Package Details: sbupdate-git 0.r113.4e6d106-1

Git Clone URL: https://aur.archlinux.org/sbupdate-git.git (read-only)
Package Base: sbupdate-git
Description: Generate and sign kernel images for UEFI Secure Boot
Upstream URL: https://github.com/andreyv/sbupdate
Keywords: boot uefi
Licenses: GPL3
Conflicts: sbupdate
Provides: sbupdate
Submitter: andreyv
Maintainer: andreyv
Last Packager: andreyv
Votes: 35
Popularity: 0.027493
First Submitted: 2016-08-19 10:22 (UTC)
Last Updated: 2021-03-19 17:20 (UTC)

Latest Comments

andreyv commented on 2022-04-05 18:46 (UTC)

@traysh sbupdate does not sign extra files in hook mode (see README for details), so renaming the hook will not help. I intend to add specific support for systemd-boot-update.service later, but for now you can systemctl edit systemd-boot-update.service and add a manual sign command.

traysh commented on 2022-04-05 17:55 (UTC) (edited on 2022-04-05 17:58 (UTC) by traysh)

Hello!

I use systemd-boot with Secure Boot, so I installed the AUR package systemd-boot-pacman-hook, as suggested in the wiki.

It installs /usr/share/libalpm/hooks/95-systemd-boot.hook, which runs /usr/bin/systemctl restart systemd-boot-update.service whenever systemd is updated.

But that is incompatible with this package due to a small detail: 95-systemd-boot.hook is sorted after 95-sbupdate.hook, so the new systemd binary on the EFI partition will be installed after sbupdate is run, and thus will not be signed. And that will leave my system unable to Secure Boot until I manually run sbupdate.

Would you consider renaming 95-sbupdate.hook to 96-sbupdate.hook, which would eliminate this problem? Pretty please?

Thank you

ranixon commented on 2021-06-25 14:38 (UTC)

Thanks @petercxy, now it is installed.

petercxy commented on 2021-06-25 08:50 (UTC)

The GPG key F6532C30466E8B3E seems to be unavailable for now due to issues with the MIT keyserver (?).

As a temporary workaround, the key is available via GitHub at https://github.com/andreyv.gpg, so something like

curl https://github.com/andreyv.gpg | gpg --import

would allow the signature checks to pass.

@ranixon
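
An added example, not part of the comment thread or of sbupdate itself: before importing a key downloaded from the URL in the comment above, check that the file contains the primary-key fingerprint quoted as validpgpkeys elsewhere in this thread. The function names and the local file name andreyv.gpg are assumptions made for illustration.

```shell
#!/bin/sh
# Fingerprint quoted as validpgpkeys in this thread.
EXPECTED_FPR=96F281C741F4F2693E96885BF6532C30466E8B3E

# has_primary_fpr FPR
# Reads `gpg --with-colons` output on stdin and succeeds only if FPR is the
# fingerprint of a primary key, i.e. the first "fpr" record after a "pub"
# record. Subkey fingerprints (after "sub") are deliberately ignored.
has_primary_fpr() {
    awk -F: -v want="$1" '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary {
            if (toupper($10) == toupper(want)) found = 1
            primary = 0
        }
        END { exit (found ? 0 : 1) }
    '
}

# import_if_expected KEYFILE FPR
# Inspects KEYFILE without touching the keyring, and imports it only when
# the expected primary fingerprint is present. The file may hold other
# keys too; makepkg still accepts only signers listed in validpgpkeys.
import_if_expected() {
    if gpg --show-keys --with-colons "$1" 2>/dev/null | has_primary_fpr "$2"
    then
        gpg --import "$1"
    else
        echo "refusing to import $1: fingerprint $2 not found" >&2
        return 1
    fi
}

# Usage (network access needed, so left commented out):
#   curl -fsSLo andreyv.gpg https://github.com/andreyv.gpg
#   import_if_expected andreyv.gpg "$EXPECTED_FPR"
```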

ranixon commented on 2021-06-24 18:46 (UTC) (edited on 2021-06-24 18:53 (UTC) by ranixon)

I tried to install it using makepkg -si and I got this error:

==> Verifying source file signatures with gpg...
sbupdate git repo ... FAILED (unknown public key F6532C30466E8B3E) 

andreyv commented on 2021-03-19 17:24 (UTC)

I think trusting GitHub's key would be no better than fetching the GitHub source with HTTPS.

So I added just the main key — thanks.

VannTen commented on 2021-03-15 08:44 (UTC) (edited on 2021-03-15 08:45 (UTC) by VannTen)

With the validpgpkeys part, yes (it constrains which keys are allowed to validate the commits).

However, GitHub signs the merges done on github.com with:

pub   rsa2048 2017-08-16 [SC]
      5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
uid           [ unknown] GitHub (web-flow commit signing) <noreply@github.com>

So adding your key and this one to validpgpkeys should do the trick.

andreyv commented on 2021-03-14 17:56 (UTC)

Thanks.

Sometimes there are also commits from other people. Merging on GitHub won't sign them with the needed key. Would makepkg abort in such a case?

VannTen commented on 2021-03-02 20:36 (UTC)

I noticed that you sign your commits. So could you maybe use

source=("git+https://github.com/andreyv/sbupdate.git?signed")
validpgpkeys=('96F281C741F4F2693E96885BF6532C30466E8B3E') # not required

in the PKGBUILD?

andreyv commented on 2019-12-01 09:56 (UTC)

Fixed.