>
> > >> from where you got CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG is 
> > >> the trigger to create this binary: 
> > >> 
> > >> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file 
> > >>   
> > > 
> > > I was looking at kernel 5.6. 
> > > 
> > > Then we likely need multiple condition when to run sign-file while 
> > > building an external module. 
> > > 
> > > And we also need some idea how to deploy the shared keys to all 
> > > recipes. If we only talk about two or three, the kernel recipe 
> > > could carry the keys as artifacts, and other recipes would simply 
> > > link them. But that is not really nice to maintain. We could, of 
> > > course, package the keys into linux-headers. Downside: Someone may 
> > > then accidentally ship them on a device.   
> > 
> > maybe we can use a separate package? e.g. kernel-module-signkeys? 
> > 
> > normally this package will be only used for building, we can output 
> > an error during isar build when someone installs this package to the 
> > image (prevents "accidentally ship them on a device") 
> > 
> > next point: can we avoid somehow with isar that this package is 
> > showing up in some apt repo (outside isar build system)? 
>
> All packages isar builds for an image show up in a repo called 
> "isar-apt" that is strictly internal. 
>
> If you choose to make use of the rebuild cache that will be another 
> repo - "base-apt". "base-apt" can be published and used for consecutive 
> (re-)builds. 
>
> Isar does not publish anything on its own, nothing to be afraid of. 
>

ok my misunderstanding, because "isar-apt" resides in the deploy 
subdirectory, I was assuming it may get published at some point 
(openembedded/poky had also an ipk subdirectory in deploy which could serve 
as an external ipk repo).

means this "base-apt" gets only generated when I was using "-c 
cache_base_repo"? about this directory I am not afraid, it contains no 
self-built packages.

kernel-headers-cip resides in "isar-apt", so I was more worried about this 
apt repo.