From: Luca Boccassi
Date: Mon, 10 Feb 2025 22:59:03 +0000 (+0000)
Subject: mkosi-obs: split and sign dm-verity roothashes
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F3494%2Fhead;p=thirdparty%2Fmkosi.git

mkosi-obs: split and sign dm-verity roothashes
---

diff --git a/mkosi/resources/mkosi-obs/mkosi.conf b/mkosi/resources/mkosi-obs/mkosi.conf
index 392146c0c..641eae962 100644
--- a/mkosi/resources/mkosi-obs/mkosi.conf
+++ b/mkosi/resources/mkosi-obs/mkosi.conf
@@ -3,7 +3,7 @@
 SandboxTrees=/usr/src/packages/SOURCES:/usr/src/packages/SOURCES
 
 [Output]
-SplitArtifacts=pcrs
+SplitArtifacts=pcrs,roothash
 
 [Validation]
 SignExpectedPcrCertificate=/usr/src/packages/SOURCES/_projectcert.crt
diff --git a/mkosi/resources/mkosi-obs/mkosi.postoutput b/mkosi/resources/mkosi-obs/mkosi.postoutput
index 64b3b4fb4..585eeb0dc 100755
--- a/mkosi/resources/mkosi-obs/mkosi.postoutput
+++ b/mkosi/resources/mkosi-obs/mkosi.postoutput
@@ -13,8 +13,10 @@ declare -a UKIS
 UKIS=( "$(find "$OUTPUTDIR" -type f -name "*.efi" -printf '%P\n')" )
 declare -a KERNELS
 KERNELS=( "$(find "$OUTPUTDIR" -type f -name "vmlinu*" -printf '%P\n')" )
+declare -a ROOTHASHES
+ROOTHASHES=( "$(find "$OUTPUTDIR" -type f -name "*.roothash" -printf '%P\n')" )
 
-if ((${#UKIS[@]} == 0)) && ((${#KERNELS[@]} == 0)); then
+if ((${#UKIS[@]} == 0)) && ((${#KERNELS[@]} == 0)) && ((${#ROOTHASHES[@]} == 0)); then
 echo "No unsigned files found, exiting"
 exit 0
 fi
@@ -44,6 +46,12 @@ for f in "${KERNELS[@]}"; do
 pesign --force -n sql:"$nss_db" -i "${OUTPUTDIR}/${f}" -E "hashes/kernels/$f"
 done
 
+for f in "${ROOTHASHES[@]}"; do
+ test -f "${OUTPUTDIR}/${f}" || continue
+ mkdir -p hashes/roothashes
+ cp "${OUTPUTDIR}/$f" hashes/roothashes/
+done
+
 # Pack everything into a CPIO archive and place it where OBS expects it
 pushd hashes
 find . -type f | cpio -H newc -o >"$OUTPUTDIR/hashes.cpio.rsasign"
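Review bot: The quoted command substitution in `ROOTHASHES=( "$(find …)" )` always produces an array of exactly one element, so the added `((${#ROOTHASHES[@]} == 0))` test in the mkosi.postoutput hunk at -13,8 can never be true and the "No unsigned files found" exit is unreachable. With two or more `*.roothash` files that single element holds every path joined by newlines, and the `test -f … || continue` guard in the roothash loop added by the hunk at -44,6 would skip it without any message, so the root hashes would be missing from the archive submitted for signing. Reading one path per element avoids both problems: `mapfile -t ROOTHASHES < <(find "$OUTPUTDIR" -type f -name "*.roothash" -printf '%P\n')`. The UKIS and KERNELS context lines use the same pattern and would need the same treatment for the emptiness check to work.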
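Review bot: In the hunk at -44,6, `cp "${OUTPUTDIR}/$f" hashes/roothashes/` drops any directory component of `$f`, while the kernel loop just above writes to `hashes/kernels/$f`. Because `find -printf '%P\n'` emits paths relative to `$OUTPUTDIR`, two root hash files with the same basename in different subdirectories would overwrite each other, and presumably only one would end up in `hashes.cpio.rsasign`. If nested outputs can occur here, keep the relative path with `mkdir -p "hashes/roothashes/$(dirname "$f")"` and `cp "${OUTPUTDIR}/$f" "hashes/roothashes/$f"`. If they cannot, `mkdir -p hashes/roothashes` is loop-invariant and can move above the `for`, with a comment such as `# roothash files are copied as-is; the signing service signs the file content` to explain why this loop does not call pesign.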