]> git.ipfire.org Git - thirdparty/mkosi.git/commit
projects / thirdparty / mkosi.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: ff02388) | patch
Sign systemd-boot EFI binaries under /usr
authorMichael A Cassaniti <michael@cassaniti.id.au>
Mon, 8 Aug 2022 13:03:37 +0000 (23:03 +1000)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Mon, 5 Sep 2022 08:15:11 +0000 (10:15 +0200)
commit90fe5d87f555baa0bcee29dcadeb68ed5fc9ec73
treeeb69ba61ed867b78b83362656c275c6060ae755etree
parentff0238897d52429d52071ffd0297948c9d6d7e1dcommit | diff
Sign systemd-boot EFI binaries under /usr

If secure boot signing is enabled with UEFI then `systemd-boot` binaries which
are at `/usr/lib/systemd/boot/efi` should be signed with the same signing key
that is used for EFI binaries within the ESP. In comparison to signed ESP
binaries, the '.signed' extension will be kept.

Without this change, any tool that copies these binaries into the ESP will
(likely) be copying an unsigned copy of `systemd-boot`. The service
`systemd-boot-update.service` is just one example of a service that will
regularly attempt to update `systemd-boot` within the ESP.
mkosi/__init__.py diff | blob | blame | history
Mirror of https://github.com/systemd/mkosi.git