> >> from where you got CONFIG_MODULE_SIG_FORMAT? CONFIG_MODULE_SIG is
> >> the trigger to create this binary:
> >>
> >> scripts/Makefile:hostprogs-$(CONFIG_MODULE_SIG)+= sign-file
> >>  
> >
> > I was looking at kernel 5.6.
> >
> > Then we likely need multiple condition when to run sign-file while
> > building an external module.
> >
> > And we also need some idea how to deploy the shared keys to all
> > recipes. If we only talk about two or three, the kernel recipe
> > could carry the keys as artifacts, and other recipes would simply
> > link them. But that is not really nice to maintain. We could, of
> > course, package the keys into linux-headers. Downside: Someone may
> > then accidentally ship them on a device.  
>
> maybe we can use a separate package? e.g. kernel-module-signkeys?
>
> normally this package will be only used for building, we can output
> an error during isar build when someone installs this package to the
> image (prevents "accidentally ship them on a device")
>
> next point: can we avoid somehow with isar that this package is
> showing up in some apt repo (outside isar build system)?

All packages isar builds for an image show up in a repo called
"isar-apt" that is strictly internal.

If you choose to make use of the rebuild cache that will be another
repo - "base-apt". "base-apt" can be published and used for consecutive
(re-)builds.

Isar does not publish anything on its own, nothing to be afraid of.