mkosi-obs: split and sign dm-verity roothashes 3494/head
authorLuca Boccassi <luca.boccassi@gmail.com>
Mon, 10 Feb 2025 22:59:03 +0000 (22:59 +0000)
committerLuca Boccassi <luca.boccassi@gmail.com>
Tue, 11 Feb 2025 15:18:53 +0000 (15:18 +0000)
mkosi/resources/mkosi-obs/mkosi.conf
mkosi/resources/mkosi-obs/mkosi.postoutput

index 392146c0c2213c861b8bcf9cbeda1c6405e30077..641eae962179f5e4f1f7e0736b30ea59cdda88d4 100644 (file)
@@ -3,7 +3,7 @@
 SandboxTrees=/usr/src/packages/SOURCES:/usr/src/packages/SOURCES
 
 [Output]
-SplitArtifacts=pcrs
+SplitArtifacts=pcrs,roothash
 
 [Validation]
 SignExpectedPcrCertificate=/usr/src/packages/SOURCES/_projectcert.crt
index 64b3b4fb487f103837a0a65323d2e6be64e9d709..585eeb0dc9a72c811d9294343178861d1c1276ba 100755 (executable)
@@ -13,8 +13,10 @@ declare -a UKIS
 UKIS=( "$(find "$OUTPUTDIR" -type f -name "*.efi" -printf '%P\n')" )
 declare -a KERNELS
 KERNELS=( "$(find "$OUTPUTDIR" -type f -name "vmlinu*" -printf '%P\n')" )
+declare -a ROOTHASHES
+ROOTHASHES=( "$(find "$OUTPUTDIR" -type f -name "*.roothash" -printf '%P\n')" )
 
-if ((${#UKIS[@]} == 0)) && ((${#KERNELS[@]} == 0)); then
+if ((${#UKIS[@]} == 0)) && ((${#KERNELS[@]} == 0)) && ((${#ROOTHASHES[@]} == 0)); then
     echo "No unsigned files found, exiting"
     exit 0
 fi
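Review bot: `ROOTHASHES=( "$(find …)" )` always yields exactly one array element because the command substitution is quoted, so the new `((${#ROOTHASHES[@]} == 0))` test can never be true and the "No unsigned files found" exit is unreachable. With two or more `.roothash` files that single element is a newline-joined string, which the `test -f … || continue` in the copy loop of the later hunk skips without any message, leaving the dm-verity root hashes out of the archive sent for signing. The UKIS and KERNELS assignments in the context lines use the same pattern. Reading the list with `mapfile -t ROOTHASHES < <(find "$OUTPUTDIR" -type f -name "*.roothash" -printf '%P\n')` gives one element per file and an empty array when nothing matches.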
@@ -44,6 +46,12 @@ for f in "${KERNELS[@]}"; do
     pesign --force -n sql:"$nss_db" -i "${OUTPUTDIR}/${f}" -E "hashes/kernels/$f"
 done
 
+for f in "${ROOTHASHES[@]}"; do
+    test -f "${OUTPUTDIR}/${f}" || continue
+    mkdir -p hashes/roothashes
+    cp "${OUTPUTDIR}/$f" hashes/roothashes/
+done
+
 # Pack everything into a CPIO archive and place it where OBS expects it
 pushd hashes
 find . -type f | cpio -H newc -o >"$OUTPUTDIR/hashes.cpio.rsasign"
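Review bot: The added `cp "${OUTPUTDIR}/$f" hashes/roothashes/` flattens the relative path that `find -printf '%P'` returns, unlike the kernel loop above it, which writes to `hashes/kernels/$f`. If two root hash files ever share a basename in different subdirectories of `$OUTPUTDIR`, the second would overwrite the first and only one hash would be submitted for signing; whether mkosi can produce that layout is not visible here. Keeping the relative path, e.g. `mkdir -p "hashes/roothashes/$(dirname "$f")"` followed by `cp "${OUTPUTDIR}/$f" "hashes/roothashes/$f"`, avoids the collision and matches the other loops. The code that maps signed results back to output files is outside the hunk and would have to agree with whichever layout is chosen.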