We now need the official shim vendor certificate present in the SDK when
building the kernel so that it can be inserted and used to verify the
verity root hash and signed sysexts.
While we're at it, copy the official signing certificate from Azure Key
Vault so that we don't need to fetch it every time, simplifying the
signing code.
This change also partly deals with the eventual expiration of our shim
vendor certificate. We cannot simply replace the shim with one
containing just the new certificate because it needs to be able to boot
kernels from older releases. We therefore now keep all the certificates
in the coreos-sb-keys package as separate dated PEM files that then get
combined into a single DER ESL that the shim build expects. Note that
the shim does not check certificate expiry dates. It is therefore also
no longer necessary to manually convert the certificate to DER format.
The problem of actually upgrading the shim on user systems remains.
Each certificate in the DER ESL requires an owner GUID. We previously used
a zero GUID for the DB certificates, but these were only used for
testing. I have therefore now generated a static GUID for Flatcar that
we should use going forwards.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
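
The ESL layout the commit message above refers to, sketched as an added example; it is not code from the commit or from the Flatcar build scripts. It assumes one `EFI_SIGNATURE_LIST` of type `EFI_CERT_X509_GUID` per certificate, as the UEFI specification defines them, and uses a constructed placeholder owner GUID and constructed dummy PEM payloads rather than real certificates.

```python
import base64, re, struct, uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Constructed placeholder owner GUID, not the one generated for Flatcar.
OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size.
HEADER = struct.Struct("<16sIII")

def fake_pem(payload: bytes) -> str:
    """Wrap constructed bytes in PEM armour (stand-in for a dated PEM file)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE_PEMS = [fake_pem(b"\x30\x82" + b"old-cert" * 4),
               fake_pem(b"\x30\x82" + b"new-cert" * 5)]

def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def build_esl(der_certs, owner=OWNER_GUID) -> bytes:
    """Concatenate one signature list per certificate, each tagged with the owner GUID."""
    out = b""
    for der in der_certs:
        sig = owner.bytes_le + der  # EFI_SIGNATURE_DATA: owner GUID + certificate
        out += HEADER.pack(EFI_CERT_X509_GUID.bytes_le, HEADER.size + len(sig), 0, len(sig)) + sig
    return out

def parse_esl(blob: bytes):
    """Return [(owner_guid, der_bytes)], rejecting inconsistent size fields."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated list header")
        sig_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body = list_size - HEADER.size - hdr_size
        if list_size > len(blob) - off or sig_size <= 16 or body <= 0 or body % sig_size:
            raise ValueError("inconsistent size fields")
        if uuid.UUID(bytes_le=sig_type) != EFI_CERT_X509_GUID:
            raise ValueError("not an X.509 signature list")
        start = off + HEADER.size + hdr_size
        for p in range(start, off + list_size, sig_size):
            entries.append((uuid.UUID(bytes_le=blob[p:p + 16]), blob[p + 16:p + sig_size]))
        off += list_size
    return entries
```

Running `parse_esl` over a built ESL is a quick way to confirm that every certificate carries the intended owner GUID before the file is handed to a build.
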
Update documentation and ebuilds to reference `main` branch instead of `flatcar-master`
This pull request updates references from the `flatcar-master` branch to the `main` branch across various files and documentation. The changes ensure consistency with the updated branch naming convention.
### Documentation updates:
* Updated the link to `kola` in `PREFIX.md` to reference the `main` branch instead of `flatcar-master`.
* Updated the link to `kola` in `ci-automation/README.md` to reference the `main` branch instead of `flatcar-master`.
### Ebuild file updates:
* Changed the `EGIT_COMMIT` comment in `toolbox-9999.ebuild` to reference `main` instead of `flatcar-master`.
* Changed the `EGIT_COMMIT` comment in `update-ssh-keys-9999.ebuild` to reference `main` instead of `flatcar-master`.
* Changed the `EGIT_COMMIT` comment in `nss-usrfiles-9999.ebuild` to reference `main` instead of `flatcar-master`.
This is in reference to this issue: https://github.com/flatcar/Flatcar/issues/1714