From df1366fce0edc8f3823c50f455672cc561af028b Mon Sep 17 00:00:00 2001
From: Simon Pflaumer <s.pflaumer@murena.io>
Date: Sun, 18 Jan 2026 16:54:56 +0000
Subject: [PATCH] dkms: resolve in-tree certificates to absolute paths

On Gentoo, the signing certificate can be obtained from the kernel configuration, which by default is a path relative to it's source directory, causing `prepare_mok` to pass, as the PWD can be within that source directory while checking the obtained paths, but definitely failing during `do_build`, once the PWD is the temporary build directory. This changes the logic to obtain an absolute path using `readlink -f`, instead of assuming that the configured path is absolute
---
 dkms.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/dkms.in b/dkms.in
index bca479d7..a840e7d1 100644
--- a/dkms.in
+++ b/dkms.in
@@ -1280,10 +1280,20 @@ prepare_mok()
                 fi
 
                 if [[ ! $mok_signing_key && -f ${kernel_config} ]]; then
+                    # Switch to the kernel's source directory while resolving
+                    # the module signing key, since the path set within the config
+                    # could be relative to the source directory
+                    local _pwd=$(pwd)
+                    cd $kernel_source_dir
+
                     mok_signing_key=$(grep "^CONFIG_MODULE_SIG_KEY=" "${kernel_config}" | cut -f2 -d= | sed 's/"//g')
+                    # Assume the absolute path to the certificate
+                    mok_signing_key=$(readlink -f "${mok_signing_key}")
                     # Kernel module signing facility requires PEM files containing both
                     # the key and the certificate, so in this case both will be the same.
                     mok_certificate=${mok_signing_key}
+
+                    cd $_pwd
                 fi
                 ;;
         esac