[PR PATCH] sbctl: update to 0.11, patch, add kernel hook

[PR PATCH] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 519 bytes --]

There is a new pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 2518 bytes --]

From f2718edb646324d8008117571636e4fcb129cfff Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: update to 0.11, patch, add kernel hook

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 12 ++++++++++++
 srcpkgs/sbctl/patches/keyusage.patch     | 12 ++++++++++++
 srcpkgs/sbctl/template                   |  7 ++++---
 3 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..17f839fda13ad
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,12 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+PKGNAME="$1"
+VERSION="$2"
+
+[ -x usr/bin/sbctl ] || exit 0
+
+usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..f1ad253e433ef
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,12 @@
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..1b05eba23bbba 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.11
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
 hostmakedepends="asciidoc"
@@ -10,7 +10,7 @@ maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
 
 do_build() {
 	make
@@ -23,4 +23,5 @@ do_install() {
 
 post_install() {
 	vlicense LICENSE
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
 }

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 187 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1728506486

Comment:
I don't think the hook should run by default.

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 188 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1728506486

Comment:
I don't think the hook should run by default. 

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 239 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1728507073

Comment:
Kernels are not necessarily named `vmlinuz`, it could be `vmlinux` depending on the architecture.

Re: sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 359 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1729869190

Comment:
I could add a check for the existence of vmlinuz.
(Note that efibootmgr also uses vmlinuz, and secure boot is a uefi feature, afaik.)
If one installs sbctl, don't they want to sign new kernels? or what is your concern?

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 441 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1729885218

Comment:
You have to first create keys and enroll, some users might want to sign kernel with sbctl and move/rename them instead of modifying the tracked binary. 

aarch64 supports efi and the kernel binaries are uncompressed and named `vmlinux`, the `efibootmgr` hook is not very good for multiple reasons.

Re: [PR PATCH] [Updated] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3240 bytes --]

From b81df64b0787d0d074ed0cf77c5856dafd4d809e Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: update to 0.11, patch, add kernel hook

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 19 +++++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 12 ++++++++++++
 srcpkgs/sbctl/template                   |  8 +++++---
 4 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..7748f08161a16
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,19 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+if [ "${SIGN_KERNEL}" = 0 ]; then
+	exit 0
+fi
+if [ "${SIGN_KERNEL}" = 1 ] && [ -e "boot/vmlinuz-${VERSION}" ]; then
+	usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+fi
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..32c71d84c1a5b
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+SIGN_KERNEL=0
+# To let sbctl sign new kernel images, set it to 1
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..f1ad253e433ef
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,12 @@
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..5fdc4210ffe3b 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.11
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
 hostmakedepends="asciidoc"
@@ -10,7 +10,7 @@ maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
 
 do_build() {
 	make
@@ -23,4 +23,6 @@ do_install() {
 
 post_install() {
 	vlicense LICENSE
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 214 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730070490

Comment:
how about now? it's disabled by default, and it checks existence of vmlinuz

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 432 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730076889

Comment:
We generally don't test for values of those environment variables and instead check if they are set or not, that makes the code easier and avoids having to define what yes/no/true/false/0/1 is the correct choice.

Not sure why you would only sign `vmlinuz` kernels and ignore `vmlinux`.

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 389 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730085677

Comment:
    [ -z "$SBCTL_SIGN_KERNEL" ] && exit 0
    [ -e "vmlinuz-${VERSION}" ] && sign "boot/vmlinuz-${VERSION}}"
    [ -e "vmlinux-${VERSION}" ] && sign "boot/vmlinuz-${VERSION}}"
    
/etc/default/sbctl-kernel-hook:

    # SBCTL_SIGN_KERNEL=yes

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 387 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730085677

Comment:
    [ -z "$SBCTL_SIGN_KERNEL" ] && exit 0
    [ -e "vmlinuz-${VERSION}" ] && sign "boot/vmlinuz-${VERSION}"
    [ -e "vmlinux-${VERSION}" ] && sign "boot/vmlinux-${VERSION}"
    
/etc/default/sbctl-kernel-hook:

    # SBCTL_SIGN_KERNEL=yes

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 397 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730085677

Comment:
    [ -z "$SBCTL_SIGN_KERNEL" ] && exit 0
    [ -e "boot/vmlinuz-${VERSION}" ] && sign "boot/vmlinuz-${VERSION}"
    [ -e "boot/vmlinux-${VERSION}" ] && sign "boot/vmlinux-${VERSION}"
    
/etc/default/sbctl-kernel-hook:

    # SBCTL_SIGN_KERNEL=yes

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 396 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730085677

Comment:
    [ -z "$SBCTL_SIGN_KERNEL" ] && exit 0
    [ -e "boot/vmlinuz-${VERSION}" ] && sign "boot/vmlinuz-${VERSION}"
    [ -e "boot/vmlinux-${VERSION}" ] && sign "boot/vmlinux-${VERSION}"
    
/etc/default/sbctl-kernel-hook:

    # SBCTL_SIGN_KERNEL=no

Re: sbctl: update to 0.11, patch, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 546 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730085677

Comment:
    [ -z "$SBCTL_SIGN_KERNEL" ] && exit 0
    [ -e "boot/vmlinuz-${VERSION}" ] && sign "boot/vmlinuz-${VERSION}"
    [ -e "boot/vmlinux-${VERSION}" ] && sign "boot/vmlinux-${VERSION}"
    
/etc/default/sbctl-kernel-hook:

    # SBCTL_SIGN_KERNEL=yes

I guess the set vs yes/no/1/0 is arguable, seems like other hooks tend to check for 1/0, other things like xbps-src and such use the -n/-z style.

Re: [PR PATCH] [Updated] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3290 bytes --]

From 81e3609a8153d0f1711ae0986d7513e0e7a4a467 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: update to 0.11, patch, add kernel hook

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 12 ++++++++++++
 srcpkgs/sbctl/template                   |  8 +++++---
 4 files changed, 37 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..f1ad253e433ef
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,12 @@
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..5fdc4210ffe3b 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.11
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
 hostmakedepends="asciidoc"
@@ -10,7 +10,7 @@ maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
 
 do_build() {
 	make
@@ -23,4 +23,6 @@ do_install() {
 
 post_install() {
 	vlicense LICENSE
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 152 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1730230285

Comment:
Done, thanks.

Re: [PR REVIEW] sbctl: update to 0.11, patch, add kernel hook

[classabbyamp]

[-- Attachment #1: Type: text/plain, Size: 200 bytes --]

New review comment by classabbyamp on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#discussion_r1335002466

Comment:
please add a note or link explaining this patch

Re: [PR PATCH] [Updated] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3461 bytes --]

From 3e35956e17693349659d4ae3646e97c2b92c55b6 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: update to 0.11, patch, add kernel hook

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 17 +++++++++++++++++
 srcpkgs/sbctl/template                   |  8 +++++---
 4 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..cf2d33ef91205
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,17 @@
+omit the keyUsage bitfield, so that the certificate is accepted by the
+firmware of certain thinkpad laptops
+
+fixes https://github.com/Foxboron/sbctl/issues/102
+
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..5fdc4210ffe3b 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.11
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
 hostmakedepends="asciidoc"
@@ -10,7 +10,7 @@ maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
 
 do_build() {
 	make
@@ -23,4 +23,6 @@ do_install() {
 
 post_install() {
 	vlicense LICENSE
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: [PR REVIEW] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 150 bytes --]

New review comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#discussion_r1335024611

Comment:
Done.

Re: [PR PATCH] [Updated] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 4321 bytes --]

From 94a539680962cecde6f0f9ab75d9c473877ab252 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: update to 0.11, patch, add kernel hooks

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm   | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 17 +++++++++++++++++
 srcpkgs/sbctl/template                   |  9 ++++++---
 5 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..cf2d33ef91205
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,17 @@
+omit the keyUsage bitfield, so that the certificate is accepted by the
+firmware of certain thinkpad laptops
+
+fixes https://github.com/Foxboron/sbctl/issues/102
+
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..ce09dbede1835 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.11
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
 hostmakedepends="asciidoc"
@@ -10,7 +10,7 @@ maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
 
 do_build() {
 	make
@@ -23,4 +23,7 @@ do_install() {
 
 post_install() {
 	vlicense LICENSE
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 173 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1732408279

Comment:
added a post-removal hook as well.

Re: sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 158 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1758304136

Comment:
can this be merged?

Re: [PR PATCH] [Updated] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 6506 bytes --]

From 8dc6327910cab4ffb7d516cabb680e51951e391b Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH 1/2] sbctl: update to 0.11, patch, add kernel hooks

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm   | 17 +++++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 17 +++++++++++++++++
 srcpkgs/sbctl/template                   |  9 ++++++---
 5 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..cf2d33ef91205
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,17 @@
+omit the keyUsage bitfield, so that the certificate is accepted by the
+firmware of certain thinkpad laptops
+
+fixes https://github.com/Foxboron/sbctl/issues/102
+
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..ce09dbede1835 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,7 +1,7 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.11
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
 hostmakedepends="asciidoc"
@@ -10,7 +10,7 @@ maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
 
 do_build() {
 	make
@@ -23,4 +23,7 @@ do_install() {
 
 post_install() {
 	vlicense LICENSE
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

From 86f9c0d61218763cf61b8329d70e61e339cf4213 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Thu, 26 Oct 2023 18:06:12 -0400
Subject: [PATCH 2/2] sbctl: update to 0.12

---
 srcpkgs/sbctl/template | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index ce09dbede1835..1afb25512e35c 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,28 +1,43 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.11
+version=0.12
 revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=9709c912ac38cac6afbf024588ca1b341c1a9b5a29c4c575d2863fe2ad5aed75
+checksum=38f97a4e47e9ff4e175f444833c6877a26b6d78308916e704edee0f06b3057eb
 
 do_build() {
-	make
+	# want -buildmode=pie -trimpath
+	go install -p "$XBPS_MAKEJOBS" -mod="${go_mod_mode}" -modcacherw -buildmode=pie -trimpath -v -tags "${go_build_tags}" -ldflags "${go_ldflags}" ${go_package}
 }
 
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+post_build() {
+	make man
+	# builds it again, to generate the completions
+	make completions
+}
+
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	vcompletion contrib/completions/bash-completion/completions/sbctl bash
+	vcompletion contrib/completions/zsh/site-functions/_sbctl zsh
+	vcompletion contrib/completions/fish/vendor_completions.d/sbctl.fish fish
+
+	vinstall contrib/kernel-install/91-sbctl.install 755 usr/lib/kernel/install.d/91-sbctl.install
+
+	vman docs/sbctl.8
 	vlicense LICENSE
+
 	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
 	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
 	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook

Re: sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 206 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1781963009

Comment:
update to 0.12, enable pie (is there a smarter way?), enable checks

Re: [PR PATCH] [Updated] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 4928 bytes --]

From 57d9eff2997944e221eb40ab1b55e30271a75de2 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, patch, add kernel hooks, update to 0.12

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 ++++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm   | 17 ++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 17 ++++++++++++++
 srcpkgs/sbctl/template                   | 30 +++++++++++++++++-------
 5 files changed, 76 insertions(+), 8 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..cf2d33ef91205
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,17 @@
+omit the keyUsage bitfield, so that the certificate is accepted by the
+firmware of certain thinkpad laptops
+
+fixes https://github.com/Foxboron/sbctl/issues/102
+
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..7568cc6d0f2c9 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,40 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.12
+revision=1
 build_style=go
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=38f97a4e47e9ff4e175f444833c6877a26b6d78308916e704edee0f06b3057eb
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
+post_build() {
+	make man
+	for _comp in bash zsh fish; do
+		./_build-sbctl-xbps/bin/sbctl completion ${_comp} > sbctl.${_comp}
+	done
 }
 
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	vcompletion sbctl.bash bash
+	vcompletion sbctl.zsh zsh
+	vcompletion sbctl.fish fish
+	vinstall contrib/kernel-install/91-sbctl.install 755 usr/lib/kernel/install.d/91-sbctl.install
+
+	vman docs/sbctl.8
 	vlicense LICENSE
+
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: [PR PATCH] [Updated] sbctl: update to 0.11, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.11, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 4907 bytes --]

From bdde2d4273faa868d42e18df302de25a6533fe76 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, patch, add kernel hooks, update to 0.12

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm   | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 17 +++++++++++++
 srcpkgs/sbctl/template                   | 32 ++++++++++++++++--------
 5 files changed, 76 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..cf2d33ef91205
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,17 @@
+omit the keyUsage bitfield, so that the certificate is accepted by the
+firmware of certain thinkpad laptops
+
+fixes https://github.com/Foxboron/sbctl/issues/102
+
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..312a105b3d203 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,38 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.12
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=38f97a4e47e9ff4e175f444833c6877a26b6d78308916e704edee0f06b3057eb
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall contrib/kernel-install/91-sbctl.install 755 usr/lib/kernel/install.d/91-sbctl.install
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
+
 	vlicense LICENSE
 }

Re: sbctl: update to 0.12, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 180 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1781963009

Comment:
update to 0.12, enable pie, enable checks

Re: sbctl: update to 0.12, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 158 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1783465154

Comment:
ready to merge, imo

Re: sbctl: update to 0.12, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 163 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1790890432

Comment:
patch is merged upstream

Re: [PR PATCH] [Updated] sbctl: update to 0.12, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.12, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 4907 bytes --]

From 59e8f7579c7d8f74e49534a63919636ff890fcf2 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, patch, add kernel hooks, update to 0.12

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm   | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/patches/keyusage.patch     | 17 +++++++++++++
 srcpkgs/sbctl/template                   | 32 ++++++++++++++++--------
 5 files changed, 76 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd
 create mode 100644 srcpkgs/sbctl/patches/keyusage.patch

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/patches/keyusage.patch b/srcpkgs/sbctl/patches/keyusage.patch
new file mode 100644
index 0000000000000..cf2d33ef91205
--- /dev/null
+++ b/srcpkgs/sbctl/patches/keyusage.patch
@@ -0,0 +1,17 @@
+omit the keyUsage bitfield, so that the certificate is accepted by the
+firmware of certain thinkpad laptops
+
+fixes https://github.com/Foxboron/sbctl/issues/102
+
+diff --git a/keys.go b/keys.go
+index ffc7858..61c2db6 100644
+--- a/keys.go
++++ b/keys.go
+@@ -58,7 +58,6 @@
+ 		SignatureAlgorithm: x509.SHA256WithRSA,
+ 		NotBefore:          time.Now(),
+ 		NotAfter:           time.Now().AddDate(5, 0, 0),
+-		KeyUsage:           x509.KeyUsageDigitalSignature,
+ 		Subject: pkix.Name{
+ 			Country:    []string{name},
+ 			CommonName: name,
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..312a105b3d203 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,38 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.12
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=38f97a4e47e9ff4e175f444833c6877a26b6d78308916e704edee0f06b3057eb
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall contrib/kernel-install/91-sbctl.install 755 usr/lib/kernel/install.d/91-sbctl.install
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
+
 	vlicense LICENSE
 }

Re: [PR PATCH] [Updated] sbctl: update to 0.12, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 524 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update to 0.12, patch, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 4017 bytes --]

From dd2de78ff1557fe3881bcc4242d27b15f2f4e4bc Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, add kernel hooks, update to 0.13

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm   | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/template                   | 32 ++++++++++++++++--------
 4 files changed, 59 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..fc40fd8997300 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,38 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall contrib/kernel-install/91-sbctl.install 755 usr/lib/kernel/install.d/91-sbctl.install
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
+
 	vlicense LICENSE
 }

Re: sbctl: update to 0.12, patch, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 180 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1870543197

Comment:
updated to 0.13, which includes my patch.

Re: [PR PATCH] [Updated] sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 4017 bytes --]

From 264cd4fc2901a592fc7a3afa6adcedca96e1da16 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, add kernel hooks, update to 0.13

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook-postrm   | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/template                   | 32 ++++++++++++++++--------
 4 files changed, 59 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postrm
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook-postrm b/srcpkgs/sbctl/files/kernel-hook-postrm
new file mode 100644
index 0000000000000..2fe43327ef72f
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postrm
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-remove hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl rm boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..fc40fd8997300 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,38 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall contrib/kernel-install/91-sbctl.install 755 usr/lib/kernel/install.d/91-sbctl.install
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook-postrm 744 etc/kernel.d/post-remove 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
+
 	vlicense LICENSE
 }

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 207 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1894153232

Comment:
should i just drop the kernel hooks for now, and just do the update?

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1894637024

Comment:
- remove the postrm hook, which does not work
- we currently install (and also in my prior pr) /usr/lib/kernel/install.d/91-sbctl.install, but this is arch/systemd specific, so remove it

Re: [PR PATCH] [Updated] sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3070 bytes --]

From 95c81597554f61c0afb26547e1defcc122db8090 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, add kernel hook, update to 0.13

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 ++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/template                   | 29 ++++++++++++++++--------
 3 files changed, 39 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 00000000000000..c49ece0d0bedb7
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 00000000000000..59a52c91c7de20
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d7..a1b150380215e2 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,35 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
 	vlicense LICENSE
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: [PR PATCH] [Updated] sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3162 bytes --]

From e03b850cc90dc45d6bfa46a745bb5a401aeae3bd Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, add kernel hook, update to 0.13, don't
 write  keys at /usr/share

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 ++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/template                   | 30 ++++++++++++++++--------
 3 files changed, 40 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..484cb0fd23dd0 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,36 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
+go_ldflags="-X ${go_import_path}.DatabasePath=/etc/secureboot"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
 	vlicense LICENSE
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 261 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1910864674

Comment:
i realised the program by default writes key material to /usr/share.
make it use /etc/secureboot instead, via a go_ldlfag

Re: [PR PATCH] [Updated] sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3241 bytes --]

From 38d745b89f772a48065c0f50bfcca96615a6b9d7 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, add kernel hook, update to 0.13, change
 key loc

by default keys are at /usr/share/secureboot,
put them at /etc/secureboot instead via go_ldflag
---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 ++++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/template                   | 30 ++++++++++++++++--------
 3 files changed, 40 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..484cb0fd23dd0 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,36 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
+go_ldflags="-X ${go_import_path}.DatabasePath=/etc/secureboot"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
 	vlicense LICENSE
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 254 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1910878553

Comment:
@Duncaen , anyone: this has sevaral improvements, has been running fine for some time. any chance it can be merged?

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 254 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1910878553

Comment:
@Duncaen , anyone: this has several improvements, has been running fine for some time. any chance it can be merged?

Re: sbctl: update, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 327 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1920261433

Comment:
> make it use /etc/secureboot instead, via a go_ldlfag

Sucks that its in `/usr/share`, but breaking already existing installs and diverting from the documentation doesn't seem right.

Re: sbctl: update, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 399 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1920261433

Comment:
> i realised the program by default writes key material to /usr/share.
> make it use /etc/secureboot instead, via a go_ldlfag

Sucks that its in `/usr/share`, but breaking already existing installs and diverting from the documentation doesn't seem right.

Re: sbctl: update, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 462 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1920261433

Comment:
> i realised the program by default writes key material to /usr/share.
> make it use /etc/secureboot instead, via a go_ldlfag

Sucks that its in `/usr/share`, but breaking already existing installs and diverting from the documentation doesn't seem right.

Upstream issue https://github.com/Foxboron/sbctl/issues/57.

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 834 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1921669635

Comment:
i see your point, and i saw the issue (been there for years).
the help function in the sbctl program gets built correctly though, see e.g.
```
$ sbctl help create-keys
Create a set of secure boot signing keys

Usage:
  sbctl create-keys [flags]

Flags:
  -d, --database-path string   location to create GUID file. defaults to /etc/secureboot (default "/etc/secureboot")
  -e, --export string          export file path. defaults to /etc/secureboot/keys (default "/etc/secureboot/keys")
  -h, --help                   help for create-keys
```
i got this idea from nix pkgs.
would an install/update message be enough to warn the user?
otherwise i'll just remove this change for now.

Re: sbctl: update, add kernel hook

[Duncaen]

[-- Attachment #1: Type: text/plain, Size: 540 bytes --]

New comment by Duncaen on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1921840760

Comment:
I would probably prefer to not change it now that it has been like this in the repos for 3 years and we don't know what upstream is going to do.

There are 3 scenarios:
- Upstream changes it to what we "patched" in, everythink good.
- Upstream changes it to something else, users have to manually change again.
- Upstream changes it and adds a fallback mechanism, we don't have to do anything.

Re: [PR PATCH] [Updated] sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3164 bytes --]

From 17b7d3d9f9902efb8ce79db3ef8ee1b327b68186 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, add kernel hook, update to 0.13

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/template                   | 31 ++++++++++++++++--------
 3 files changed, 41 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..303e0ddd92001 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,37 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
+# sbctl writes keys in /usr/share
+# go_ldflags="-X ${go_import_path}.DatabasePath=/etc/secureboot"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
 	vlicense LICENSE
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: [PR PATCH] [Updated] sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 3180 bytes --]

From 72bfb415fd761bf75c514625af533b7233663c41 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, add kernel hook, update to 0.13

---
 srcpkgs/sbctl/files/kernel-hook-postinst | 17 +++++++++++++
 srcpkgs/sbctl/files/kernel-hook.confd    |  3 +++
 srcpkgs/sbctl/template                   | 31 ++++++++++++++++--------
 3 files changed, 41 insertions(+), 10 deletions(-)
 create mode 100644 srcpkgs/sbctl/files/kernel-hook-postinst
 create mode 100644 srcpkgs/sbctl/files/kernel-hook.confd

diff --git a/srcpkgs/sbctl/files/kernel-hook-postinst b/srcpkgs/sbctl/files/kernel-hook-postinst
new file mode 100644
index 0000000000000..c49ece0d0bedb
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook-postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Kernel post-install hook for sbctl.
+#
+# Arguments passed to this script: $1 pkgname, $2 version.
+#
+
+[ -x usr/bin/sbctl ] || exit 0
+
+PKGNAME="$1"
+VERSION="$2"
+
+. "${ROOTDIR}/etc/default/sbctl-kernel-hook"
+
+[ -z "${SBCTL_SIGN_KERNEL}" ] && exit 0
+[ -e "boot/vmlinuz-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinuz-${VERSION}
+[ -e "boot/vmlinux-${VERSION}" ] && usr/bin/sbctl sign -s boot/vmlinux-${VERSION}
diff --git a/srcpkgs/sbctl/files/kernel-hook.confd b/srcpkgs/sbctl/files/kernel-hook.confd
new file mode 100644
index 0000000000000..59a52c91c7de2
--- /dev/null
+++ b/srcpkgs/sbctl/files/kernel-hook.confd
@@ -0,0 +1,3 @@
+# Options for the kernel hook script installed by the sbctl package.
+# SBCTL_SIGN_KERNEL=yes
+# To let sbctl sign new kernel images, set it to 'yes'
diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d..7fc4ec7aef086 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,37 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
+# see https://github.com/Foxboron/sbctl/issues/57
+# go_ldflags="-X ${go_import_path}.DatabasePath=/etc/secureboot"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
 	vlicense LICENSE
+
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
+
+	vinstall ${FILESDIR}/kernel-hook-postinst 744 etc/kernel.d/post-install 40-sbctl
+	vinstall ${FILESDIR}/kernel-hook.confd 644 etc/default sbctl-kernel-hook
 }

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 202 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-1924822134

Comment:
Done. I commented out the option and left a comment for future.

Re: [PR PATCH] [Updated] sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 509 bytes --]

There is an updated pull request by dkwo against master on the void-packages repository

https://github.com/dkwo/void-packages sbctl
https://github.com/void-linux/void-packages/pull/46165

sbctl: update, add kernel hook
- I tested the changes in this PR: yes
- I built this PR locally for my native architecture, (x86_64-glibc)

the patch fixes https://github.com/Foxboron/sbctl/issues/102
cc maintainer @ericonr 

A patch file from https://github.com/void-linux/void-packages/pull/46165.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-sbctl-46165.patch --]
[-- Type: text/x-diff, Size: 1713 bytes --]

From d1223bca255c7f62056045672991cca956bd80a3 Mon Sep 17 00:00:00 2001
From: dkwo <nicolopiazzalunga@gmail.com>
Date: Sun, 17 Sep 2023 09:43:11 -0400
Subject: [PATCH] sbctl: run checks, update to 0.13

---
 srcpkgs/sbctl/template | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/srcpkgs/sbctl/template b/srcpkgs/sbctl/template
index 5d181cd62da0d7..ca0dc3edf6da2f 100644
--- a/srcpkgs/sbctl/template
+++ b/srcpkgs/sbctl/template
@@ -1,26 +1,33 @@
 # Template file for 'sbctl'
 pkgname=sbctl
-version=0.10
-revision=3
+version=0.13
+revision=1
 build_style=go
+build_helper=qemu
 go_import_path="github.com/foxboron/sbctl"
+go_package="${go_import_path}/cmd/sbctl"
+# see https://github.com/Foxboron/sbctl/issues/57
+# go_ldflags="-X ${go_import_path}.DatabasePath=/etc/secureboot"
 hostmakedepends="asciidoc"
 short_desc="Secure Boot key manager"
 maintainer="Érico Nogueira <ericonr@disroot.org>"
 license="MIT"
 homepage="https://github.com/Foxboron/sbctl"
 distfiles="https://github.com/Foxboron/sbctl/archive/${version}.tar.gz"
-checksum=22c394e1ae3f80eafe85e331ca4499d2df28bebcc4421c0af89241b897a17774
+checksum=3d5b396985eabea4960377dbf81dbd891db473af20284edc7db1b4e891368c02
+export GOFLAGS="-buildmode=pie"
 
-do_build() {
-	make
-}
-
-do_install() {
-	make install PREFIX=/usr DESTDIR=$DESTDIR
-	# TODO: install completions, sbctl tries to run lsblk when generating them
+do_check() {
+	go test -v ./...
 }
 
 post_install() {
+	make man
+	vman docs/sbctl.8
 	vlicense LICENSE
+	SBCTL="${DESTDIR}/usr/bin/sbctl"
+	for shell in bash fish zsh; do
+		vtargetrun ${SBCTL} completion ${shell} > sbctl.${shell}
+		vcompletion sbctl.${shell} ${shell}
+	done
 }

Re: sbctl: update, add kernel hook

[dkwo]

[-- Attachment #1: Type: text/plain, Size: 342 bytes --]

New comment by dkwo on void-packages repository

https://github.com/void-linux/void-packages/pull/46165#issuecomment-2062111322

Comment:
I removed the kernel hook, as I prefer to sign the unified kernel image. Also simpler in view of moving kerneks out of /boot.
This is now just an update, which i've been using for months with no issues.