* [PR PATCH] sbsigntool: rewrite post-install kernel hook
@ 2020-07-21 14:21 sgn
2020-07-21 17:56 ` Duncaen
` (13 more replies)
0 siblings, 14 replies; 15+ messages in thread
From: sgn @ 2020-07-21 14:21 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 741 bytes --]
There is a new pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 4702 bytes --]
From f00e6fee1245833be7de14002bbdab50b76e3fa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..ef379afecb7 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel"; then
+ return 0
+ fi
+ if ! sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign boot/vmlinuz-$VERSION"
+ return 1
+ fi
+ if ! sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
@ 2020-07-21 17:56 ` Duncaen
2020-07-21 17:59 ` Duncaen
` (12 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: Duncaen @ 2020-07-21 17:56 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 285 bytes --]
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/pull/23688#issuecomment-662014871
Comment:
Is it possible to change the options to set/unset instead of checking for 1 to make all the hooks more uniform, without breaking compatibility?
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
2020-07-21 17:56 ` Duncaen
@ 2020-07-21 17:59 ` Duncaen
2020-07-21 23:12 ` sgn
` (11 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: Duncaen @ 2020-07-21 17:59 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 441 bytes --]
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/pull/23688#issuecomment-662014871
Comment:
Is it possible to change the options to set/unset instead of checking for 1 to make all the hooks more uniform, without breaking compatibility?
Edit: nvm, not possible and this seems to have started with the x1 stuff with the really bad efibootmgr hook, its bad but doesn't really matter too much.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
2020-07-21 17:56 ` Duncaen
2020-07-21 17:59 ` Duncaen
@ 2020-07-21 23:12 ` sgn
2020-07-21 23:16 ` [PR PATCH] [Updated] " sgn
` (10 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-07-21 23:12 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 231 bytes --]
New comment by sgn on void-packages repository
https://github.com/void-linux/void-packages/pull/23688#issuecomment-662152937
Comment:
Yes, at the time, I started `sbsigntool`, I mostly copy from `efibootmgr`.
It's too late now.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PR PATCH] [Updated] sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (2 preceding siblings ...)
2020-07-21 23:12 ` sgn
@ 2020-07-21 23:16 ` sgn
2020-07-22 0:13 ` ericonr
` (9 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-07-21 23:16 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
There is an updated pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 4702 bytes --]
From f00e6fee1245833be7de14002bbdab50b76e3fa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..ef379afecb7 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel"; then
+ return 0
+ fi
+ if ! sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign boot/vmlinuz-$VERSION"
+ return 1
+ fi
+ if ! sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (3 preceding siblings ...)
2020-07-21 23:16 ` [PR PATCH] [Updated] " sgn
@ 2020-07-22 0:13 ` ericonr
2020-07-23 13:57 ` sgn
` (8 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: ericonr @ 2020-07-22 0:13 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 275 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/pull/23688#issuecomment-662169581
Comment:
Could we add support for the UEFI bundles already? Source `dracut-uefi-hook` and check if they are being built, then try to sign them.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (4 preceding siblings ...)
2020-07-22 0:13 ` ericonr
@ 2020-07-23 13:57 ` sgn
2020-07-23 13:59 ` ericonr
` (7 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-07-23 13:57 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 363 bytes --]
New comment by sgn on void-packages repository
https://github.com/void-linux/void-packages/pull/23688#issuecomment-663022796
Comment:
> Could we add support for the UEFI bundles already? Source `dracut-uefi-hook` and check if they are being built, then try to sign them.
Sure, will do in the weekend. Have we decided stable variable name for that hook, yet?
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (5 preceding siblings ...)
2020-07-23 13:57 ` sgn
@ 2020-07-23 13:59 ` ericonr
2020-07-23 13:59 ` ericonr
` (6 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: ericonr @ 2020-07-23 13:59 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 175 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/pull/23688#issuecomment-663023314
Comment:
I don't think so. It's in #22484.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (6 preceding siblings ...)
2020-07-23 13:59 ` ericonr
@ 2020-07-23 13:59 ` ericonr
2020-08-06 2:03 ` [PR PATCH] [Updated] " sgn
` (5 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: ericonr @ 2020-07-23 13:59 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 283 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/pull/23688#issuecomment-663023698
Comment:
There weren't complaints about the filename, but there were some comments regarding the variables themselves. I think they are solved, though.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PR PATCH] [Updated] sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (7 preceding siblings ...)
2020-07-23 13:59 ` ericonr
@ 2020-08-06 2:03 ` sgn
2020-08-06 2:06 ` sgn
` (4 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-08-06 2:03 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
There is an updated pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 4707 bytes --]
From 5c3284c158220d72d04e246c51aa6546a3ba8c63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..bc3b06f2f73 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel" >/dev/null 2>&1; then
+ return 0
+ fi
+ if ! sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign $_kernel"
+ return 1
+ fi
+ if ! sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ! ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PR PATCH] [Updated] sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (8 preceding siblings ...)
2020-08-06 2:03 ` [PR PATCH] [Updated] " sgn
@ 2020-08-06 2:06 ` sgn
2020-08-06 12:09 ` sgn
` (3 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-08-06 2:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
There is an updated pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 4731 bytes --]
From 4bd83bc0d54826ae314ce42d17e053e144c50bb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..70918527711 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel" >/dev/null 2>&1; then
+ return 0
+ fi
+ if ! usr/bin/sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign $_kernel"
+ return 1
+ fi
+ if ! usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ! ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PR PATCH] [Updated] sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (9 preceding siblings ...)
2020-08-06 2:06 ` sgn
@ 2020-08-06 12:09 ` sgn
2020-08-06 12:13 ` sgn
` (2 subsequent siblings)
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-08-06 12:09 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
There is an updated pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 7125 bytes --]
From 4bd83bc0d54826ae314ce42d17e053e144c50bb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH 1/2] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..70918527711 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel" >/dev/null 2>&1; then
+ return 0
+ fi
+ if ! usr/bin/sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign $_kernel"
+ return 1
+ fi
+ if ! usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ! ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
From eeeaea4d37068c199a822e2b62b6ce67de8e1fdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Thu, 6 Aug 2020 19:06:30 +0700
Subject: [PATCH 2/2] refind: rewrite kernel post-install hook
- refind-install only supports installing into
{/boot,/boot/efi,/efi}/EFI/{BOOT,refind}/refind.conf, there're no point
trying to fiddling with anything else.
- That configuration file should always exist, simplify all logic behind
that decision.
---
srcpkgs/refind/files/kernel.post-install | 44 +++++++++++-------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/srcpkgs/refind/files/kernel.post-install b/srcpkgs/refind/files/kernel.post-install
index 88b261aaacd..d8c5ed5ee78 100755
--- a/srcpkgs/refind/files/kernel.post-install
+++ b/srcpkgs/refind/files/kernel.post-install
@@ -13,41 +13,39 @@ if [ "z$UPDATE_REFIND_CONF" != "z1" ]; then
fi
# Default refind.conf
-: "${REFIND_CONF:=/boot/EFI/refind/refind.conf}"
-
-zrefind_dir="${REFIND_CONF%/*}"
-mkdir -p "$zrefind_dir"
-touch "$REFIND_CONF"
+: "${REFIND_CONF:=boot/EFI/refind/refind.conf}"
+REFIND_CONF=${REFIND_CONF#/}
+[ -n "${REFIND_CONF}" ] || exit 0
+
+# refind-install only supports those two paths
+refind_dir=
+case "$REFIND_CONF" in
+*/EFI/[Bb][Oo][Oo][Tt]/refind.conf)
+ refind_dir="/EFI/BOOT" ;;
+*/EFI/refind/refind.conf)
+ refind_dir="/EFI/refind" ;;
+*)
+ echo >&2 "unsupported \$REFIND_CONF: $REFIND_CONF"
+ exit 1 ;;
+esac
tmpfile=$(mktemp /tmp/refind.XXXXXXX)
-zefi_mountpoint=$(df -P "$REFIND_CONF" | awk 'NR==2{print $6}')
-zicon="${zrefind_dir#$zefi_mountpoint}/icons/os_void.png"
zversion=$(echo "$VERSION" | sed 's/[.]/[.]/g')
-zentry=$(cat <<EOF
+(
+ # Clean itself if this is force reconfigure
+ sed "/^menuentry \"Void Linux $zversion\" [{]\$/,/[}]/d" <"$REFIND_CONF"
+ cat <<EOF
menuentry "Void Linux $VERSION" {
- icon $zicon
+ icon $refind_dir/icons/os_void.png
volume "Void Linux"
loader /vmlinuz-$VERSION
initrd /initramfs-$VERSION.img
options "$OPTIONS"
}
EOF
-)
-
-<"$REFIND_CONF" \
-sed "/^menuentry \"Void Linux $zversion\" [{]\$/,/[}]/d" |
-awk -v "entry=$zentry" '
- /^timeout / {t=1}
- /^menuentry / && !x {print entry; x=1}
- 1
- END {
- if (!x) {print entry}
- if (!t) {print "timeout 20"}
- }
- ' \
->"$tmpfile"
+) >"$tmpfile"
mv "$tmpfile" "$REFIND_CONF"
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PR PATCH] [Updated] sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (10 preceding siblings ...)
2020-08-06 12:09 ` sgn
@ 2020-08-06 12:13 ` sgn
2020-08-06 12:40 ` sgn
2020-08-07 13:05 ` [PR PATCH] [Closed]: " ahesford
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-08-06 12:13 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
There is an updated pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 7125 bytes --]
From 4bd83bc0d54826ae314ce42d17e053e144c50bb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH 1/2] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..70918527711 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel" >/dev/null 2>&1; then
+ return 0
+ fi
+ if ! usr/bin/sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign $_kernel"
+ return 1
+ fi
+ if ! usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ! ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
From 6fac00c4dadc63454ebb09a424478aec703e86d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Thu, 6 Aug 2020 19:06:30 +0700
Subject: [PATCH 2/2] refind: rewrite kernel post-install hook
- refind-install only supports installing into
{/boot,/boot/efi,/efi}/EFI/{BOOT,refind}/refind.conf, there're no point
trying to fiddling with anything else.
- That configuration file should always exist, simplify all logic behind
that decision.
---
srcpkgs/refind/files/kernel.post-install | 44 +++++++++++-------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/srcpkgs/refind/files/kernel.post-install b/srcpkgs/refind/files/kernel.post-install
index 88b261aaacd..68e60414928 100755
--- a/srcpkgs/refind/files/kernel.post-install
+++ b/srcpkgs/refind/files/kernel.post-install
@@ -13,41 +13,39 @@ if [ "z$UPDATE_REFIND_CONF" != "z1" ]; then
fi
# Default refind.conf
-: "${REFIND_CONF:=/boot/EFI/refind/refind.conf}"
-
-zrefind_dir="${REFIND_CONF%/*}"
-mkdir -p "$zrefind_dir"
-touch "$REFIND_CONF"
+: "${REFIND_CONF:=boot/EFI/refind/refind.conf}"
+REFIND_CONF=${REFIND_CONF#/}
+[ -n "${REFIND_CONF}" ] || exit 0
+
+# refind-install only supports those two paths
+refind_dir=
+case "$REFIND_CONF" in
+*/EFI/[Bb][Oo][Oo][Tt]/refind.conf)
+ refind_dir="/EFI/BOOT" ;;
+*/EFI/refind/refind.conf)
+ refind_dir="/EFI/refind" ;;
+*)
+ echo >&2 "unsupported \$REFIND_CONF: $REFIND_CONF"
+ exit 1 ;;
+esac
tmpfile=$(mktemp /tmp/refind.XXXXXXX)
-zefi_mountpoint=$(df -P "$REFIND_CONF" | awk 'NR==2{print $6}')
-zicon="${zrefind_dir#$zefi_mountpoint}/icons/os_void.png"
zversion=$(echo "$VERSION" | sed 's/[.]/[.]/g')
-zentry=$(cat <<EOF
+(
+ cat <<EOF
menuentry "Void Linux $VERSION" {
- icon $zicon
+ icon $refind_dir/icons/os_void.png
volume "Void Linux"
loader /vmlinuz-$VERSION
initrd /initramfs-$VERSION.img
options "$OPTIONS"
}
EOF
-)
-
-<"$REFIND_CONF" \
-sed "/^menuentry \"Void Linux $zversion\" [{]\$/,/[}]/d" |
-awk -v "entry=$zentry" '
- /^timeout / {t=1}
- /^menuentry / && !x {print entry; x=1}
- 1
- END {
- if (!x) {print entry}
- if (!t) {print "timeout 20"}
- }
- ' \
->"$tmpfile"
+ # Clean itself if this is force reconfigure
+ sed "/^menuentry \"Void Linux $zversion\" [{]\$/,/[}]/d" <"$REFIND_CONF"
+) >"$tmpfile"
mv "$tmpfile" "$REFIND_CONF"
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PR PATCH] [Updated] sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (11 preceding siblings ...)
2020-08-06 12:13 ` sgn
@ 2020-08-06 12:40 ` sgn
2020-08-07 13:05 ` [PR PATCH] [Closed]: " ahesford
13 siblings, 0 replies; 15+ messages in thread
From: sgn @ 2020-08-06 12:40 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 746 bytes --]
There is an updated pull request by sgn against master on the void-packages repository
https://github.com/sgn/void-packages sbsigntool-rewrite-hook
https://github.com/void-linux/void-packages/pull/23688
sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
A patch file from https://github.com/void-linux/void-packages/pull/23688.patch is attached
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbsigntool-rewrite-hook-23688.patch --]
[-- Type: text/x-diff, Size: 7537 bytes --]
From 4bd83bc0d54826ae314ce42d17e053e144c50bb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Tue, 21 Jul 2020 00:03:15 +0700
Subject: [PATCH 1/2] sbsigntool: rewrite post-install kernel hook
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
.../files/kernel.d/sbsigntool.post-install | 66 +++++++++++--------
.../files/kernel.d/sbsigntool.post-remove | 13 ++++
srcpkgs/sbsigntool/template | 4 +-
3 files changed, 53 insertions(+), 30 deletions(-)
create mode 100644 srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
index bc450dbc428..70918527711 100644
--- a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-install
@@ -9,7 +9,35 @@ PKGNAME="$1"
VERSION="$2"
msg() {
- echo "EFI sbsign hook: $1"
+ echo "sbsigntool: $1"
+}
+
+do_sign() {
+ _kernel="$1"
+ if [ ! -f "$_kernel" ]; then
+ msg "$_kernel not found"
+ return 1
+ fi
+ # Ignore efi file signed with this key
+ if usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel" >/dev/null 2>&1; then
+ return 0
+ fi
+ if ! usr/bin/sbsign ${EFI_SIGN_ENGINE:+"--engine=$EFI_SIGN_ENGINE"} \
+ -k "$ROOTDIR/$EFI_KEY_FILE" -c "$ROOTDIR/$EFI_CERT_FILE" \
+ "$_kernel"
+ then
+ msg "failed to sign $_kernel"
+ return 1
+ fi
+ if ! usr/bin/sbverify -c "$ROOTDIR/$EFI_CERT_FILE" "$_kernel.signed"; then
+ msg "failed to verify the signature"
+ return 1
+ fi
+
+ if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
+ mv -f "$_kernel" "$_kernel.unsigned"
+ fi
+ mv -f "$_kernel.signed" "$_kernel"
}
. "${ROOTDIR}/etc/default/sbsigntool-kernel-hook"
@@ -17,38 +45,18 @@ if [ "x${SBSIGN_EFI_KERNEL}" != x1 ]; then
exit 0
fi
-if [ ! -f "${EFI_KEY_FILE}" ] || [ ! -f "${EFI_CERT_FILE}" ]; then
+if [ ! -f "$ROOTDIR/$EFI_KEY_FILE" ] || [ ! -f "$ROOTDIR/$EFI_CERT_FILE" ]; then
msg "key and/or certificate is not available"
exit 1
fi
-key_stat=$(stat --dereference --format="%a %u" "${EFI_KEY_FILE}")
-
-# check if go=00 owner=0
-if [ "${key_stat}" = "${key_stat%00 0}" ]; then
- msg "Please chown root:root '${EFI_KEY_FILE}'"
- msg "and chmod go-rwx '${EFI_KEY_FILE}'"
- exit 1
-fi
-
-# this part is completely untested
-options=""
-if [ "x${EFI_SIGN_ENGINE}" != x ]; then
- options="--engine=${EFI_SIGN_ENGINE}"
-fi
-
-if ! sbsign $options -k "${EFI_KEY_FILE}" -c "${EFI_CERT_FILE}" \
- "/boot/vmlinuz-${VERSION}"; then
- msg "failed to sign kernel"
- exit 1
-fi
-
-if ! sbverify -c "${EFI_CERT_FILE}" "/boot/vmlinuz-${VERSION}.signed"; then
- msg "failed to verify the signature"
+# All POSIX comformance ls should work
+if ! ls -Ll "$ROOTDIR/$EFI_KEY_FILE" "$ROOTDIR/$EFI_CERT_FILE" |
+ awk '$1 !~ /^-...------$/ || $3 != "root" { exit 1 }'
+then
+ msg "$EFI_KEY_FILE and $EFI_CERT_FILE must be owned by root."
+ msg "and not readable by other users."
exit 1
fi
-if [ "x${EFI_KEEP_UNSIGNED}" = "x1" ]; then
- mv -f "/boot/vmlinuz-${VERSION}" "/boot/vmlinuz-${VERSION}.unsigned"
-fi
-mv -f "/boot/vmlinuz-${VERSION}.signed" "/boot/vmlinuz-${VERSION}"
+do_sign "boot/vmlinuz-$VERSION"
diff --git a/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
new file mode 100644
index 00000000000..5d3f73602af
--- /dev/null
+++ b/srcpkgs/sbsigntool/files/kernel.d/sbsigntool.post-remove
@@ -0,0 +1,13 @@
+#!/bin/sh
+#
+# Kernel hook for sbsigntool.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+PKGNAME="$1"
+VERSION="$2"
+
+if [ -f "boot/vmlinuz-$VERSION.unsigned" ]; then
+ rm -f "boot/vmlinuz-${VERSION}.unsigned"
+fi
diff --git a/srcpkgs/sbsigntool/template b/srcpkgs/sbsigntool/template
index 6e39cac66d9..6ee86139b27 100644
--- a/srcpkgs/sbsigntool/template
+++ b/srcpkgs/sbsigntool/template
@@ -1,7 +1,7 @@
# Template file for 'sbsigntool'
pkgname=sbsigntool
version=0.9.4
-revision=2
+revision=3
archs="x86_64* i686* aarch64* arm*"
wrksrc=sbsigntools-$version
build_style=gnu-configure
@@ -59,4 +59,6 @@ post_install() {
# and I'm not sure about their interaction
vinstall ${FILESDIR}/kernel.d/sbsigntool.post-install 744 \
etc/kernel.d/post-install 40-sbsigntool
+ vinstall ${FILESDIR}/kernel.d/sbsigntool.post-remove 744 \
+ etc/kernel.d/post-remove 40-sbsigntool
}
From 53bdcc8d3e0f41f29ed5dccaa0496ed1052bd7de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C4=90o=C3=A0n=20Tr=E1=BA=A7n=20C=C3=B4ng=20Danh?=
<congdanhqx@gmail.com>
Date: Thu, 6 Aug 2020 19:06:30 +0700
Subject: [PATCH 2/2] refind: rewrite kernel post-install hook
- refind-install only supports installing into
{/boot,/boot/efi,/efi}/EFI/{BOOT,refind}/refind.conf, there're no point
trying to fiddling with anything else.
- That configuration file should always exist, simplify all logic behind
that decision.
---
srcpkgs/refind/files/kernel.post-install | 44 +++++++++++-------------
srcpkgs/refind/template | 2 +-
2 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/srcpkgs/refind/files/kernel.post-install b/srcpkgs/refind/files/kernel.post-install
index 88b261aaacd..68e60414928 100755
--- a/srcpkgs/refind/files/kernel.post-install
+++ b/srcpkgs/refind/files/kernel.post-install
@@ -13,41 +13,39 @@ if [ "z$UPDATE_REFIND_CONF" != "z1" ]; then
fi
# Default refind.conf
-: "${REFIND_CONF:=/boot/EFI/refind/refind.conf}"
-
-zrefind_dir="${REFIND_CONF%/*}"
-mkdir -p "$zrefind_dir"
-touch "$REFIND_CONF"
+: "${REFIND_CONF:=boot/EFI/refind/refind.conf}"
+REFIND_CONF=${REFIND_CONF#/}
+[ -n "${REFIND_CONF}" ] || exit 0
+
+# refind-install only supports those two paths
+refind_dir=
+case "$REFIND_CONF" in
+*/EFI/[Bb][Oo][Oo][Tt]/refind.conf)
+ refind_dir="/EFI/BOOT" ;;
+*/EFI/refind/refind.conf)
+ refind_dir="/EFI/refind" ;;
+*)
+ echo >&2 "unsupported \$REFIND_CONF: $REFIND_CONF"
+ exit 1 ;;
+esac
tmpfile=$(mktemp /tmp/refind.XXXXXXX)
-zefi_mountpoint=$(df -P "$REFIND_CONF" | awk 'NR==2{print $6}')
-zicon="${zrefind_dir#$zefi_mountpoint}/icons/os_void.png"
zversion=$(echo "$VERSION" | sed 's/[.]/[.]/g')
-zentry=$(cat <<EOF
+(
+ cat <<EOF
menuentry "Void Linux $VERSION" {
- icon $zicon
+ icon $refind_dir/icons/os_void.png
volume "Void Linux"
loader /vmlinuz-$VERSION
initrd /initramfs-$VERSION.img
options "$OPTIONS"
}
EOF
-)
-
-<"$REFIND_CONF" \
-sed "/^menuentry \"Void Linux $zversion\" [{]\$/,/[}]/d" |
-awk -v "entry=$zentry" '
- /^timeout / {t=1}
- /^menuentry / && !x {print entry; x=1}
- 1
- END {
- if (!x) {print entry}
- if (!t) {print "timeout 20"}
- }
- ' \
->"$tmpfile"
+ # Clean itself if this is force reconfigure
+ sed "/^menuentry \"Void Linux $zversion\" [{]\$/,/[}]/d" <"$REFIND_CONF"
+) >"$tmpfile"
mv "$tmpfile" "$REFIND_CONF"
diff --git a/srcpkgs/refind/template b/srcpkgs/refind/template
index 5e9865b9667..d7f8f2fba1c 100644
--- a/srcpkgs/refind/template
+++ b/srcpkgs/refind/template
@@ -1,7 +1,7 @@
# Template file for 'refind'
pkgname=refind
version=0.12.0
-revision=1
+revision=2
archs="x86_64* i686* aarch64*"
makedepends="gnu-efi-libs"
depends="bash dosfstools efibootmgr"
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PR PATCH] [Closed]: sbsigntool: rewrite post-install kernel hook
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
` (12 preceding siblings ...)
2020-08-06 12:40 ` sgn
@ 2020-08-07 13:05 ` ahesford
13 siblings, 0 replies; 15+ messages in thread
From: ahesford @ 2020-08-07 13:05 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 582 bytes --]
There's a closed pull request on the void-packages repository
sbsigntool: rewrite post-install kernel hook
https://github.com/void-linux/void-packages/pull/23688
Description:
* run the hook on target filesystem
* Use ls | awk to check ownership and permission, instead of relying on
GNU-stat.
* libify signing code, in order to support uefi bundle in the future
* Stop append signature to the efi signed by current key/cert.
While we're at it,
* add post-remove script to remove unsigned file if exist
---
@ericonr @ahesford I think you may be interested on this.
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2020-08-07 13:05 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-21 14:21 [PR PATCH] sbsigntool: rewrite post-install kernel hook sgn
2020-07-21 17:56 ` Duncaen
2020-07-21 17:59 ` Duncaen
2020-07-21 23:12 ` sgn
2020-07-21 23:16 ` [PR PATCH] [Updated] " sgn
2020-07-22 0:13 ` ericonr
2020-07-23 13:57 ` sgn
2020-07-23 13:59 ` ericonr
2020-07-23 13:59 ` ericonr
2020-08-06 2:03 ` [PR PATCH] [Updated] " sgn
2020-08-06 2:06 ` sgn
2020-08-06 12:09 ` sgn
2020-08-06 12:13 ` sgn
2020-08-06 12:40 ` sgn
2020-08-07 13:05 ` [PR PATCH] [Closed]: " ahesford
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).