commit: 6eadcb62ab76f54a84f6a2bb41a8f4550c02938e Author: John Helmert III <ajak <AT> gentoo <DOT> org> AuthorDate: Sat Feb 10 19:49:50 2024 +0000 Commit: John Helmert III <ajak <AT> gentoo <DOT> org> CommitDate: Sat Feb 10 19:51:51 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6eadcb62
app-crypt/sbctl: patch to avoid install hook failure with no keys This patch gives us a nicer message rather than a hard failure when configuring a kernel with `installkernel[systemd]`: sbctl: Signing kernel /boot/3389a12916b765a75a36a1cf65c7ab53/6.6.13-gentoo-dist/linux Secureboot key directory doesn't exist, not signing! Bug: https://bugs.gentoo.org/922618 Signed-off-by: John Helmert III <ajak <AT> gentoo.org> .../files/sbctl-0.13-no-installkernel-error.patch | 27 +++++++++++++++ app-crypt/sbctl/sbctl-0.13-r1.ebuild | 40 ++++++++++++++++++++++ 2 files changed, 67 insertions(+)
diff --git a/app-crypt/sbctl/files/sbctl-0.13-no-installkernel-error.patch b/app-crypt/sbctl/files/sbctl-0.13-no-installkernel-error.patch
new file mode 100644
index 000000000000..18e28eb39b1d
--- /dev/null
+++ b/app-crypt/sbctl/files/sbctl-0.13-no-installkernel-error.patch
@@ -0,0 +1,27 @@
+From: https://github.com/Foxboron/sbctl/pull/188
+From: John Helmert III <a...@gentoo.org>
+Date: Sat, 10 Feb 2024 11:46:01 -0800
+Subject: [PATCH] 91-sbctl.install: don't sign without signing keys
+
+It's expected that signing doesn't work without having previously
+generated keys, so don't try to sign when keys don't exist.
+
+Closes: https://github.com/Foxboron/sbctl/issues/187
+Signed-off-by: John Helmert III <a...@gentoo.org>
+--- a/contrib/kernel-install/91-sbctl.install
++++ b/contrib/kernel-install/91-sbctl.install
+@@ -28,6 +28,14 @@ fi
+ case "$COMMAND" in
+ add)
+ printf 'sbctl: Signing kernel %s\n' "$IMAGE_FILE"
++
++ # exit without error if keys don't exist
++ # https://github.com/Foxboron/sbctl/issues/187
++ if ! test -d /usr/share/secureboot/keys; then
++ echo "Secureboot key directory doesn't exist, not signing!"
++ exit 0
++ fi
++
+ sbctl sign -s "$IMAGE_FILE" 1>/dev/null
+ ;;
+ remove)
diff --git a/app-crypt/sbctl/sbctl-0.13-r1.ebuild b/app-crypt/sbctl/sbctl-0.13-r1.ebuild
new file mode 100644
index 000000000000..4410439fe955
--- /dev/null
+++ b/app-crypt/sbctl/sbctl-0.13-r1.ebuild
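Review bot: The new guard in the `add)` branch of 91-sbctl.install skips signing quietly: it prints its message to stdout and exits 0, so the install hook reports success while the kernel image is left unsigned. On a machine that enforces Secure Boot that image would presumably be refused at the next boot, so the message should go to stderr with the same prefix as the `printf` above, e.g. `echo "sbctl: Secureboot key directory doesn't exist, not signing!" >&2`. The `test -d /usr/share/secureboot/keys` check also only proves that the directory exists; if it is present but holds no usable signing key, `sbctl sign` is still reached and presumably still fails the hook, so the comment should say the guard covers only the case where keys were never generated. The `case` statement starts before and continues past the lines visible in the patch.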
@@ -0,0 +1,40 @@
+# Copyright 2022-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit go-module optfeature verify-sig
+
+DESCRIPTION="Secure Boot key manager"
+HOMEPAGE="https://github.com/Foxboron/sbctl"
+SRC_URI="https://github.com/Foxboron/${PN}/releases/download/${PV}/${P}.tar.gz
+ verify-sig? ( https://github.com/Foxboron/${PN}/releases/download/${PV}/${P}.tar.gz.sig )"
+SRC_URI+=" https://dev.gentoo.org/~ajak/distfiles/${CATEGORY}/${PN}/${P}-deps.tar.xz"
+
+LICENSE="Apache-2.0 BSD BSD-2 MIT"
+SLOT="0"
+KEYWORDS="~amd64"
+
+BDEPEND="app-text/asciidoc
+ verify-sig? ( sec-keys/openpgp-keys-foxboron )"
+
+PATCHES=( "${FILESDIR}/${PN}-0.13-no-installkernel-error.patch" )
+
+VERIFY_SIG_OPENPGP_KEY_PATH="/usr/share/openpgp-keys/foxboron.asc"
+
+src_unpack() {
+ if use verify-sig; then
+ verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.sig}
+ fi
+
+ default
+}
+
+src_install() {
+ emake PREFIX="${ED}/usr" install
+}
+
+pkg_postinst() {
+ optfeature "automatically signing installed kernels with sbctl keys on each kernel installation" \
+ "sys-kernel/installkernel[systemd]"
+}
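Review bot: Signature verification in `src_unpack` covers only `${P}.tar.gz`; the `${P}-deps.tar.xz` added by the `SRC_URI+=` line has no `.sig` entry and is never passed to `verify-sig_verify_detached`, so its integrity presumably rests on the Manifest checksums alone. That split is not visible to a reader who sees `verify-sig` inherited and assumes every source is checked. A comment above the `SRC_URI+=` line would make the boundary explicit, for example `# ${P}-deps.tar.xz is not covered by verify-sig; only the upstream tarball is signed`.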