Following this guide and I can't quite figure out how I could use the new kernel downloaded to /usr/lib/modules after a linux update to sign it with my key. The warning above the code block suggests I should look for the new kernel in that directory instead of searching in the boot partition, but how can I make this script use exactly the newly downloaded kernel? Shouldn't there be multiple directories under /usr/lib/modules after a linux pacman update? What should be written in the "Exec" line in my case?
Also, does the bootloader (in the ESP) get updated, or does it remain the same, and thus always signed?
Last edited by xt1zer (2020-02-16 15:06:17)
I think that wiki article is out of date in some parts.
Here's what I do in the pacman hook, saved in a file called '89-secure_book.hook':
[Trigger]
Operation = Install
Operation = Upgrade
Type = File
Target = usr/lib/modules/*/vmlinuz
Target = boot/
[Action]
Description = Signing EFI file(s)
When = PostTransaction
Exec = /path/to/signing_script
Depends = sbsigntools
NeedsTargets
and then the script that signs the files is:
#!/bin/bash
crtpath='/path/to/certificate'
keypath='/path/to/key'
signing_failed=0
# pacman passes hook targets as paths relative to the root it operates on,
# so prefix them with the working directory the hook runs in
if [ "$PWD" != "/" ]; then
    efipathprefix="$PWD/"
else
    efipathprefix="/"
fi
while read -r pacmanHookTarget
do
    efipath="$efipathprefix$pacmanHookTarget"
    # check that it's a regular file, as pacman can sometimes send directories only
    if [ ! -f "$efipath" ]; then
        continue
    fi
    # basic check - skip anything whose first 2 bytes are not the PE 'MZ' magic
    if [ "$(head --bytes 2 "$efipath" 2>/dev/null)" != "MZ" ]; then
        continue
    fi
    # skip files already signed with this certificate
    if sbverify --cert "$crtpath" "$efipath" >/dev/null 2>&1; then
        continue
    fi
    # sign the file in place
    echo "Signing $efipath"
    sbsign --key "$keypath" --cert "$crtpath" --output "$efipath" "$efipath" >/dev/null 2>&1
    # check that the file is now signed correctly
    if ! sbverify --cert "$crtpath" "$efipath" >/dev/null 2>&1; then
        echo "ERROR: failed to sign '$efipath'"
        signing_failed=1
    fi
done
if [ $signing_failed -eq 1 ]; then
    exit 1
fi
exit 0
Note: you will need to change the following in the pacman hook file
Exec = /path/to/signing_script
and the following in the signing script
crtpath='/path/to/certificate'
keypath='/path/to/key'
I think this is cleaner than what's provided in the wiki. Also bear in mind that this signs files triggered by paths, not packages.
Last edited by sinatosk (2020-01-08 16:31:00)
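A stricter version of the "first 2 bytes are MZ" check and of the target filter from the script above, added here as an example and not part of sinatosk's post. It assumes POSIX od/head/printf on a little-endian host, builds its own constructed fake root (with a PE-shaped vmlinuz, a bare directory and two non-PE files), and deliberately leaves out the sbsign/sbverify calls, so it only reports which of the paths pacman would pass on stdin are actually PE images worth signing.

```shell
#!/bin/bash
# Added example, not sinatosk's script: a stricter PE check than "first 2 bytes are MZ",
# plus the filter a NeedsTargets hook runs over the paths pacman passes on stdin.
# Assumes POSIX od/head/printf on a little-endian host; sbsign/sbverify are not called.

# is_pe_file FILE: succeed only if FILE starts with "MZ" and the 32-bit little-endian
# e_lfanew field at offset 0x3c points at the "PE\0\0" signature
is_pe_file() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(head -c 2 "$f" 2>/dev/null)" = "MZ" ] || return 1
    lfanew=$(od -An -t u4 -j 60 -N 4 "$f" 2>/dev/null | tr -d ' ')
    [ -n "$lfanew" ] || return 1
    sig=$(od -An -c -j "$lfanew" -N 4 "$f" 2>/dev/null | tr -d ' ')
    [ "$sig" = 'PE\0\0' ]
}

# select_targets PREFIX: read pacman's targets (paths relative to the root, one per line,
# possibly bare directories such as boot/) and print the ones that are PE images
select_targets() {
    prefix="$1"
    while read -r target; do
        path="$prefix$target"
        if is_pe_file "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# demo_select ROOT: build a constructed fake root and run the filter over a
# constructed target list like the one the hook above would pass on stdin
demo_select() {
    root="$1"
    mkdir -p "$root/usr/lib/modules/0.0-example" "$root/boot"
    # minimal PE-shaped file: "MZ", zero padding to 0x3c, e_lfanew = 0x40, "PE\0\0" at 0x40
    { printf 'MZ'; head -c 58 /dev/zero; printf '\100\000\000\000'; printf 'PE\000\000'
      head -c 16 /dev/zero; } > "$root/usr/lib/modules/0.0-example/vmlinuz"
    printf 'MZ but no PE header\n' > "$root/boot/notpe.bin"   # passes the MZ-only check
    printf 'plain text\n' > "$root/boot/readme.txt"
    printf '%s\n' usr/lib/modules/0.0-example/vmlinuz boot/ boot/notpe.bin boot/readme.txt \
        | select_targets "$root/"
}

demo_select "$(mktemp -d)"   # prints the vmlinuz path only
```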