authorBrli2024-04-23 09:00:02 +0800
committerBrli2024-04-23 09:00:02 +0800
commitf7e9ae0a0e79c5ee185a373d89d4e050752a5527 (patch)
tree850893c22efd6766ae364ff84d4387a545a56b90 /PKGBUILD
parent1afc800cb51f4a577472e70267033fa7e4a1fee3 (diff)
fix several lines
Diffstat (limited to 'PKGBUILD')
-rw-r--r--PKGBUILD32
1 files changed, 13 insertions, 19 deletions
diff --git a/PKGBUILD b/PKGBUILD
index a3a552f2eb51..e33d9983a5e1 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
# 2. Some UEFI firmware requires the keys to be in FAT filesystem in order they can be imported, consider cp the keys to your ESP before reboot
# 3. Read the Secure Boot Archwiki (https://wiki.archlinux.org/index.php/Secure_Boot)
_sign_location="etc/secureboot/keys"
-_gen_new_key="$GEN_NEW_KEY"
+_gen_new_key="${GEN_NEW_KEY:-true}"
# Maintainer: BrLi <brli@chakralinux.org>
pkgname=secureboot-helper
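Review bot: With the `:-true` default, `_gen_new_key` can never be empty, and the new tests in prepare() and package() in the last hunk (`[[ $_gen_new_key ]]`) only check for a non-empty string. As a result `GEN_NEW_KEY=false` still takes the generate branch, and both the `cp -r /etc/secureboot/keys` in prepare() and the `else` branch in package() are unreachable, so existing keys are never carried over. Comparing the value explicitly in both places, `[[ $_gen_new_key == true ]]`, would make the switch behave as its name suggests. A comment above the assignment stating the accepted values, for example `# GEN_NEW_KEY=false reuses the keys under /etc/secureboot/keys`, would also help.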
@@ -34,6 +34,7 @@ backup=($_sign_location/db/db.auth
$_sign_location/PK/PK.key
$_sign_location/PK/rm_PK.auth
$_sign_location/GUID.txt)
+install=install
source=(secureboot-helper-kernel.hook
secureboot-helper-systemd.hook
secureboot-helper-ucode.hook
@@ -43,7 +44,7 @@ source=(secureboot-helper-kernel.hook
secureboot-helper.sysusers
uki-sbsign.post)
b2sums=('e91df3a7cb2797210666d22716b9e93153d1a4571f90b0cd85f0d5e3f6a18b12f8892c40bce144859e6509107a76db20a855b1922180406f086c32d591febc0a'
- '1dbbe7d5a44ff7751f4237f0e5c803091f7c289d030f647b89b22d99acb43aa7c2981c49234e3f6db035f02118295a2ffa9f7bc57d95da1e119e3a10700ccaae'
+ 'c101d87484749a315a0f50951d6ecb46819a9ab684807f51f30eea9b7a6af2f28e4cbb8593a3983b32a7029aa75c0618b7040caca53798dae1cc6c534262b6a8'
'6e5d318f43fab74dc8e9d8964ff8f1d2f29862da510a05da8d5c6931954b3d5e07969f94ae356f30157dc98f59544945550ad3db1dbcdfc048d6179fe4d00fcd'
'9397cee519512c05fd61d08d732e4cf72222a6b44068a5a9de865c43da971157d8385028d18f0d060a47ce5a69b5142bb9506c0af5e536a63c705f028a7a6074'
'acd0ba657a2707620e9dba6f798dfff9323ac35508f32954b4235876bcd9357dda81951c0115d5d3810a4497e1f527abd81539b0a5bdb864203478137716bf1f'
@@ -52,43 +53,36 @@ b2sums=('e91df3a7cb2797210666d22716b9e93153d1a4571f90b0cd85f0d5e3f6a18b12f8892c4
'd3c1dd19016f9bf06255d30f05929cc040e05aec51ce6178be9024506c9050de3057e993e5193dbe6043c09b466ebcb80659a1443f4f736b3f399d474c4e41da')
prepare() {
+ export _gen_new_key
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-kernel.hook
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-systemd.hook
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper-ucode.hook
sed "s,%SIGN_LOCATION%,$_sign_location,g" -i $srcdir/secureboot-helper.sysusers
- if !$_gen_new_key; then
- cp -r /etc/secureboot/keys "$srcdir/keys"
- fi
+ [[ $_gen_new_key ]] || cp -r /etc/secureboot/keys "$srcdir/keys"
}
package() {
+ export _gen_new_key
install -dm500 "$pkgdir/$_sign_location/"{PK,KEK,db}
cd $pkgdir/$_sign_location
- if $_gen_new_key; then
+ if [[ $_gen_new_key ]] ; then
+ touch GUID.txt
uuidgen --random > GUID.txt
# Platform key
msg 'Generating PK.key'
cd $pkgdir/$_sign_location/PK
- openssl req -newkey rsa:2048 -nodes -keyout PK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Platform Key/" -out PK.crt
- openssl x509 -outform DER -in PK.crt -out PK.cer
- cert-to-efi-sig-list -g "$(< ../GUID.txt)" PK.crt PK.esl
- sign-efi-sig-list -g "$(< ../GUID.txt)" -k PK.key -c PK.crt PK PK.esl PK.auth
- sign-efi-sig-list -g "$(< ../GUID.txt)" -c PK.crt -k PK.key PK /dev/null rm_PK.auth
+ touch PK.{crt,cer,esl,key,auth}
+ touch rm_PK.auth
# Key exchange key
msg 'Generating KEK.key'
cd $pkgdir/$_sign_location/KEK
- openssl req -newkey rsa:2048 -nodes -keyout KEK.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Key Exchange Key/" -out KEK.crt
- openssl x509 -outform DER -in KEK.crt -out KEK.cer
- cert-to-efi-sig-list -g "$(< GUID.txt)" KEK.crt KEK.esl
- sign-efi-sig-list -g "$(< GUID.txt)" -k ../PK/PK.key -c ../PK/PK.crt KEK KEK.esl KEK.auth
+ touch KEK.{key,crt,cer,esl,auth}
# Signature Database key
msg 'Generating DB.key'
- openssl req -newkey rsa:2048 -nodes -keyout db.key -new -x509 -sha256 -days 3650 -subj "/CN=Self-generated Signature Database key/" -out db.crt
- openssl x509 -outform DER -in db.crt -out db.cer
- cert-to-efi-sig-list -g "$(< ../GUID.txt)" db.crt db.esl
- sign-efi-sig-list -g "$(< ../GUID.txt)" -k ../KEK/KEK.key -c ../KEK/KEK.crt db db.esl db.auth
+ cd $pkgdir/$_sign_location/db
+ touch db.{key,crt,cer,esl,auth}
else
cp -ra $srcdir/keys/* ./
fi
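Review bot: The `touch` lines in package() now ship zero-length PK, KEK and db files while the `msg 'Generating PK.key'` style messages still announce key generation, and nothing in this hunk says where the real keys are created. Presumably the scriptlet named by the new `install=install` line does it, but that file is not shown here; if so, a comment such as `# placeholders only; the install scriptlet generates the real keys` above the first `touch`, with the messages reworded to match, would stop a reader from taking the packaged files for usable keys. Each touched path should also be checked against `backup=` (only part of that array is visible), since a placeholder missing from it would replace an existing key file with an empty one on upgrade. `touch GUID.txt` is redundant before the `uuidgen --random > GUID.txt` redirect.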