There are a couple of changes needed:
1. Package version cannot contain '-' (5.4-rc5-1.pvops.qubes is an
invalid rpm version). Follow Fedora upstream idea of moving 'rc' tag
into package release field, as 0.rcXX.(original rel). This way, such
package will be 'older' than the final release (with just release
number there - 1 in most cases). The alternative idea is using
'~rcXX' in the package version, but ~ couldn't be part of a kernel
version reported by the kernel itself and also qubes-dom0-update
refuses ~ in a package filename.
2. Adjust kernel version to match the above - specifically clear
EXTRAVERSION (-rcXX suffix), as it will be added back as package
release (CONFIG_LOCALVERSION).
3. rc tarballs are available only as a git-generated .tar.gz (not
.tar.xz) and there are no matching detached signatures. While it
would be possible to download a signed tag via git, scripting that
would be overly complex for such a rarely used task. Leave this
verification as a manual step and require a sha512 checksum to be
committed into the repository.
To build an archive matching the upstream one, out of a signed tag, use
a command like this:
    git archive --prefix=linux-5.4-rc5/ --output=../linux-5.4-rc5.tar.gz v5.4-rc5
While at it, remove obsolete BUILD_FLAVOR variable.

wget downloads new linux-*.sign files and backs up the
existing files as file.1, file.2, etc. This causes false
positives during 'git status' or 'make check'
i.e.
* linux-2.6.38.3.tar.bz2.sign.1
* linux-3.2.7.tar.sign.1
Adding -N causes wget to smartly overwrite as required.

1) For newer pvops kernels we can use kernel.org sign files that are signed
with a new (uncompromised, at least not known to be compromised yet) key
2) For older kernels, we need to use a hash, as kernel.org decided not to
release an updated signature with a new key.
In any case, use hash-based verification additionally, try to minimize trust put
into kernel.org people...
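
The hash-based check that both the rc-tarball message and the kernel.org message above rely on, sketched as an added example (not code from this repository). It assumes the committed digest sits in <tarball>.sha512; verify_tarball is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not code from the repository. Assumed layout: the committed
# checksum lives in <tarball>.sha512, as a bare digest or sha512sum output.

# verify_tarball TARBALL [SHA512_FILE]  (hypothetical helper)
# Returns 0 only when a well-formed committed digest matches the file.
verify_tarball() {
    tarball=$1
    sumfile=${2:-$1.sha512}

    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 2; }
    # Fail closed: an absent or empty checksum file is an error, not a skip.
    [ -s "$sumfile" ] || { echo "no committed checksum: $sumfile" >&2; return 2; }

    # First field of the first line; lower-cased so hex case does not matter.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")

    # Reject truncated or non-hex digests before comparing anything.
    case $expected in
        *[!0-9a-f]*) echo "malformed digest in $sumfile" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || { echo "malformed digest in $sumfile" >&2; return 2; }

    # Read via stdin so the file name is never parsed as an option.
    actual=$(sha512sum < "$tarball" | awk '{ print $1 }')

    if [ "$actual" != "$expected" ]; then
        echo "SHA-512 mismatch for $tarball" >&2
        return 1
    fi
    echo "OK: $tarball matches $sumfile"
}

# Command-line use: sh verify.sh linux-5.4-rc5.tar.gz
[ "$#" -eq 0 ] || verify_tarball "$@"
```

The committed digest is only as trustworthy as the manual check of the signed tag that produced it; this function just keeps later builds pinned to that result.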