From 923bc732c318f6f632917073f28d6b32885f4db8 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 21:08:44 -0400
Subject: [PATCH 1/5] chore(ci): Check secureboot signatures
---
 .github/workflows/reusable-build.yml | 32 ++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index b8b3345..a52cded 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -198,6 +198,38 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 oci: false
+ - name: Check Secureboot Signatures
+ shell: bash
+ run: |
+ set -x
+ if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) || ! $(command -v rpm2cpio)]]; then
+ sudo apt update
+ sudo apt install sbsigntool curl openssl rpm2cpio
+ fi
+ podman create --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sh
+ podman export ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) > /tmp/${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1).tar
+ tar xvf /tmp/${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1).tar -C /
+ cd /tmp/rpms/
+ if [[ "${{ matrix.kernel_flavor }}" == "surface" ]]; then
+ rpm2cpio kernel-surface-core-"${{ env.kernel_release }}".rpm | cpio -idmv
+ else
+ rpm2cpio kernel-core-"${{ env.kernel_release }}".rpm | cpio -idmv
+ fi
+ cd ./lib/modules/"${{ env.kernel_release }}"/
+ sbverify --list vmlinuz
+ if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+ curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der.test
+ curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der.test
+ else
+ curl --retry 3 -Lo kernel-sign.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key.der.test
+ curl --retry 3 -Lo akmods.der https://github.com/ublue-os/kernel-cache/raw/main/certs/public_key_2.der.test
+ fi
+ openssl x509 -in kernel-sign.der -out kernel-sign.crt
+ openssl x509 -in akmods.der -out akmods.crt
+ sbverify --cert kernel-sign.crt vmlinuz || exit 1
+ sbverify --cert akmods.crt vmlinuz || exit 1
+ cd $HOME
+
 - name: Lowercase Registry
 id: registry_case
 uses: ASzc/change-string-case-action@v6
From ec1aa3d9c233a88742d159b283b80fb12b546a3f Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 21:13:16 -0400
Subject: [PATCH 2/5] missing space
---
 .github/workflows/reusable-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index a52cded..ab72d89 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -202,7 +202,7 @@ jobs:
 shell: bash
 run: |
 set -x
- if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) || ! $(command -v rpm2cpio)]]; then
+ if [[ ! $(command -v sbverify) || ! $(command -v curl) || ! $(command -v openssl) || ! $(command -v rpm2cpio) ]]; then
 sudo apt update
 sudo apt install sbsigntool curl openssl rpm2cpio
 fi
From 946c39307ac230c013cd18df78ebdd93ca43ebd8 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 21:21:19 -0400
Subject: [PATCH 3/5] fix variable names
---
 .github/workflows/reusable-build.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index ab72d89..af5d295 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
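Review bot: Both branches of `if [[ "${{ github.event_name }}" == "pull_request" ]]` in the new step download the same `public_key.der.test` / `public_key_2.der.test` files, so the branch is a no-op and every build, non-PR builds included, is verified against the test certificates; the `else` branch should fetch the production certificates (a location this page does not give) or be dropped until it differs. The trust anchor is also whatever the kernel-cache repository's `main` branch serves at job time; committing the expected certificates to this repository, or comparing each download against a committed `openssl x509 -noout -fingerprint -sha256` value, keeps the check independent of the remote's state. `curl` runs without `--fail`, so an HTTP error body would be written into the `.der` file and the step would only fail later inside `openssl x509` with a misleading message; `curl --retry 3 -fLo kernel-sign.der …` fails at the download instead. Separately, `sudo apt install sbsigntool curl openssl rpm2cpio` has no `-y`, which may abort on a non-interactive runner, and `cpio`, which the step also calls, is neither checked for nor installed.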
@@ -206,9 +206,9 @@ jobs:
 sudo apt update
 sudo apt install sbsigntool curl openssl rpm2cpio
 fi
- podman create --name ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) "${{ env.IMAGE_NAME }}":$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) sh
- podman export ${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1) > /tmp/${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1).tar
- tar xvf /tmp/${{env.IMAGE_NAME}}-$(echo "${{ steps.generate-tags.outputs.alias_tags }}" | cut -d " " -f 1).tar -C /
+ podman create --name "${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)" "${{ matrix.kernel_flavor}}"-kernel:$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1) sh
+ podman export "${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)" > /tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar
+ tar xvf tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar -C /
 cd /tmp/rpms/
 if [[ "${{ matrix.kernel_flavor }}" == "surface" ]]; then
 rpm2cpio kernel-surface-core-"${{ env.kernel_release }}".rpm | cpio -idmv
From 1395593532c242161492d51c7bf1ec77f5eb0c10 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 21:25:08 -0400
Subject: [PATCH 4/5] fix path
---
 .github/workflows/reusable-build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index af5d295..93b60d1 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
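Review bot: The new `podman create` / `podman export` / `tar` lines splice `${{ steps.generate_tags.outputs.alias_tags }}` into the script text four times (and `${{ matrix.kernel_flavor}}`, with its inconsistent missing space, five times), re-running `echo | cut` each time, and the `podman create` image argument leaves its `$(…)` unquoted while the `--name` argument quotes it. Passing both values through the step's `env:` block and computing the tag once keeps the lines readable and follows GitHub's guidance of expanding `${{ }}` into environment variables rather than into `run:` script text, where an unexpected value would be interpreted by bash; how `alias_tags` is produced is outside this hunk, so whether that matters here is not visible. The `env:` block sits on the step above the hunk, and the `tar` destination is revised again by the later patches in this series, so only the tag handling is shown below.
```yaml
        shell: bash
        env:
          KERNEL_FLAVOR: ${{ matrix.kernel_flavor }}
          ALIAS_TAGS: ${{ steps.generate_tags.outputs.alias_tags }}
        run: |
          # … unchanged: set -x and tool check …
          tag=$(cut -d " " -f 1 <<<"$ALIAS_TAGS")
          podman create --name "${KERNEL_FLAVOR}-kernel-${tag}" "${KERNEL_FLAVOR}-kernel:${tag}" sh
          podman export "${KERNEL_FLAVOR}-kernel-${tag}" > "/tmp/${KERNEL_FLAVOR}-kernel-${tag}.tar"
          tar xvf "/tmp/${KERNEL_FLAVOR}-kernel-${tag}.tar" -C /
          # … unchanged: rpm2cpio extraction and sbverify checks …
```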
@@ -208,7 +208,7 @@ jobs:
 fi
 podman create --name "${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)" "${{ matrix.kernel_flavor}}"-kernel:$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1) sh
 podman export "${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)" > /tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar
- tar xvf tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar -C /
+ tar xvf /tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar -C /
 cd /tmp/rpms/
 if [[ "${{ matrix.kernel_flavor }}" == "surface" ]]; then
 rpm2cpio kernel-surface-core-"${{ env.kernel_release }}".rpm | cpio -idmv
From b36fbc61e80a09be46d5392b8e224da596f25f26 Mon Sep 17 00:00:00 2001
From: m2Giles <69128853+m2Giles@users.noreply.github.com>
Date: Fri, 19 Jul 2024 21:29:13 -0400
Subject: [PATCH 5/5] change path
---
 .github/workflows/reusable-build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 93b60d1..2fdf01b 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -208,8 +208,8 @@ jobs:
 fi
 podman create --name "${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)" "${{ matrix.kernel_flavor}}"-kernel:$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1) sh
 podman export "${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)" > /tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar
- tar xvf /tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar -C /
- cd /tmp/rpms/
+ tar xvf /tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar -C /tmp
+ cd /tmp/tmp/rpms/
 if [[ "${{ matrix.kernel_flavor }}" == "surface" ]]; then
 rpm2cpio kernel-surface-core-"${{ env.kernel_release }}".rpm | cpio -idmv
 else
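Review bot: `tar xvf … -C /tmp` still unpacks the whole exported container filesystem even though only `tmp/rpms/` is used on the next line, and the resulting `cd /tmp/tmp/rpms/` is easy to misread. Extracting into a fresh directory and naming the member keeps the unpack small and the path explicit: `workdir=$(mktemp -d)`, `tar xf /tmp/"${{ matrix.kernel_flavor}}"-kernel-"$(echo "${{ steps.generate_tags.outputs.alias_tags }}" | cut -d " " -f 1)".tar -C "$workdir" tmp/rpms`, `cd "$workdir"/tmp/rpms/`. Dropping `v` also stops the step log from listing every file in the image on top of the `set -x` trace. The `cd ./lib/modules/…` that follows is relative, so it works unchanged from the new location; the rest of the step continues outside the hunk.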