Package Details: sbupdate-git 0.r113.4e6d106-1

Git Clone URL: https://aur.archlinux.org/sbupdate-git.git (read-only, click to copy)
Package Base: sbupdate-git
Description: Generate and sign kernel images for UEFI Secure Boot
Upstream URL: https://github.com/andreyv/sbupdate
Keywords: boot uefi
Licenses: GPL3
Conflicts: sbupdate
Provides: sbupdate
Submitter: andreyv
Maintainer: andreyv
Last Packager: andreyv
Votes: 35
Popularity: 1.21
First Submitted: 2016-08-19 10:22 (UTC)
Last Updated: 2021-03-19 17:20 (UTC)

Latest Comments

andreyv commented on 2022-04-05 18:46 (UTC)

@traysh sbupdate does not sign extra files in hook mode (see README for details), so renaming the hook will not help. I intend to add specific support for systemd-boot-update.service later, but for now you can systemctl edit systemd-boot-update.service and add a manual sign command.

traysh commented on 2022-04-05 17:55 (UTC) (edited on 2022-04-05 17:58 (UTC) by traysh)

Hello!

I use systemd-boot with Secure Boot, so I installed the aur package systemd-boot-pacman-hook, as sugested in the wiki.

It installs /usr/share/libalpm/hooks/95-systemd-boot.hook, which runs /usr/bin/systemctl restart systemd-boot-update.service whenever systemd is updated.

But that is incompatible with this package due to a small detail: 95-systemd-boot.hook is sorted after 95-sbupdate.hook, so the new systemd binary on the EFI partition will be installed after sbupdate is run, thus will not be signed. And that will my system unable to Secure Boot until I manually run sbupdate.

Would you consider renaming 95-sbupdate.hook to 96-sbupdate.hook, which would eliminate this problem? Pretty please?

Thank you

ranixon commented on 2021-06-25 14:38 (UTC)

Thanks @petercxy, now is installed.

petercxy commented on 2021-06-25 08:50 (UTC)

The GPG key F6532C30466E8B3E seems to be unavailable for now due to issues with the MIT keyserver (?).

As a temporary workaround, the key is available via GitHub at https://github.com/andreyv.gpg, so something like

curl https://github.com/andreyv.gpg | gpg --import

would allow the signature checks to pass.

@ranixon

ranixon commented on 2021-06-24 18:46 (UTC) (edited on 2021-06-24 18:53 (UTC) by ranixon)

I tried to install it using makepkg -si and i got this error

==> Verifying source file signatures with gpg...
sbupdate git repo ... FAILED (unknown public key F6532C30466E8B3E) 

andreyv commented on 2021-03-19 17:24 (UTC)

I think trusting GitHub's key would be no better than fetching the GitHub source with HTTPS.

So I added just the main key — thanks.

VannTen commented on 2021-03-15 08:44 (UTC) (edited on 2021-03-15 08:45 (UTC) by VannTen)

with the validpgpkeys part yes (it constrains which keys are allowed to validate the commits)

However Github sign the merges done on github.com with :

pub   rsa2048 2017-08-16 [SC]
      5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
uid           [ unknown] GitHub (web-flow commit signing) <noreply@github.com>

So adding your key and this one to validpgpkeys should to the trick.

andreyv commented on 2021-03-14 17:56 (UTC)

Thanks.

Sometimes there are also commits from other people. Merging on GitHub won't sign them with the needed key. Would makepkg abort in such case?

VannTen commented on 2021-03-02 20:36 (UTC)

I noticed that you sign your commits. So could you maybe use

source=("git+https://github.com/andreyv/sbupdate.git?signed")
validpgpkeys=('96F281C741F4F2693E96885BF6532C30466E8B3E') # not required

in the PKGBUILD ?

andreyv commented on 2019-12-01 09:56 (UTC)

Fixed.

bbaserdem commented on 2019-11-12 18:33 (UTC)

There is no official release version, but usually git packages should conflict and provide the base form, so that they are interchangeable with stable release packages in the future.

andreyv commented on 2019-11-10 09:55 (UTC) (edited on 2019-11-10 09:55 (UTC) by andreyv)

Configuration changes in version 0.r98.be9c5ea:

  • The INITRD variable no longer accepts multiple initramfs files. Use the new CONFIGS variable instead.

andreyv commented on 2019-05-25 18:25 (UTC) (edited on 2019-05-25 18:56 (UTC) by andreyv)

Configuration changes in version 0.r84.aa95459:

  • Config file renamed to /etc/sbupdate.conf
  • Default key directory changed to /etc/efi-keys
  • KEYFILE and CRTFILE options are removed. The script now handles lowercase and uppercase variants automatically.

wincraft71 commented on 2018-02-01 13:42 (UTC)

@andreyv

That is awesome, thank you. It worked with the new options

andreyv commented on 2018-01-24 21:47 (UTC)

@wincraft71 Should work now, see new configuration options.

andreyv commented on 2018-01-22 06:52 (UTC)

@wincraft71 There is a pull request for that, I'll get to it soon. Now the script follows Rodsbooks' convention.

wincraft71 commented on 2018-01-22 06:27 (UTC)

The script should be changed to look for "db." files in the KEY_DIR /boot/efikeys instead of "DB." files for compatibility with cryptboot (https://aur.archlinux.org/packages/cryptboot/).