Ensure file signing hook is run when initrd is rebuilt #271
Conversation
Initrd is rebuilt when a DKMS module or firmware package is installed as of these commits to mkinitcpio: https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/aff81712789b9f2c1664fe1cfb5c1ecdbc5c993b https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/3576b03d29420ccd1913eaa18c7f8950e7de3103
Joseph-DiGiovanni
temporarily deployed
to
Build, sign, release binaries
GitHub Actions
Inactive
Joseph-DiGiovanni
temporarily deployed
to
Build, sign, release binaries
GitHub Actions
Inactive
Joseph-DiGiovanni
temporarily deployed
to
Build, sign, release binaries
GitHub Actions
Inactive
|
How about also adding an initcpio hook? That way it it almost guaranteed to call sbctl every time when the kernel gets rebuilt. Regardless what triggered it (or if the user itself triggered it and forgot that they have to sign the kernel too, *not me*) Also see #218 |
|
At that point I'd rather just deprecate the pacman hook and replace with kernel-install or mkinitcpio hooks. |
|
It doesn't hurt to have it. I kinda like have the "double protection" of two independent hooks making sure that the image is really signed. But yea, the pacman one is then basically completely useless... |
|
Actually, I realized this would be a bad idea, maybe. We do sign more then just the initrd. Namely things like |
|
Good point. So we should keep both. For the sake of not breaking anything we should keep it as is with the exception of the usr/lib/initcpio/* target and my other additions. It will attempt to sign twice most of the time but this is preferable to not signing at all. |
It doesn't hurt and sbctl noops already if these files are already signed. I'd say still stick with it is better to have a potentially useless pacman hook in addition to the initcpio one than risking a non bootable system because of unforeseen circumstances.... |
Co-authored-by: Morten Linderud <morten@linderud.pw>
|
Thanks! |
Joseph-DiGiovanni
temporarily deployed
to
Build, sign, release binaries
GitHub Actions
Inactive
Joseph-DiGiovanni
temporarily deployed
to
Build, sign, release binaries
GitHub Actions
Inactive
Joseph-DiGiovanni
temporarily deployed
to
Build, sign, release binaries
GitHub Actions
Inactive
Initrd is rebuilt when a DKMS module or firmware package is installed or updated as of these commits to mkinitcpio: https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/aff81712789b9f2c1664fe1cfb5c1ecdbc5c993b https://gitlab.archlinux.org/archlinux/mkinitcpio/mkinitcpio/-/commit/3576b03d29420ccd1913eaa18c7f8950e7de3103
Without this change, images created by mkinitcpio will not be automatically signed for secure boot in the events mentioned above.