mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-08-07 04:56:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Temporarily undo AKV signing while we complete the shim review

Browse Source 
We don't want to be blocked from doing releases in the meantime. Revert
this commit when ready.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
This commit is contained in:
James Le Cuirot 2024-11-13 12:07:40 +00:00
parent 2853c77c66
commit 101efbff39
No known key found for this signature in database
GPG Key ID: 1226415D00DD3137
2 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
build_library/build_image_util.sh
View File

@ -827,6 +827,7 @@ EOF
fi
# Sign the kernel after /usr is in a consistent state and verity is calculated
[[ ${COREOS_OFFICIAL:-0} -ne 1 ]] && \
do_sbsign --output "${root_fs_dir}/boot/flatcar/vmlinuz-a"{,}
cleanup_sbsign_certs

16
build_library/grub_install.sh
View File

@ -186,12 +186,12 @@ case "${FLAGS_target}" in
x86_64-efi|arm64-efi)
info "Installing default ${FLAGS_target} UEFI bootloader."
# Sign GRUB and mokmanager(mm) with the shim-embedded key.
do_sbsign --output "${ESP_DIR}/${GRUB_IMAGE}"{,}
do_sbsign --output "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" \
"${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi"
if [[ ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
# Sign GRUB and mokmanager(mm) with the shim-embedded key.
do_sbsign --output "${ESP_DIR}/${GRUB_IMAGE}"{,}
do_sbsign --output "${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi" \
"${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi"
# Unofficial build: Sign shim with our development key.
sudo sbsign \
--key /usr/share/sb_keys/DB.key \
@ -199,8 +199,10 @@ case "${FLAGS_target}" in
--output "${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi" \
"${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi"
else
# Official build: Copy our pre-signed shim.
sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi.signed" \
# Official build: Copy the unsigned files.
sudo cp "${BOARD_ROOT}/usr/lib/shim/mm${EFI_ARCH}.efi" \
"${ESP_DIR}/EFI/boot/mm${EFI_ARCH}.efi"
sudo cp "${BOARD_ROOT}/usr/lib/shim/shim${EFI_ARCH}.efi" \
"${ESP_DIR}/EFI/boot/boot${EFI_ARCH}.efi"
fi