From bbca6283c46f2f007082f90491817c8588311185 Mon Sep 17 00:00:00 2001
From: Pornpipat Popum
Date: Fri, 7 Nov 2025 02:20:12 +0700
Subject: [PATCH] Attempt to fix sbctl again (#7154)

* Attempt to fix sbctl
* debug: enable xtrace in verbosity
* bump package release
* Also add removal script
---
 anda/tools/sbctl/91-sbctl-rm | 41 ++++++++++++++++++++++++++++++++++
 anda/tools/sbctl/91-sbctl-sign | 40 +++++++++++++++++++++++++++++++++
 anda/tools/sbctl/sbctl.spec | 19 +++++++++-------
 3 files changed, 92 insertions(+), 8 deletions(-)
 create mode 100644 anda/tools/sbctl/91-sbctl-rm
 create mode 100755 anda/tools/sbctl/91-sbctl-sign

diff --git a/anda/tools/sbctl/91-sbctl-rm b/anda/tools/sbctl/91-sbctl-rm
new file mode 100644
index 0000000000..247852a75a
--- /dev/null
+++ b/anda/tools/sbctl/91-sbctl-rm
@@ -0,0 +1,41 @@
+#!/usr/bin/sh
+# This file is part of sbctl.
+# Patched for Fedora, for the Terra repository
+
+#shellcheck disable=SC2034
+# Enable xtrace if we're verbose
+if [ "${KERNEL_INSTALL_VERBOSE:-0}" = "1" ]; then
+ set -x
+fi
+
+ver=${1}
+img=${2}
+
+
+die() {
+ echo -e " ${NOCOLOR-\e[1;31m*\e[0m }${*}" >&2
+ exit 1
+}
+
+einfo() {
+ echo -e " ${NOCOLOR-\e[1;32m*\e[0m }${*}"
+}
+
+main() {
+ # re-define for subst to work
+ [[ -n ${NOCOLOR+yes} ]] && NOCOLOR=
+ einfo "Unregistering kernel file from sbctl"
+ # do nothing if secureboot key directory doesn't exist
+ if ! [ "$(sbctl setup --print-state --json | awk '/installed/ { gsub(/,$/,"",$2); print $2 }')" = "true" ]; then
+ einfo "Secureboot key directory doesn't exist, not signing!"
+ exit 0
+ fi
+
+ [[ ${EUID} -eq 0 ]] || die "Please run this script as root"
+
+ einfo "sbctl: Unregistering kernel $img"
+ sbctl remove-file $img
+}
+
+main
+
diff --git a/anda/tools/sbctl/91-sbctl-sign b/anda/tools/sbctl/91-sbctl-sign
new file mode 100755
index 0000000000..35bb741ac3
--- /dev/null
+++ b/anda/tools/sbctl/91-sbctl-sign
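Review bot: `sbctl remove-file $img` at the end of main() passes the image path unquoted, so an argument from kernel-install containing whitespace or glob characters is word-split before sbctl sees it; write `sbctl remove-file "$img"`. The skip message in the same function was copied from the signing hook and says "not signing!" although this script unregisters a file; `einfo "Secureboot key directory doesn't exist, nothing to unregister"` describes what actually happens. The script also relies on bash-only `[[`, `${EUID}` and `echo -e` under `#!/usr/bin/sh`, which works where sh is bash (Fedora) but under dash `echo -e` prints a literal `-e` and `EUID` is unset; `#!/usr/bin/bash` would make the dependency explicit, or use `[ "$(id -u)" -eq 0 ]` and `printf` if POSIX sh is intended.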
@@ -0,0 +1,40 @@
+#!/usr/bin/sh
+# This file is part of sbctl.
+# Patched for Fedora, for the Terra repository
+
+#shellcheck disable=SC2034
+# Enable xtrace if we're verbose
+if [ "${KERNEL_INSTALL_VERBOSE:-0}" = "1" ]; then
+ set -x
+fi
+
+ver=${1}
+img=${2}
+
+die() {
+ echo -e " ${NOCOLOR-\e[1;31m*\e[0m }${*}" >&2
+ exit 1
+}
+
+einfo() {
+ echo -e " ${NOCOLOR-\e[1;32m*\e[0m }${*}"
+}
+
+main() {
+ # re-define for subst to work
+ [[ -n ${NOCOLOR+yes} ]] && NOCOLOR=
+ einfo "Running kernel install script"
+ # do nothing if secureboot key directory doesn't exist
+ if ! [ "$(sbctl setup --print-state --json | awk '/installed/ { gsub(/,$/,"",$2); print $2 }')" = "true" ]; then
+ einfo "Secureboot key directory doesn't exist, not signing!"
+ exit 0
+ fi
+
+ [[ ${EUID} -eq 0 ]] || die "Please run this script as root"
+
+ einfo "sbctl: Signing kernel $img"
+ sbctl sign -s $img
+}
+
+main
+
diff --git a/anda/tools/sbctl/sbctl.spec b/anda/tools/sbctl/sbctl.spec
index 939ee0217a..11cbc18f7e 100644
--- a/anda/tools/sbctl/sbctl.spec
+++ b/anda/tools/sbctl/sbctl.spec
@@ -1,6 +1,6 @@
 Name: sbctl
 Version: 0.18
-Release: 2%?dist
+Release: 3%?dist
 Summary: Secure Boot key manager
 
 License: MIT
@@ -9,6 +9,9 @@ Source0: https://github.com/Foxboron/sbctl/releases/download/%{version}/s
 ## Based on CachyOS's batch sign script
 # https://github.com/CachyOS/CachyOS-Settings/blob/master/usr/bin/sbctl-batch-sign
 Source1: %{name}-batch-sign
+# Downstream postinst hook
+Source2: 91-sbctl-sign
+Source3: 91-sbctl-rm
 
 ExclusiveArch: %{golang_arches}
 
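Review bot: `sbctl sign -s $img` at the end of main() passes the kernel image path unquoted, so a kernel-install argument with whitespace or glob characters is split before sbctl sees it; write `sbctl sign -s "$img"`. The installed-state probe runs before the root check, and its `awk '/installed/ { gsub(/,$/,"",$2); print $2 }'` extraction only yields `true` if `--print-state --json` prints one key per line with a space after the colon — if the output is ever compact JSON the comparison fails and the hook silently exits 0 without signing, which on a Secure Boot–enforcing machine leaves the new kernel unbootable; move `[[ ${EUID} -eq 0 ]] || die "Please run this script as root"` above the probe and, if jq can be a dependency, replace the awk with `jq -r .installed`. The `#shellcheck disable=SC2034` directive is placed before the `if` block, so it only covers that statement and not the unused `ver=${1}` two statements later; either move it directly above `ver=${1}` or drop `ver`. The script also uses bash-only `[[`, `${EUID}` and `echo -e` under `#!/usr/bin/sh`, which is fine where sh is bash (Fedora) but not under dash; `#!/usr/bin/bash` would make that explicit.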
@@ -46,14 +49,13 @@ export GOPATH=%{_builddir}/go
 %make_install PREFIX=%{_prefix}
 install -Dm755 %{SOURCE1} -t %{buildroot}%{_bindir}
 
-# This script is actually broken on Fedora, while new Debian installkernel hook works fine
-# for kernel-install, thanks to Fedora's kernel-install hook adding support for
-# postinst.d hooks.
+# This script is actually broken on Fedora
 rm -f %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
+rm -f %{buildroot}%{_prefix}/lib/kernel/postinst.d/91-sbctl.install
 
-# 95-kernel-hooks.install only runs postinst scripts from /etc, so move it there
-mkdir -p %{buildroot}%{_sysconfdir}/kernel/postinst.d
-mv %{buildroot}%{_prefix}/lib/kernel/postinst.d/91-sbctl.install %{buildroot}%{_sysconfdir}/kernel/postinst.d/
+# 95-kernel-hooks.install only runs postinst scripts from /etc, so install it there
+install -Dm755 %{SOURCE2} -t %{buildroot}%{_sysconfdir}/kernel/postinst.d
+install -Dm755 %{SOURCE3} -t %{buildroot}%{_sysconfdir}/kernel/prerm.d
 
 %transfiletriggerin -P 1 -- /efi /usr/lib /usr/libexec
 if [[ ! -f /run/ostree-booted ]] && grep -q -m 1 -e '\.efi$' -e '/vmlinuz$'; then
@@ -67,7 +69,8 @@ fi
 %doc README.md
 %{_bindir}/sbctl
 %{_bindir}/sbctl-batch-sign
-%{_sysconfdir}/kernel/postinst.d/91-sbctl.install
+%{_sysconfdir}/kernel/postinst.d/91-sbctl-sign
+%{_sysconfdir}/kernel/prerm.d/91-sbctl-rm
 %{_mandir}/man8/sbctl.8*
 %{_mandir}/man5/sbctl.conf.5*
 %{_datadir}/bash-completion/completions/sbctl
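Review bot: `install -Dm755 %{SOURCE3} -t %{buildroot}%{_sysconfdir}/kernel/prerm.d` assumes the Fedora kernel-install hook also runs scripts from /etc/kernel/prerm.d on kernel removal, but the comment two lines above only establishes that 95-kernel-hooks.install runs postinst scripts from /etc; if there is no prerm pass, 91-sbctl-rm is never executed and sbctl's file database keeps entries for kernels that no longer exist. Confirm the hook honours prerm.d with the same `<version> <image>` arguments the script reads as `$1`/`$2`, and widen the comment to say so, e.g. `# 95-kernel-hooks.install runs /etc/kernel/{postinst,prerm}.d hooks with <version> <image>`. Both hooks are installed under %{_sysconfdir} and listed plainly in %files; if local edits are meant to survive upgrades they need `%config(noreplace)`, otherwise a short comment that they are intentionally not treated as config would stop the next reviewer from asking. The git tree mode of 91-sbctl-rm is 100644 while 91-sbctl-sign is 100755; `install -Dm755` makes both executable in the package, so this is cosmetic, but aligning the modes avoids confusion.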