Package Details: sbupdate-git 0.r133.1bd9722-2

Git Clone URL: https://aur.archlinux.org/sbupdate-git.git (read-only, click to copy)
Package Base: sbupdate-git
Description: Generate and sign kernel images for UEFI Secure Boot
Upstream URL: https://github.com/andreyv/sbupdate
Keywords: boot uefi
Licenses: GPL3
Conflicts: sbupdate
Provides: sbupdate
Submitter: andreyv
Maintainer: andreyv
Last Packager: andreyv
Votes: 34
Popularity: 0.000046
First Submitted: 2016-08-19 10:22 (UTC)
Last Updated: 2023-08-11 11:32 (UTC)

Pinned Comments

gilbs commented on 2023-09-02 18:05 (UTC) (edited on 2023-09-02 18:37 (UTC) by gilbs)

@andreyv Thanks for your outstanding work on this project! It was quite useful while it was alive and I am grateful that you took from your personal time to maintain it for almost 7 years 🙏. Given that mkinitcpio is now able to generate UKIs and that there already exist many tools to sign boot images, it sounds like a fairly reasonable decision to retire sbupdate. However, I would only suggest to add a final commit, just to display a deprecation warning to users when they sign an image with sbupdate. Many users might not be aware that the project EOLed just by looking at the PKGBUILD. I only realized it EOLed when I stumbled upon the git repository by accident.


For the records, I switched to mkinitcpio to generate the UKI, and after some hesitancy I opted for sbctl for the signature. Thanks to the archwiki, the process was straightforward. I was initially reluctant to switch to a bloated tool like sbctl, but the key enrollment and image signature processes were so smooth that it eventually earned my vote… Otherwise I would probably have written some manual hooks to sign the UKI with sbsign, which I guess would also have been OK.

@SleepyMario

Is using one of the forks instead an option? Or is that madness.

Is there any properly maintained fork of sbupdate in the wild? I found this one: sbupdate-mkinitcpio (which has a deceptive name IMHO) that switched from pacman hooks to a systemd unit to trigger the signature script.

My personal suggestion would be to refrain from using such fork (unless I'm missing some use case). mkinitcpio can generate the UKI for you, and you can sign it with whatever tools you want (sbsign+some manually written pacman hooks, or sbctl and its shipped hooks). It's not a lot of work.

andreyv commented on 2023-08-12 05:44 (UTC)

@mephinet I no longer have the capability to develop the tool, and anyway it's largely obsolete — see https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot for replacements.

Latest Comments

« First ‹ Previous 1 2 3 Next › Last »

traysh commented on 2022-04-05 17:55 (UTC) (edited on 2022-04-05 17:58 (UTC) by traysh)

Hello!

I use systemd-boot with Secure Boot, so I installed the aur package systemd-boot-pacman-hook, as sugested in the wiki.

It installs /usr/share/libalpm/hooks/95-systemd-boot.hook, which runs /usr/bin/systemctl restart systemd-boot-update.service whenever systemd is updated.

But that is incompatible with this package due to a small detail: 95-systemd-boot.hook is sorted after 95-sbupdate.hook, so the new systemd binary on the EFI partition will be installed after sbupdate is run, thus will not be signed. And that will my system unable to Secure Boot until I manually run sbupdate.

Would you consider renaming 95-sbupdate.hook to 96-sbupdate.hook, which would eliminate this problem? Pretty please?

Thank you

ranixon commented on 2021-06-25 14:38 (UTC)

Thanks @petercxy, now is installed.

petercxy commented on 2021-06-25 08:50 (UTC)

The GPG key F6532C30466E8B3E seems to be unavailable for now due to issues with the MIT keyserver (?).

As a temporary workaround, the key is available via GitHub at https://github.com/andreyv.gpg, so something like

curl https://github.com/andreyv.gpg | gpg --import

would allow the signature checks to pass.

@ranixon

ranixon commented on 2021-06-24 18:46 (UTC) (edited on 2021-06-24 18:53 (UTC) by ranixon)

I tried to install it using makepkg -si and i got this error

==> Verifying source file signatures with gpg...
sbupdate git repo ... FAILED (unknown public key F6532C30466E8B3E) 

andreyv commented on 2021-03-19 17:24 (UTC)

I think trusting GitHub's key would be no better than fetching the GitHub source with HTTPS.

So I added just the main key — thanks.

VannTen commented on 2021-03-15 08:44 (UTC) (edited on 2021-03-15 08:45 (UTC) by VannTen)

with the validpgpkeys part yes (it constrains which keys are allowed to validate the commits)

However Github sign the merges done on github.com with :

pub   rsa2048 2017-08-16 [SC]
      5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
uid           [ unknown] GitHub (web-flow commit signing) <noreply@github.com>

So adding your key and this one to validpgpkeys should to the trick.

andreyv commented on 2021-03-14 17:56 (UTC)

Thanks.

Sometimes there are also commits from other people. Merging on GitHub won't sign them with the needed key. Would makepkg abort in such case?

VannTen commented on 2021-03-02 20:36 (UTC)

I noticed that you sign your commits. So could you maybe use

source=("git+https://github.com/andreyv/sbupdate.git?signed")
validpgpkeys=('96F281C741F4F2693E96885BF6532C30466E8B3E') # not required

in the PKGBUILD ?

andreyv commented on 2019-12-01 09:56 (UTC)

Fixed.

silverbluep commented on 2019-11-12 18:33 (UTC)

There is no official release version, but usually git packages should conflict and provide the base form, so that they are interchangeable with stable release packages in the future.