Arch Linux User Repository

@traysh sbupdate does not sign extra files in hook mode (see README for details), so renaming the hook will not help. I intend to add specific support for systemd-boot-update.service later, but for now you can systemctl edit systemd-boot-update.service and add a manual sign command.

Hello!

I use systemd-boot with Secure Boot, so I installed the aur package systemd-boot-pacman-hook, as sugested in the wiki.

It installs /usr/share/libalpm/hooks/95-systemd-boot.hook, which runs /usr/bin/systemctl restart systemd-boot-update.service whenever systemd is updated.

But that is incompatible with this package due to a small detail: 95-systemd-boot.hook is sorted after 95-sbupdate.hook, so the new systemd binary on the EFI partition will be installed after sbupdate is run, thus will not be signed. And that will my system unable to Secure Boot until I manually run sbupdate.

Would you consider renaming 95-sbupdate.hook to 96-sbupdate.hook, which would eliminate this problem? Pretty please?

Thank you

Thanks @petercxy, now is installed.

The GPG key F6532C30466E8B3E seems to be unavailable for now due to issues with the MIT keyserver (?).

As a temporary workaround, the key is available via GitHub at https://github.com/andreyv.gpg, so something like

curl https://github.com/andreyv.gpg | gpg --import

would allow the signature checks to pass.

@ranixon

I tried to install it using makepkg -si and i got this error

==> Verifying source file signatures with gpg...
sbupdate git repo ... FAILED (unknown public key F6532C30466E8B3E) 

I think trusting GitHub's key would be no better than fetching the GitHub source with HTTPS.

So I added just the main key — thanks.

with the validpgpkeys part yes (it constrains which keys are allowed to validate the commits)

However Github sign the merges done on github.com with :

pub   rsa2048 2017-08-16 [SC]
      5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
uid           [ unknown] GitHub (web-flow commit signing) <noreply@github.com>

So adding your key and this one to validpgpkeys should to the trick.

Thanks.

Sometimes there are also commits from other people. Merging on GitHub won't sign them with the needed key. Would makepkg abort in such case?

I noticed that you sign your commits. So could you maybe use

source=("git+https://github.com/andreyv/sbupdate.git?signed")
validpgpkeys=('96F281C741F4F2693E96885BF6532C30466E8B3E') # not required

in the PKGBUILD ?

Fixed.

There is no official release version, but usually git packages should conflict and provide the base form, so that they are interchangeable with stable release packages in the future.

Configuration changes in version 0.r98.be9c5ea:

• The INITRD variable no longer accepts multiple initramfs files. Use the new CONFIGS variable instead.

Configuration changes in version 0.r84.aa95459:

• Config file renamed to /etc/sbupdate.conf
• Default key directory changed to /etc/efi-keys
• KEYFILE and CRTFILE options are removed. The script now handles lowercase and uppercase variants automatically.

@andreyv

That is awesome, thank you. It worked with the new options

@wincraft71 Should work now, see new configuration options.

@wincraft71 There is a pull request for that, I'll get to it soon. Now the script follows Rodsbooks' convention.

The script should be changed to look for "db." files in the KEY_DIR /boot/efikeys instead of "DB." files for compatibility with cryptboot (https://aur.archlinux.org/packages/cryptboot/).