From 40b60875d0ce22060ac3f468102a79d1356ec4cd Mon Sep 17 00:00:00 2001
From: David Michael
Date: Fri, 3 Feb 2017 20:15:45 -0800
Subject: [PATCH] offline_signing: sign UEFI binaries for Secure Boot
---
 offline_signing/sign.sh | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/offline_signing/sign.sh b/offline_signing/sign.sh
index baf6c8cfbb..97be403b09 100755
--- a/offline_signing/sign.sh
+++ b/offline_signing/sign.sh
@@ -5,14 +5,27 @@
 DATA_DIR="$(readlink -f "$1")"
 KEYS_DIR="$(readlink -f "$(dirname "$0")")"
 gpg2 --verify "${DATA_DIR}/coreos_production_update.bin.bz2.sig"
-gpg2 --verify "${DATA_DIR}/coreos_production_image.vmlinuz.sig"
 gpg2 --verify "${DATA_DIR}/coreos_production_update.zip.sig"
 bunzip2 --keep "${DATA_DIR}/coreos_production_update.bin.bz2"
 unzip "${DATA_DIR}/coreos_production_update.zip" -d "${DATA_DIR}"
 export PATH="${DATA_DIR}:${PATH}"
-
 cd "${DATA_DIR}"
+
+# Sign UEFI binaries for Secure Boot.
+for bin in vmlinuz grub shim
+do
+ [ -e "coreos_production_image.$bin" ] || continue
+ gpg2 --verify "coreos_production_image.$bin.sig"
+ mv "coreos_production_image.$bin" "$bin.unsigned"
+ pesign --in="$bin.unsigned" \
+ --out="coreos_production_image.$bin" \
+ --certdir="${KEYS_DIR}" \
+ --certificate='CoreOS Secure Boot Certificate' \
+ --sign
+done
+
+# Sign the delta, with the Secure Boot signed kernel.
 ./core_sign_update \
 --image "${DATA_DIR}/coreos_production_update.bin" \
 --kernel "${DATA_DIR}/coreos_production_image.vmlinuz" \
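Review bot: The new loop is the first code that resolves `gpg2`, `mv` and `pesign` through PATH after `export PATH="${DATA_DIR}:${PATH}"` has placed the data directory, into which the update zip was just unpacked, ahead of the system directories, so a same-named file extracted there would be run in place of the real tool. The zip is GPG-verified beforehand, which limits the exposure, but signing tooling should not rely on that: either move the loop above the `export PATH=` line, or scope the override to the one command that needs it by replacing the export with a per-command prefix, `PATH="${DATA_DIR}:${PATH}" ./core_sign_update \`. Separately, `[ -e "coreos_production_image.$bin" ] || continue` silently skips a missing binary, yet `./core_sign_update --kernel` below requires the signed vmlinuz, so at least that case should fail rather than be skipped. The `./core_sign_update` invocation continues outside the hunk, and whether the script runs under `set -e` is not visible here.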