${myprog}.XXXXXXXX")/" ; then
 		echo "ERROR: failed to create tmpdir." >&2
 		finally 1
 	fi
@@ -64,7 +64,7 @@ create_tmpdir()
 remove_tmpdir()
 {
 	# remove tmpfiles
-	if [[ "${tmpdir}" ]] && [[ -d "${tmpdir}" ]]; then
+	if [[ -n "${tmpdir}" ]] && [[ -d "${tmpdir}" ]]; then
 		rm -rf "${tmpdir}"
 	fi
 }
@@ -79,24 +79,24 @@ for kernel in ${kernels} ; do
 	echo "Building ${srpm} for kernel ${kernel}"
 	# Note: This builds as root, but this is pretty safe because its happening in the ostree %post sandbox.
 	#       In fact, given that /usr is a rofiles-fuse mount no other user can access /usr in this sandbox anyway.
-	akmodsbuild --quiet --kernels ${kernel} --outputdir ${tmpdir}results --logfile "${tmpdir}/akmodsbuild.log" "${srpm}"  2>&1
+	akmodsbuild --quiet --kernels "${kernel}" --outputdir "${tmpdir}results" --logfile "${tmpdir}/akmodsbuild.log" "${srpm}"  2>&1
 	returncode=$?
-	if (( ! ${returncode} == 0 )); then
+	if (( returncode != 0 )); then
 		finally 1
 	fi
 done
 
 for f in $(find "${tmpdir}results" -type f -name '*.rpm' | grep -v debuginfo) ; do
-	rpm2cpio $f | cpio --quiet  -D / -id
+	rpm2cpio "${f}" | cpio --quiet  -D / -id
 	returncode=$?
-	if (( ! ${returncode} == 0 )); then
+	if (( returncode != 0 )); then
 		echo "Extracting $f failed:" 2>&1
 		finally 1
 	fi
 done
 
 for kernel in ${kernels} ; do
-   depmod -v ${kernel} 2>&1
+   depmod -v "${kernel}" 2>&1
 done
 
 finally 0

akmods-shutdown

@@ -23,9 +23,9 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 
-echo "Building modules for all installed kernels."
-for kernel in /usr/src/kernels/* ; do
-	kernel=$(basename $kernel)
-	/usr/sbin/akmods --kernels $kernel
-done
+echo "This akmods-shutdown script is deprecated and will be removed in the future"
+echo "Using akmods instead ..."
 
+sleep 6
+
+/usr/sbin/akmods

akmods-shutdown.service

@@ -7,7 +7,7 @@ Conflicts=shutdown.target
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/bin/true
-ExecStop=-/usr/sbin/akmods-shutdown
+ExecStop=-/usr/sbin/akmods
 TimeoutStopSec=5min
 
 [Install]

akmods-tmpfiles.conf

@@ -0,0 +1,2 @@
+# See tmpfiles.d(5) for details
+d /run/akmods 0770 root akmods -

akmods.h2m

@@ -1,9 +1,9 @@
 [BUGS]
-https://bugzilla.rpmfusion.org/buglist.cgi?product=Fedora&component=akmods&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED
+https://bugz.fedoraproject.org/akmods
 [REPORTING BUGS]
 Submit a bug against the akmods component at:
 .br
-https://bugzilla.rpmfusion.org/enter_bug.cgi?product=Fedora
+https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora
 [AUTHOR]
 Thorsten Leemhuis <fedora [AT] leemhuis [DOT] info>
 [MAINTAINER]

akmods.log

@@ -0,0 +1,8 @@
+/var/log/akmods/akmods.log {
+    monthly
+    rotate 12
+    missingok
+    notifempty
+    create 644 root root
+    su root akmods
+}

akmods.service

@@ -1,7 +1,9 @@
 [Unit]
 Description=Builds and install new kmods from akmod packages
 ConditionPathExists=!/run/ostree-booted
-Before=@SERVICE@
+Before=display-manager.service
+After=akmods-keygen.target
+Wants=akmods-keygen.target
 
 [Service]
 Type=oneshot

akmods.spec

@@ -1,7 +1,7 @@
 Name:           akmods
-Version:        0.5.6
-Release:        24%{?dist}
-Summary:        Automatic kmods build and install tool 
+Version:        0.6.2
+Release:        %autorelease
+Summary:        Automatic kmods build and install tool
 
 License:        MIT
 URL:            http://rpmfusion.org/Packaging/KernelModules/Akmods
@@ -11,9 +11,7 @@ Source0:        95-akmods.preset
 Source1:        akmods
 Source2:        akmodsbuild
 Source3:        akmods.h2m
-Source4:        akmodsinit
-Source5:        akmodsposttrans
-Source6:        akmods.service.in
+Source6:        akmods.service
 Source7:        akmods-shutdown
 Source8:        akmods-shutdown.service
 Source9:        README
@@ -21,69 +19,80 @@ Source10:       LICENSE
 Source11:       akmods@.service
 Source12:       akmods-ostree-post
 Source13:       95-akmodsposttrans.install
+Source14:       akmods.log
+Source15:       README.secureboot
+Source16:       cacert.config.in
+Source17:       akmods-kmodgenca
+Source18:       akmods-keygen.target
+Source19:       akmods-keygen@.service
+Source20:       %{name}-tmpfiles.conf
+Source21:       akmods.sysusers.conf
 
 BuildArch:      noarch
 
 BuildRequires:  help2man
 
+# Needed for older branches el8+, noop on f43+
+%{?sysusers_requires_compat}
+
 # not picked up automatically
-%if 0%{?rhel} == 6
-Requires:       %{_bindir}/nohup
-%endif
 Requires:       %{_bindir}/flock
 Requires:       %{_bindir}/time
 
 # needed for actually building kmods:
 Requires:       %{_bindir}/rpmdev-vercmp
-Requires:       kmodtool >= 1-9
+Requires:       kmodtool >= 1.1-1
+
+# needed to create CA/Keypair to sign modules
+Requires:       openssl
 
 # this should track in all stuff that is normally needed to compile modules:
 Requires:       bzip2 coreutils diffutils file findutils gawk gcc grep
-Requires:       gzip make sed tar unzip util-linux which rpm-build
+Requires:       gzip make sed tar unzip util-linux rpm-build
 
+# On EL, kABI list was renamed
 %if 0%{?rhel}
-Requires:       kernel-abi-whitelists
+Requires:       (kernel-abi-stablelists if kernel-core)
 %endif
-%if 0%{?fedora} || 0%{?rhel} > 7
+
 # We use a virtual provide that would match either
 # kernel-devel or kernel-PAE-devel
 Requires:       kernel-devel-uname-r
-Suggests:       (kernel-debug-devel if kernel-debug)
-Suggests:       (kernel-devel if kernel)
-Suggests:       (kernel-lpae-devel if kernel-lpae)
-Suggests:       (kernel-PAE-devel if kernel-PAE)
-Suggests:       (kernel-PAEdebug-devel if kernel-PAEdebug)
-# Theses are from planetccrma-core or rhel-7-server-rt-rpms
-Suggests:       (kernel-rt-devel if kernel-rt)
-Suggests:       (kernel-rtPAE-devel if kernel-rtPAE)
+# kernel-devel-matched enforces the same kernel version as the -devel
+%if 0%{?fedora} || 0%{?rhel} >= 9
+Requires:       (kernel-debug-devel-matched if kernel-debug-core)
+Requires:       (kernel-devel-matched if kernel-core)
 %else
-# There is no much variant there, so using a sane default
-Requires:       kernel-devel
+Suggests:       (kernel-debug-devel if kernel-debug-core)
+Suggests:       (kernel-devel if kernel-core)
 %endif
+Suggests:       (kernel-rt-devel if kernel-rt)
 
 # we create a special user that used by akmods to build kmod packages
-Requires(pre):  shadow-utils
 
-%if 0%{?fedora} || 0%{?rhel} > 6
 # systemd unit requirements.
 BuildRequires:  systemd
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
 # Optional but good to have on recent kernel
-Requires: elfutils-libelf-devel
-%endif
+Requires: pkgconfig(libelf)
 
+# We need grubby or systemd-boot to know the default kernel
+# On EL7 assumes grubby is there by default - rhbz#2124086
+%if 0%{?fedora} || 0%{?rhel} > 7
+Requires: (grubby or sdubby)
+%endif
 
 %description
 Akmods startup script will rebuild akmod packages during system
-boot while its background daemon will build them for kernels right
+boot, while its background daemon will build them for kernels right
 after they were installed.
 
 
 %prep
 %setup -q -c -T
-cp -p %{SOURCE9} %{SOURCE10} .
+cp -p %{SOURCE9} %{SOURCE10} %{SOURCE15} .
 
 
 %build
@@ -91,32 +100,39 @@ cp -p %{SOURCE9} %{SOURCE10} .
 
 
 %install
-mkdir -p %{buildroot}%{_usrsrc}/akmods \
+mkdir -p %{buildroot}%{_usrsrc}/%{name} \
          %{buildroot}%{_sbindir} \
+         %{buildroot}%{_sysconfdir}/rpm \
+         %{buildroot}%{_sysconfdir}/pki/%{name}/certs \
+         %{buildroot}%{_sysconfdir}/pki/%{name}/private \
          %{buildroot}%{_sysconfdir}/kernel/postinst.d \
-         %{buildroot}%{_localstatedir}/cache/akmods
+         %{buildroot}%{_sysconfdir}/logrotate.d \
+         %{buildroot}%{_localstatedir}/cache/%{name} \
+         %{buildroot}%{_localstatedir}/log/%{name} \
+         %{buildroot}%{_tmpfilesdir}
 
 install -pm 0755 %{SOURCE1} %{buildroot}%{_sbindir}/
 install -pm 0755 %{SOURCE2} %{buildroot}%{_sbindir}/
 install -pm 0755 %{SOURCE12} %{buildroot}%{_sbindir}/
-install -pm 0755 %{SOURCE5} %{buildroot}%{_sysconfdir}/kernel/postinst.d/
+install -pm 0644 %{SOURCE14} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+install -pm 0640 %{SOURCE16} %{buildroot}%{_sysconfdir}/pki/%{name}/
+install -pm 0755 %{SOURCE17} %{buildroot}%{_sbindir}/kmodgenca
+install -pm 0644 %{SOURCE20} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -dpm 0770 %{buildroot}%{_rundir}/%{name}/
 
-%if 0%{?fedora} || 0%{?rhel} > 6
 mkdir -p %{buildroot}%{_prefix}/lib/kernel/install.d
 install -pm 0755 %{SOURCE13} %{buildroot}%{_prefix}/lib/kernel/install.d/
 mkdir -p \
          %{buildroot}%{_unitdir} \
          %{buildroot}%{_presetdir}
-sed "s|@SERVICE@|display-manager.service|" %{SOURCE6} >\
-    %{buildroot}%{_unitdir}/akmods.service
+
 install -pm 0644 %{SOURCE0} %{buildroot}%{_presetdir}/
+install -pm 0644 %{SOURCE6} %{buildroot}%{_unitdir}/
 install -pm 0755 %{SOURCE7} %{buildroot}%{_sbindir}/
 install -pm 0644 %{SOURCE8} %{buildroot}%{_unitdir}/
 install -pm 0644 %{SOURCE11} %{buildroot}%{_unitdir}/
-%else
-mkdir -p %{buildroot}%{_initddir}/
-install -pm 0755 %{SOURCE4} %{buildroot}%{_initddir}/akmods
-%endif
+install -pm 0644 %{SOURCE18} %{buildroot}%{_unitdir}/
+install -pm 0644 %{SOURCE19} %{buildroot}%{_unitdir}/
 
 # Generate and install man pages.
 mkdir -p %{buildroot}%{_mandir}/man1
@@ -127,15 +143,12 @@ help2man -N -i %{SOURCE3} -s 1 \
     -o %{buildroot}%{_mandir}/man1/akmodsbuild.1 \
        %{buildroot}%{_sbindir}/akmodsbuild
 
+install -m0644 -D %{SOURCE21} %{buildroot}%{_sysusersdir}/akmods.conf
+
 
 %pre
-# create group and user
-getent group akmods >/dev/null || groupadd -r akmods
-getent passwd akmods >/dev/null || \
-useradd -r -g akmods -d /var/cache/akmods/ -s /sbin/nologin \
-    -c "User is used by akmods to build akmod packages" akmods
+%sysusers_create_compat %{SOURCE21}
 
-%if 0%{?fedora} || 0%{?rhel} > 6
 %post
 %systemd_post akmods.service
 %systemd_post akmods@.service
@@ -150,191 +163,40 @@ useradd -r -g akmods -d /var/cache/akmods/ -s /sbin/nologin \
 %systemd_postun akmods.service
 %systemd_postun akmods@.service
 %systemd_postun akmods-shutdown.service
-%else
-%post
-if [ $1 -eq 1 ] ; then
-  /sbin/chkconfig --add akmods ||:
-fi
-
-%preun
-if [ $1 -eq 0 ] ; then
-  /sbin/chkconfig --del akmods || :
-fi
-%endif
 
 
 %files
-%doc README
-%if 0%{?rhel} > 6 || 0%{?fedora} > 20
+%doc README README.secureboot
 %license LICENSE
-%else
-%doc LICENSE
-%endif
 %{_sbindir}/akmodsbuild
 %{_sbindir}/akmods
 %{_sbindir}/akmods-ostree-post
-%{_sysconfdir}/kernel/postinst.d/akmodsposttrans
-%if 0%{?fedora} || 0%{?rhel} > 6
+%{_sbindir}/kmodgenca
+%dir %attr(750,root,akmods) %{_sysconfdir}/pki/%{name}/certs
+%dir %attr(750,root,akmods) %{_sysconfdir}/pki/%{name}/private
+%config(noreplace) %attr(640,root,akmods) %{_sysconfdir}/pki/%{name}/cacert.config.in
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
 %{_unitdir}/akmods.service
 %{_unitdir}/akmods@.service
 %{_sbindir}/akmods-shutdown
 %{_unitdir}/akmods-shutdown.service
 %{_prefix}/lib/kernel/install.d/95-akmodsposttrans.install
+%attr(0644,root,root) %{_unitdir}/akmods-keygen.target
+%attr(0644,root,root) %{_unitdir}/akmods-keygen@.service
+%dir %attr(0770,root,akmods) %{_rundir}/%{name}
+%{_tmpfilesdir}/%{name}.conf
 # akmods was enabled in the default preset by f28
-%if 0%{?fedora} && 0%{?fedora} >= 28
-%exclude %{_presetdir}/95-akmods.preset
-%else
+%if 0%{?rhel}
 %{_presetdir}/95-akmods.preset
-%endif
 %else
-%{_initddir}/akmods
+%exclude %{_presetdir}/95-akmods.preset
 %endif
 %{_usrsrc}/akmods
-%attr(-,akmods,akmods) %{_localstatedir}/cache/akmods
+%dir %attr(-,akmods,akmods) %{_localstatedir}/cache/akmods
+%dir %attr(0775,root,akmods) %{_localstatedir}/log/%{name}
 %{_mandir}/man1/*
+%{_sysusersdir}/akmods.conf
 
 
 %changelog
-* Wed Nov 20 2019 Nicolas Viéville <nicolas.vieville@uphf.fr> - 0.5.6-24
-- Check kernel presence differently for systemd-boot machines - rhbz#1769144
-
-* Wed Oct 16 2019 Leigh Scott <leigh123linux@googlemail.com> - 0.5.6-23
-- Add requires kernel-abi-whitelists for RHEL
-
-* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.6-22
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Mon May 20 2019 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-21
-- Add check for rhel8
-
-* Wed May 15 2019 Nicolas Viéville <nicolas.vieville@uphf.fr> - 0.5.6-20
-- Fix akmodsposttrans after kernel update/install on Fedora >= 28 and 
-  RHEL >= 7 - rhbz#1709055
-
-* Thu Feb 28 2019 Alexander Larsson <alexl@redhat.com> - 0.5.6-19
-- Support ostree/silverblue builds - rhbz#1667014
-
-* Thu Feb 28 2019 Hans de Goede <hdegoede@redhat.com>
-- Do not fail when the old initscripts pkg is not installed - rhbz#1680121
-
-* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.6-18
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Mon Nov 05 2018 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-17
-- Don't enforce target arch - rhbz#1644430
-- Rework log file path
-- Avoid using /usr/lib/modules for el6 compat
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.6-16
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Mon Mar 26 2018 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-15
-- Add inihibitor for akmods@.service
-- Use restart on akmodsposttrans
-
-* Mon Mar 26 2018 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-14
-- Switch to always retry by default
-- Drop akmods preset by f28
-- Don't enable service on ah
-- Test a rw directory
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.6-13
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Wed Dec 13 2017 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-12
-- Update kernel posttrans method - rhbz#1518401
-
-* Thu Aug 03 2017 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-11
-- Rework kernel-devel requires on el
-
-* Thu Aug 03 2017 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-10
-- Enable suggests on fedora
-- Add back el6 support in spec
-- Add Requires elfutils-libelf-devel
-
-* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.6-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
-
-* Thu Jul 13 2017 Petr Pisar <ppisar@redhat.com> - 0.5.6-8
-- perl dependency renamed to perl-interpreter
-  <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>
-
-* Thu May  4 2017 Hans de Goede <hdegoede@redhat.com> - 0.5.6-7
-- "udevadm trigger" may have bad side-effects (rhbz#454407) instead
-  look for modalias files under /sys/devices and call modprobe directly
-- Fix exit status when no akmod packages are installed, so that systemd
-  does not consider the akmods.service as having failed to start
-
-* Wed May  3 2017 Hans de Goede <hdegoede@redhat.com> - 0.5.6-6
-- Run "udevadm trigger" and "systemctl restart systemd-modules-load.service"
-  when new kmod packages have been build and installed so that the new
-  modules may be used immediately without requiring a reboot
-
-* Mon Mar  6 2017 Hans de Goede <hdegoede@redhat.com> - 0.5.6-5
-- Add LICENSE file (rhbz#1422918)
-
-* Fri Feb 24 2017 Hans de Goede <hdegoede@redhat.com> - 0.5.6-4
-- Replace %%{_prefix}/lib/systemd/system-preset with %%{_presetdir}
-
-* Thu Feb 16 2017 Hans de Goede <hdegoede@redhat.com> - 0.5.6-3
-- Submit to Fedora for package review
-
-* Mon Nov 28 2016 Nicolas Chauvet <kwizart@gmail.com> - 0.5.6-2
-- Use Suggests kernel-devel weak-dependency - see rfbz#3386
-
-* Fri Oct 14 2016 Richard Shaw <hobbes1069@gmail.com> - 0.5.6-1
-- Disable shutdown systemd service file by default.
-- Remove modprobe line from main service file.
-
-* Wed Aug 17 2016 Sérgio Basto <sergio@serjux.com> - 0.5.4-3
-- New release
-
-* Sun Jan 03 2016 Nicolas Chauvet <kwizart@gmail.com> - 0.5.4-2
-- Revert conflicts kernel-debug-devel
-
-* Thu Jul 23 2015 Richard Shaw <hobbes1069@gmail.com> - 0.5.4-1
-- Do not mark a build as failed when only installing the RPM fails.
-- Run akmods-shutdown script instead of akmods on shutdown.
-- Add systemd preset file to enable services by default.
-
-* Wed Jul 15 2015 Richard Shaw <hobbes1069@gmail.com> - 0.5.3-2
-- Add package conflicts to stop pulling in kernel-debug-devel, fixes BZ#3386.
-- Add description for the formatting of the <kernel> parameter, BZ#3580.
-- Update static man pages and clean them up.
-- Fixed another instance of TMPDIR causing issues.
-- Added detection of dnf vs yum to akmods, fixed BZ#3481.
-
-* Wed Apr  1 2015 Richard Shaw <hobbes1069@gmail.com> - 0.5.2-1
-- Fix temporary directory creation when TMPDIR environment variable is set,
-  fixes BZ#2596.
-- Update systemd scripts to use macros.
-- Fix akmods run on shutdown systemd unit file, fixes BZ#3503.
-
-* Sun Nov 16 2014 Nicolas Chauvet <kwizart@gmail.com> - 0.5.1-4
-- Fix akmods on armhfp - rfbz#3117
-- Use yum instead of rpm to install packages - rfbz#3350
-  Switch to a better date format
-
-* Fri Jan 11 2013 Richard Shaw <hobbes1069@gmail.com> - 0.5.1-3
-- Really fix akmods.service.in.
-
-* Fri Jun 01 2012 Richard Shaw <hobbes1069@gmail.com> - 0.5.1-2
-- Add service file to run again on shutdown.
-- Add conditional for Fedora 18 to specify correct systemd graphical service.
-
-* Thu Apr 12 2012 Nicolas Chauvet <kwizart@gmail.com> - 0.4.0-4
-- Rebuilt
-
-* Tue Mar 20 2012 Richard Shaw <hobbes1069@gmail.com> - 0.4.0-3
-- Add additional error output if the needed kernel development files are not
-  installed. (Fixes #561)
-
-* Mon Mar 05 2012 Richard Shaw <hobbes1069@gmail.com> - 0.4.0-2
-- Remove remaining references to previous Fedora releases
-- Remove legacy SysV init script from CVS.
-- Added man page for akmods and cleaned up man page for akmodsbuild.
-
-* Tue Feb 07 2012 Nicolas Chauvet <kwizart@gmail.com> - 0.4.0-1
-- Update for UsrMove support
-- Remove unused references to older fedora
-- Change Requires from kernel-devel to kernel-devel-uname-r
+%autochangelog

akmods.sysusers.conf

@@ -0,0 +1,3 @@
+#Type  Name  ID  GECOS  Home directory  Shell
+g  akmods  -  -  -  -
+u  akmods  -  'User is used by akmods to build akmod packages' /var/cache/akmods/ -

akmods@.service

@@ -1,5 +1,7 @@
 [Unit]
 Description=Builds and install new kmods from akmod for a given kernel
+Wants=akmods-keygen.target
+After=akmods-keygen.target
 
 [Service]
 Type=oneshot

akmodsbuild

@@ -23,14 +23,10 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #
 myprog="akmodsbuild"
-myver="0.5.6"
+myver="0.6.2"
 
 # defaults that might get overwritten by user:
 kernels="$(uname -r)"
-target="$(uname -m)"
-if [[ "${target}" == "armv7l" ]] ; then
-	target="armv7hl"
-fi
 numberofjobs=$(grep -c processor /proc/cpuinfo 2> /dev/null)
 verboselevel=2
 outputdir="${PWD}"
@@ -57,14 +53,14 @@ init ()
 		fi
 	done
 
-	if [[ ! "${srpms}" ]] ; then
+	if [[ ! -n "${srpms}" ]] ; then
 		echo "ERROR: Please provide a list of SRPM-files to build."
 		exit 2
 	fi
 
 	# SRPMS available?
 	for srpm in ${srpms}; do
-		if [[ ! -r ${srpm} ]] ; then
+		if [[ ! -r "${srpm}" ]] ; then
 			echo "ERROR: Can't find SRPM ${srpm}"
 			exit 1
 		fi
@@ -81,27 +77,36 @@ init ()
 
 
 	# make sure this is a number
-	if ! (( ${numberofjobs} > 0 )) ; then
+	if ! (( numberofjobs > 0 )) ; then
 		echo "Warning: using hardcoded defaut value for number of jobs"
 		numberofjobs=2
 	fi
 
 	## preparations
 	# tmpdir
-	if ! tmpdir="$(mktemp -d -p /tmp ${myprog}.XXXXXXXX)" ; then
+	if ! tmpdir="$(mktemp -d -p /tmp "${myprog}.XXXXXXXX")" ; then
 		echo "ERROR: Could create tempdir."
 		exit 1
 	fi
 
-	# buildtreee
+	if [ -z "${target}" ] ; then
+		case "${kernels}" in
+			*x86_64_v4) target=x86_64_v4;;
+			*x86_64_v3) target=x86_64_v3;;
+			*x86_64_v2) target=x86_64_v2;;
+			*armv7hl) target=armv7hl;;
+			*) target="$(uname -m)" ;;
+		esac
+	fi
+	# buildtree
 	mkdir "${tmpdir}"/{BUILD,SOURCES,SPECS,SRPMS,RPMS,RPMS/"${target}"}
 
 	# logfile
-	if [[ ! "${logfile}" ]] ; then
+	if [[ ! -n "${logfile}" ]] ; then
 		logfile="${tmpdir}/logfile"
 	fi
 
-	if ( [[ -e "${logfile}" ]] && [[ ! -w "${logfile}" ]] ) || ! touch "${logfile}" ; then
+	if { [[ -e "${logfile}" ]] && [[ ! -w "${logfile}" ]] ; } || ! touch "${logfile}" ; then
 		echo "ERROR: Could not write logfile."
 		finally
 		exit 1
@@ -112,10 +117,10 @@ init ()
 finally()
 {
 	# kill background jobs if needed
-	if [[ "${watch_jobid}" ]] ; then
+	if [[ -n "${watch_jobid}" ]] ; then
 		kill "${watch_jobid}"
 	fi
-	if [[ "${rpmbuild_jobid}" ]] ; then
+	if [[ -n "${rpmbuild_jobid}" ]] ; then
 		kill "${rpmbuild_jobid}"
 	fi
 
@@ -143,12 +148,12 @@ akmods_echo()
 	fi
 
 	# output to console
-	if (( ${verboselevel} >= ${this_verbose} )) ; then
-		echo "$@" >&${this_fd}
+	if (( verboselevel >= this_verbose )) ; then
+		echo "$@" >&"${this_fd}"
 	fi
 
 	# global logfile
-	if [[ ! ${notlogfile} ]] ; then
+	if [[ ! -n "${notlogfile}" ]] ; then
 		echo "$@" >> "${logfile}"
 	fi
 }
@@ -159,8 +164,8 @@ watch_rpmbuild()
 	# background function to show rpmbuild progress
 	# does't use akmods_echo here; this stage handles the output on its own
 	# (seperate process and there is no need to log this)
-	if (( ${verboselevel} == 2 )) ; then
-		tail --pid ${1} -n +1 -s 0.1 -f ${2} 2>/dev/null | grep --line-buffered -e '%prep' -e '%build' -e '%install' -e '%clean' | while read line ; do
+	if (( verboselevel == 2 )) ; then
+		tail --pid "${1}" -n +1 -s 0.1 -f "${2}" 2>/dev/null | grep --line-buffered -e '%prep' -e '%build' -e '%install' -e '%clean' | while read -r line ; do
 			if [[ "${line}" != "${line##*prep}" ]] ; then
 				echo -n "prep "
 			elif [[ "${line}" != "${line##*build}" ]] ; then
@@ -172,8 +177,8 @@ watch_rpmbuild()
 				# last linefeed is done by the caller
 			fi
 		done
-	elif (( ${verboselevel} > 2 )) ; then
-		tail --pid ${1} -n +1 -s 0.1 -f ${2}
+	elif (( verboselevel > 2 )) ; then
+		tail --pid "${1}" -n +1 -s 0.1 -f "${2}"
 	fi
 }
 
@@ -194,31 +199,32 @@ process_srpm()
 		--define "_rpmdir     ${tmpdir}/RPMS" \
 		--define "_smp_mflags -j${numberofjobs}" \
 		--define "kernels     ${kernels}" \
-		--target ${target} \
+		--target "${target}" \
 		--rebuild "${source_rpm}" 2>&1 | tee -a "${logfile}" > "${tmpdir}/.joblog"  &
 
 	local rpmbuild_jobid=$!
 
 	# show progress
-	if (( ${verboselevel} >= 2 )) ; then
-		watch_rpmbuild ${rpmbuild_jobid} "${tmpdir}/.joblog" 2> /dev/null &
+	if (( verboselevel >= 2 )) ; then
+		watch_rpmbuild "${rpmbuild_jobid}" "${tmpdir}/.joblog" 2> /dev/null &
 		local watch_jobid=$!
 	fi
 
 	# wait for rpmbuild
-	wait ${rpmbuild_jobid}
-	local rpmbuild_returncode=$(tail -n 1 "${tmpdir}/.jobexit")
+	wait "${rpmbuild_jobid}"
+	local rpmbuild_returncode
+	rpmbuild_returncode=$(tail -n 1 "${tmpdir}/.jobexit")
 	unset rpmbuild_jobid
 
 	# give watch_rpmbuild a moment to catch up; kill it if it does not
-	if (( ${verboselevel} >= 2 )) ; then
+	if (( verboselevel >= 2 )) ; then
 		sleep 0.5
-		kill ${watch_jobid} &> /dev/null
+		kill "${watch_jobid}" &> /dev/null
 		unset watch_jobid
 	fi
 
 	# did rpmbuild succeed?
-	if (( ${rpmbuild_returncode} != 0 )) ; then
+	if (( rpmbuild_returncode != 0 )) ; then
 		# linefeed:
 		akmods_echo 1 2 ""
 
@@ -226,15 +232,16 @@ process_srpm()
 		akmods_echo 2 2 --not-logfile "--- "
 		tail -n 35 "${tmpdir}/.joblog" >&2
 		akmods_echo 2 2  --not-logfile "---"
-		return ${rpmbuild_returncode}
+		return "${rpmbuild_returncode}"
 	fi
 
 	# finish status for watch_rpmbuild
-	if (( ${verboselevel} >= 2 )) ; then
-		akmods_echo 1 2 -n "Successfull; "
+	if (( verboselevel >= 2 )) ; then
+		akmods_echo 1 2 -n "Successful; "
 	fi
 
-	local rpms_built="$(cd "${tmpdir}"/RPMS/"${target}" ; echo *)"
+	local rpms_built
+	rpms_built="$(cd "${tmpdir}"/RPMS/"${target}" || exit ; echo *)"
 
 	if ! mv "${tmpdir}/RPMS/${target}/"* "${outputdir}" ; then
 		# linefeed:
@@ -244,11 +251,11 @@ process_srpm()
 		return 128
 	fi
 
-	if (( ${verboselevel} == 1 )) ; then
+	if (( verboselevel == 1 )) ; then
 		for rpm in ${rpms_built}; do
 			echo "${outputdir%%/}/${rpm}"
 		done
-	elif (( ${verboselevel} >= 2 )) ; then
+	elif (( verboselevel >= 2 )) ; then
 		akmods_echo 1 2  "Saved ${rpms_built} in ${outputdir%%/}/"
 	fi
 
@@ -276,7 +283,7 @@ while [ "${1}" ] ; do
 	case "${1}" in
 		-k|--kernels)
 			shift
-			if [[ ! "${1}" ]] ; then
+			if [[ ! -n "${1}" ]] ; then
 				echo "ERROR: Please provide kernel-version(s) to build for together with --kernel" >&2
 				exit 1
 			fi
@@ -285,7 +292,7 @@ while [ "${1}" ] ; do
 			;;
 		-l|--logfile)
 			shift
-			if [[ ! "${1}" ]] ; then
+			if [[ ! -n "${1}" ]] ; then
 				echo "ERROR: Please provide a filename together with --logfile" >&2
 				exit 1
 			fi
@@ -294,7 +301,7 @@ while [ "${1}" ] ; do
 			;;
 		-o|--outputdir)
 			shift
-			if [[ ! "${1}" ]] ; then
+			if [[ ! -n "${1}" ]] ; then
 				echo "ERROR: Please provide the output directory together with --outputdir" >&2
 				exit 1
 			fi
@@ -303,7 +310,7 @@ while [ "${1}" ] ; do
 			;;
 		-t|--target)
 			shift
-			if [[ ! "${1}" ]] ; then
+			if [[ ! -n "${1}" ]] ; then
 				echo "ERROR: Please provide the target-arch together with --target" >&2
 				exit 1
 			fi
@@ -311,11 +318,11 @@ while [ "${1}" ] ; do
 			shift
 			;;
 		-v|--verbose)
-			let verboselevel++
+			(( verboselevel++ ))
 			shift
 			;;
 		-q|--quiet)
-			let verboselevel--
+			(( verboselevel-- ))
 			shift
 			;;
 		-h|--help)
@@ -343,12 +350,12 @@ init
 
 # go
 for srpm in ${srpms}; do
-	process_srpm ${srpm}
+	process_srpm "${srpm}"
 	returncode=$?
 
-	if (( ${returncode} != 0 )) ; then
+	if (( returncode != 0 )) ; then
 		finally
-		exit ${returncode}
+		exit "${returncode}"
 	fi
 done
 

akmodsinit

@@ -1,47 +0,0 @@
-#!/bin/bash -
-#
-# akmodinit     Builds and install new kmods from akmod packages
-#
-# Author:       Thorsten Leemhuis <fedora@leemhuis.info>
-#
-# chkconfig:    2345 5 95
-#
-# description:  akmodsinit calls akmod during system boot to build and install
-#               kmods for the currently running kernel if neccessary.
-#
-# processname:  akmodsd
-# pidfile:      /var/run/akmodsd.pid
-#
-
-### BEGIN INIT INFO
-# Provides: akmodsd
-# Required-Start: $local_fs
-# Required-Stop: $local_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Builds and install new kmods from akmod packages
-# Description: akmodsinit calls akmod during system boot to build and install
-#              kmods for the currently running kernel if neccessary.
-### END INIT INFO
-
-start_akmods ()
-{
-	# build and install all kmods if neccessary
-	# for the currently running kernel (default in akmods)
-	/usr/sbin/akmods --from-init
-}
-
-
-# See how we were called.
-case "$1" in
-	start|restart|reload|condrestart)
-		start_akmods
-		;;
-	stop|status)
-		exit 0
-		;;
-	*)
-		echo $"Usage: $0 start"
-		exit 2
-		;;
-esac

akmodsposttrans

@@ -1,47 +0,0 @@
-#!/bin/bash -
-#
-# akmodposttrans - Calls akmods for newly installed kernels
-#
-# Copyright (c) 2009 Thorsten Leemhuis <fedora@leemhuis.info>
-# Copyright (c) 2017 Nicolas Chauvet <kwizart@gmail.com>
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-#
-
-# just check in case a user calls this directly
-if [[ ! -w /var ]] ; then
-	echo "Needs to run as root to be able to install rpms." >&2
-	exit 4
-fi
-
-# needs to run in background as rpmdb might be locked otherwise
-if [ -e /bin/systemctl ] ; then
-	# Exit early if system-update.target is active - rhbz#1518401
-	/bin/systemctl is-active system-update.target &>/dev/null
-	RET=$?
-
-	[ $RET == 0 ] && exit 0
-
-	/bin/systemctl restart akmods@${1}.service --no-block >/dev/null 2>&1
-else
-	nohup /usr/sbin/akmods --from-kernel-posttrans --kernels ${1} > /dev/null 2>&1 &
-fi
-
-exit 0

cacert.config.in

@@ -0,0 +1,41 @@
+# Default OpenSSL settings and configuration file for kmodgenca
+# shell-script.
+#
+[ req ]
+default_bits                    = 4096
+distinguished_name              = req_distinguished_name
+prompt                          = no
+utf8                            = yes
+string_mask                     = utf8only
+x509_extensions                 = req_exts
+
+[ req_distinguished_name ]
+# Values settings
+#
+0.organizationName              = Organization Name (eg, company)
+organizationalUnitName          = Organizational Unit Name (eg, section)
+emailAddress                    = Email Address
+emailAddress_max                = 64
+localityName                    = Locality Name (eg, city)
+stateOrProvinceName             = State or Province Name (full name)
+countryName                     = Country Name (2 letter code)
+countryName_min                 = 2
+countryName_max                 = 2
+commonName                      = Common Name (eg, your name or your server\'s hostname)
+commonName_max                  = 64
+
+# Default values
+#
+0.organizationName_default      = akmods local
+organizationalUnitName_default  = akmods
+emailAddress_default            = akmods@localhost.localdomain
+localityName_default            = None
+stateOrProvinceName_default     = None
+countryName_default             = XX
+commonName_default              = akmods local signing CA
+
+[ req_exts ]
+basicConstraints                = critical,CA:FALSE
+keyUsage                        = digitalSignature
+subjectKeyIdentifier            = hash
+authorityKeyIdentifier          = keyid

changelog

@@ -0,0 +1,178 @@
+* Fri May 02 2025 Marcel Hetzendorfer <mh7596@gmail.com> - 0.6.0-11
+- Show building and installing on plymouth boot screen
+
+* Tue Feb 11 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.6.0-10
+- Add sysusers.d config file to allow rpm to create users/groups
+  automatically
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Wed Dec 11 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.6.0-8
+- Update others hostname occurences
+
+* Tue Dec 10 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.6.0-7
+- Drop hostname deps - rhbz#2330137
+
+* Thu Nov 28 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.6.0-6
+- Validate or discard default_kernel - rhbz#2270414
+
+* Fri Nov 08 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.6.0-5
+- Fix KEYNAME lengh - rhbz#2323702
+
+* Wed Oct 02 2024 Rohan Barar <rohan.barar@gmail.com> - 0.6.0-4
+- Add robust missing key pair logic
+
+* Wed Oct 02 2024 Rohan Barar <rohan.barar@gmail.com> - 0.6.0-3
+- Improved error handling + Bug fixes
+
+* Tue Oct 01 2024 Rohan Barar <rohan.barar@gmail.com> - 0.6.0-2
+- Add check for elevated privileges
+
+* Tue Oct 01 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.6.0-1
+- Bump akmods version
+
+* Tue Oct 01 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.10-30
+- Remove duplicate akmodsposttrans call - rhbz#2011120
+
+* Thu Sep 26 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-29
+- Avoid double error on empty user-provided key pair name.
+
+* Thu Sep 26 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-28
+- Corrected erroneous code introduced in previous commits.
+
+* Thu Sep 26 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-27
+- Fixed typo 'if' to 'fi'.
+
+* Thu Sep 26 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-26
+- Added check for existing key pair with same name as user-specified new
+  key pair name.
+
+* Thu Sep 26 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-25
+- Added ability for user to name key pair.
+
+* Sun Sep 22 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-24
+- Introduced loop to gracefully handle extremely rare key pair name
+  collision events.
+
+* Sat Sep 21 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-23
+- Refactor key pair naming scheme to enhance robustness + Removed collision
+  check and key pair backup function due to bug with ':' in file names
+  alongside superfluous nature of function given improved naming scheme.
+
+* Sat Sep 21 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-22
+- Removed 'sudo' prefixes as per request in PR #23.
+
+* Sat Sep 21 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-21
+- Further improvements to argument parsing logic.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-20
+- Improved clarity of exit status code comments.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-19
+- Revert "Utilise robust shebang." as per request on PR #23.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-18
+- Added support for combined single-letter arguments + Chowned symlinks.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-17
+- Improved mokutil error handling + Added sudo prefixes.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-16
+- Added error handling for failed cacert modification.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-15
+- Whitespace changes for consistency.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-14
+- Extract functions to enhance readability + Set 'commonName' to match
+  'KEYNAME'.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-13
+- Added logic to detect broken existing key pairs.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-12
+- Improved user feedback in event of existing key pair.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-11
+- Updated copyright information.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-10
+- Various changes to avoid ShellCheck warnings.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-9
+- Align license to 80 character width.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-8
+- Utilise robust shebang.
+
+* Fri Sep 20 2024 Rohan Barar <rohan.barar@gmail.com> - 0.5.10-7
+- Removed hard-coded paths.
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.10-6
+- Fix parsing multiple kernel
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.10-5
+- Use check_kernel_devel return code as appropriate
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.10-4
+- Change check_kernel_devel() to return instead of exit
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.10-3
+- akmods --from-init only operates on current kernel
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.10-2
+- Deprecate akmods-shutdown script
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.10-1
+- Bump to akmods 0.5.10
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.9-8
+- Only check for default_kernel is no value - rhbz#2293047
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.9-7
+- Revert "Call Init before the argument parser"
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.9-6
+- Switch to use sdubby alternatives to grubby
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.9-5
+- Drop older rhel and use -core
+
+* Fri Aug 23 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.9-4
+- Drop older rhel cases
+
+* Mon Aug 19 2024 Jonathan Wakely <jwakely@fedoraproject.org> - 0.5.9-3
+- Fix bug URLs in man page
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+* Thu Jul 04 2024 Nicolas Chauvet <kwizart@gmail.com> - 0.5.9-1
+- akmods release 0.5.9
+
+* Thu Jul 04 2024 Hans de Goede <hdegoede@redhat.com> - 0.5.8-10
+- Fix intel-ipu6-kmod installation with kernel >= 6.10
+
+* Thu Jul 04 2024 Marius Schwarz <fedoradev@cloud-foo.de> - 0.5.8-9
+- Call Init before the argument parser
+
+* Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.8-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.8-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Dec 05 2023 Nicolas Chauvet <kwizart@gmail.com> - 0.5.8-6
+- Workaround for rhbz#1889136 when localpkg_gpgcheck=True
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Fri May 05 2023 Nicolas Chauvet <kwizart@gmail.com> - 0.5.8-1
+- Don't emit weak-deps from deprecated arches on all
+- Allow akmods --rebuild to force rebuild+reinstall - rhbz#2140012
+- ensure to build for grub or systemd-boot default kernel - rhbz#2124086
+- Drop "which" as akmods dependency
+
+