From: Luca Boccassi Date: Mon, 14 Apr 2025 01:19:14 +0000 (+0100) Subject: mkosi-obs: append certs from mkosi.uefi.db/ to 'db' X-Git-Tag: v26~244 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc86100e5192529d719c6c1b565c2f2acbb7fae5;p=thirdparty%2Fmkosi.git mkosi-obs: append certs from mkosi.uefi.db/ to 'db' Allow appending an arbitrary number of certs to the autoenrolled UEFI db. Expects list of PEM formatted files. Only implemented for OBS builds for now.
---
diff --git a/mkosi/resources/mkosi-obs/mkosi.postoutput b/mkosi/resources/mkosi-obs/mkosi.postoutput
index e1fb12ee5..9f9aa9dc2 100755
--- a/mkosi/resources/mkosi-obs/mkosi.postoutput
+++ b/mkosi/resources/mkosi-obs/mkosi.postoutput
@@ -110,6 +110,15 @@ if ((${#DDIS[@]} > 0)); then
 cert-to-efi-sig-list -g "$guid" /usr/src/packages/SOURCES/_projectcert.crt db.esl
 cp db.esl KEK.esl
 cp db.esl PK.esl
+
+ # If there are any additional certs, concatenate them
+ for cert in /usr/src/packages/SOURCES/*/mkosi.uefi.db/*.crt; do
+ test -f "$cert" || continue
+ cert-to-efi-sig-list -g "$guid" "$cert" tmp.esl
+ cat tmp.esl >>db.esl
+ rm -f tmp.esl
+ done
+
 for i in *.esl; do
 sign-efi-sig-list -o -g "$guid" -t "$(date -d "@${SOURCE_DATE_EPOCH:-0}" "+%Y-%m-%d %H:%M:%S")" "${i%.esl}" "$i" "${i%.esl}.auth"
 done
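Review bot: Every `*.crt` matched by the glob in the added `for cert` loop becomes a Secure Boot trust anchor in `db.esl`, yet nothing records which files were enrolled and the exit status of `cert-to-efi-sig-list` is not checked. If the script does not run under `set -e` (not visible in this hunk), a file that fails to convert may be skipped silently, or a partial `tmp.esl` may be appended. I would log and check each conversion, e.g. `echo "Adding $cert to UEFI db" >&2` followed by `cert-to-efi-sig-list -g "$guid" "$cert" tmp.esl || exit 1`. A comment such as `# db only: KEK.esl and PK.esl were copied above and must not receive these certs` would also make the dependence on statement order explicit. The enclosing `if ((${#DDIS[@]} > 0))` block starts and ends outside the hunk.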