diff --git a/Makefile.rhelver b/Makefile.rhelver
index 23510a327..1785402a6 100644
--- a/Makefile.rhelver
+++ b/Makefile.rhelver
@@ -12,7 +12,7 @@ RHEL_MINOR = 1
 #
 # Use this spot to avoid future merge conflicts.
 # Do not trim this comment.
-RHEL_RELEASE = 119
+RHEL_RELEASE = 120
 
 #
 # RHEL_REBASE_NUM
diff --git a/kernel.changelog b/kernel.changelog
index 0182882f6..fc25812c5 100644
--- a/kernel.changelog
+++ b/kernel.changelog
@@ -1,3 +1,32 @@
+* Tue Aug 12 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-120.el10]
+- mm/memory-tier: fix abstract distance calculation overflow (Rafael Aquini) [RHEL-100684]
+- net: add debug check in skb_reset_mac_header() (Davide Caratti) [RHEL-96625]
+- net: skb_reset_mac_len() must check if mac_header was set (Davide Caratti) [RHEL-96625]
+- vlan: enforce underlying device type (CKI Backport Bot) [RHEL-96625] {CVE-2025-21920}
+- kernel.spec: add conditional to include rhel trusted certificates (Eric Chanudet) [RHEL-78808]
+- kernel.spec: Always BuildRequire openssl-devel (Eric Chanudet) [RHEL-78808]
+- kernel.spec: automotive: disable kernel signature by default (Eric Chanudet) [RHEL-78808]
+- redhat/configs: automotive: enable extra system cert (Eric Chanudet) [RHEL-78808]
+- redhat/configs: automotive: Disable module signature with modules_install (Eric Chanudet) [RHEL-78808]
+- xfs: do not check NEEDSREPAIR if ro,norecovery mount. (CKI Backport Bot) [RHEL-101641]
+- iavf: fix reset_task for early reset event (Michal Schmidt) [RHEL-83568]
+- iavf: add support for Rx timestamps to hotpath (Michal Schmidt) [RHEL-83568]
+- iavf: handle set and get timestamps ops (Michal Schmidt) [RHEL-83568]
+- iavf: periodically cache PHC time (Michal Schmidt) [RHEL-83568]
+- iavf: add support for indirect access to PHC time (Michal Schmidt) [RHEL-83568]
+- iavf: add initial framework for registering PTP clock (Michal Schmidt) [RHEL-83568]
+- iavf: negotiate PTP capabilities (Michal Schmidt) [RHEL-83568]
+- iavf: add support for negotiating flexible RXDID format (Michal Schmidt) [RHEL-83568]
+- iavf: Implement checking DD desc field (Michal Schmidt) [RHEL-83568]
+- iavf: refactor iavf_clean_rx_irq to support legacy and flex descriptors (Michal Schmidt) [RHEL-83568]
+- iavf: define Rx descriptors as qwords (Michal Schmidt) [RHEL-83568]
+- iavf: allow changing VLAN state without calling PF (Michal Schmidt) [RHEL-83568]
+- iavf: Remove unused declarations (Michal Schmidt) [RHEL-83568]
+- iavf: add support to exchange qos capabilities (Michal Schmidt) [RHEL-83568]
+- iavf: Add net_shaper_ops support (Michal Schmidt) [RHEL-83568]
+- redhat/configs: automotive: Enable CONFIG_BOOTPARAM_HUNG_TASK_PANIC config (Dorinda Bassey) [RHEL-87368]
+Resolves: RHEL-100684, RHEL-101641, RHEL-78808, RHEL-83568, RHEL-87368, RHEL-96625
+
 * Thu Aug 07 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-119.el10]
 - i2c/designware: Fix an initialization issue (CKI Backport Bot) [RHEL-106627] {CVE-2025-38380}
 - ice: default to TIME_REF instead of TXCO on E825-C (Petr Oros) [RHEL-104246]
diff --git a/kernel.spec b/kernel.spec
index a39158ecc..b0cfa672b 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -111,6 +111,9 @@ Summary: The Linux kernel
 # Sign modules on all arches
 %global signmodules 1
 
+# Add additional rhel certificates to system trusted keys.
+%global rhelkeys 1
+
 # Compress modules only for architectures that build modules
 %ifarch noarch
 %global zipmodules 0
@@ -162,15 +165,15 @@ Summary: The Linux kernel
 %define specrpmversion 6.12.0
 %define specversion 6.12.0
 %define patchversion 6.12
-%define pkgrelease 119
+%define pkgrelease 120
 %define kversion 6
-%define tarfile_release 6.12.0-119.el10
+%define tarfile_release 6.12.0-120.el10
 # This is needed to do merge window version magic
 %define patchlevel 12
 # This allows pkg_release to have configurable %%{?dist} tag
-%define specrelease 119%{?buildid}%{?dist}
+%define specrelease 120%{?buildid}%{?dist}
 # This defines the kabi tarball version
-%define kabiversion 6.12.0-119.el10
+%define kabiversion 6.12.0-120.el10
 
 # If this variable is set to 1, a bpf selftests build failure will cause a
 # fatal kernel package build error
@@ -460,6 +463,9 @@ Summary: The Linux kernel
 %define with_kabichk 0
 %define with_kernel_abi_stablelists 0
 %define with_kabidw_base 0
+%define signkernel 0
+%define signmodules 1
+%define rhelkeys 0
 %endif
 
 
@@ -767,9 +773,8 @@ BuildRequires: libnl3-devel
 BuildRequires: python3-pyyaml python3-jsonschema python3-pip python3-setuptools python3-wheel
 %endif
 
-%if %{with_tools} || %{signmodules} || %{signkernel}
 BuildRequires: openssl-devel
-%endif
+
 %if %{with_selftests}
 BuildRequires: clang llvm-devel fuse-devel zlib-devel binutils-devel python3-docutils python3-jsonschema
 %ifarch x86_64 riscv64
@@ -2046,12 +2051,16 @@ done
 %if %{signkernel}%{signmodules}
 
 # Add DUP and kpatch certificates to system trusted keys for RHEL
+truncate -s0 ../certs/rhel.pem
 %if 0%{?rhel}
+%if %{rhelkeys}
 %{log_msg "Add DUP and kpatch certificates to system trusted keys for RHEL"}
 openssl x509 -inform der -in %{SOURCE100} -out rheldup3.pem
 openssl x509 -inform der -in %{SOURCE101} -out rhelkpatch1.pem
 openssl x509 -inform der -in %{SOURCE102} -out nvidiagpuoot001.pem
-cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem > ../certs/rhel.pem
+cat rheldup3.pem rhelkpatch1.pem nvidiagpuoot001.pem >> ../certs/rhel.pem
+# rhelkeys
+%endif
 %if %{signkernel}
 %ifarch s390x ppc64le
 openssl x509 -inform der -in %{secureboot_ca_0} -out secureboot.pem
@@ -4320,6 +4329,34 @@ fi\
 #
 #
 %changelog
+* Tue Aug 12 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-120.el10]
+- mm/memory-tier: fix abstract distance calculation overflow (Rafael Aquini) [RHEL-100684]
+- net: add debug check in skb_reset_mac_header() (Davide Caratti) [RHEL-96625]
+- net: skb_reset_mac_len() must check if mac_header was set (Davide Caratti) [RHEL-96625]
+- vlan: enforce underlying device type (CKI Backport Bot) [RHEL-96625] {CVE-2025-21920}
+- kernel.spec: add conditional to include rhel trusted certificates (Eric Chanudet) [RHEL-78808]
+- kernel.spec: Always BuildRequire openssl-devel (Eric Chanudet) [RHEL-78808]
+- kernel.spec: automotive: disable kernel signature by default (Eric Chanudet) [RHEL-78808]
+- redhat/configs: automotive: enable extra system cert (Eric Chanudet) [RHEL-78808]
+- redhat/configs: automotive: Disable module signature with modules_install (Eric Chanudet) [RHEL-78808]
+- xfs: do not check NEEDSREPAIR if ro,norecovery mount. (CKI Backport Bot) [RHEL-101641]
+- iavf: fix reset_task for early reset event (Michal Schmidt) [RHEL-83568]
+- iavf: add support for Rx timestamps to hotpath (Michal Schmidt) [RHEL-83568]
+- iavf: handle set and get timestamps ops (Michal Schmidt) [RHEL-83568]
+- iavf: periodically cache PHC time (Michal Schmidt) [RHEL-83568]
+- iavf: add support for indirect access to PHC time (Michal Schmidt) [RHEL-83568]
+- iavf: add initial framework for registering PTP clock (Michal Schmidt) [RHEL-83568]
+- iavf: negotiate PTP capabilities (Michal Schmidt) [RHEL-83568]
+- iavf: add support for negotiating flexible RXDID format (Michal Schmidt) [RHEL-83568]
+- iavf: Implement checking DD desc field (Michal Schmidt) [RHEL-83568]
+- iavf: refactor iavf_clean_rx_irq to support legacy and flex descriptors (Michal Schmidt) [RHEL-83568]
+- iavf: define Rx descriptors as qwords (Michal Schmidt) [RHEL-83568]
+- iavf: allow changing VLAN state without calling PF (Michal Schmidt) [RHEL-83568]
+- iavf: Remove unused declarations (Michal Schmidt) [RHEL-83568]
+- iavf: add support to exchange qos capabilities (Michal Schmidt) [RHEL-83568]
+- iavf: Add net_shaper_ops support (Michal Schmidt) [RHEL-83568]
+- redhat/configs: automotive: Enable CONFIG_BOOTPARAM_HUNG_TASK_PANIC config (Dorinda Bassey) [RHEL-87368]
+
 * Thu Aug 07 2025 CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> [6.12.0-119.el10]
 - i2c/designware: Fix an initialization issue (CKI Backport Bot) [RHEL-106627] {CVE-2025-38380}
 - ice: default to TIME_REF instead of TXCO on E825-C (Petr Oros) [RHEL-104246]
diff --git a/sources b/sources
index abf28f3e5..b53c71ebc 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
 SHA512 (kernel-abi-stablelists-6.6.0.tar.bz2) = 4f917598056dee5e23814621ec96ff2e4a411c8c4ba9d56ecb01b23cb96431825bedbecfcbaac9338efbf5cb21694d85497fa0bf43e7c80d9cd10bc6dd144dbd
 SHA512 (kernel-kabi-dw-6.6.0.tar.bz2) = 19308cd976031d05e18ef7f5d093218acdb89446418bab0cd956ff12cf66369915b9e64bb66fa9f20939428a60e81884fec5be3529c6c7461738d6540d3cc5c6
-SHA512 (linux-6.12.0-119.el10.tar.xz) = 4791b3009b2035126bbbc22ef3b4b586f308a8697979bd0519653f6769aab7b6a7ac2380b6049ed4e0dc9d3508afdd6b1680456a7f57e6761712ee5c81e619c9
-SHA512 (kernel-abi-stablelists-6.12.0-119.el10.tar.xz) = a76e522dc5a5dcdf61de2f1bb171f6fc0d6b59946dcce7d4a4e68f02011245f14402d38a3baa3ae293db5e4f4b299426669beb5d11ffe69d9d4a42218a414c70
-SHA512 (kernel-kabi-dw-6.12.0-119.el10.tar.xz) = 60ebd251927400a2791c1844d03b746266ececf5424663b40ec83bd9b2495b3a5d3a56f00d41fc25757b9b6d5639406af26f1a104877c69785dbd17cc957484c
+SHA512 (linux-6.12.0-120.el10.tar.xz) = 1de1f22ca4f704d0b7121c1439ec0b92556581ac908d257fc496dd09843c3a9298e5d2c78032a0b56b1ab9806ed5f7f0a9844edc6f80f22121f75447f01d2792
+SHA512 (kernel-abi-stablelists-6.12.0-120.el10.tar.xz) = 68d9c29cbc390c900db79c277ae8067070896c084720837dc24f1dc030e61b71c33e523aaff8d852bd2bf3468e28dad3c28b369be9fd61ef3aeb7a95e8b2e978
+SHA512 (kernel-kabi-dw-6.12.0-120.el10.tar.xz) = 60ebd251927400a2791c1844d03b746266ececf5424663b40ec83bd9b2495b3a5d3a56f00d41fc25757b9b6d5639406af26f1a104877c69785dbd17cc957484c