-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign the fwupmgr bootloader #10
Comments
Should solve all of it. |
Indeed. Thanks for the quick answer! Actually, it's there in the README, no idea how I missed it at first. |
I did actually intentionally add it to the README.md for this reason :) It's a nice feature and demonstrates the flexibility. |
Ok, I'm fairly sure this has some bug in functionality now...
Removing the files with EDIT: when running Doing it with absolute paths seems to work fine, but has weird stuff in
It is only regenerating the signed version, not touching the original one, so it isn't a huge bug, but it is always regenerating the signed version. As a PS, disabling color output when piping into something and/or with a command line option would be a welcome feature, but I can try to implement it later. |
Ah, i see the issue. In an attempt at not verifying files twice I did some basic caching of the checked files. Line 52 in 7de0523
It assumes there is some path to the output, and can probably be made more clever. But we should probably verify or have a warning when people add files without absolute paths.
Right, because we don't really know when the file has changed when we save it with |
The entire logging code is a giant hack as I wanted to have the same output format as |
Intuitively, I think it would work like: path: either relative or absolute
The 2nd and 4th options can instead be errors if used without an absolute path.
I think that could work, but why not store checksums for both files? Do you think a user could have some other program make changes to the signed file and still want to use it?
I will take a look at it later! |
Hmm, this seems complicated. It would be better to enforce absolute paths across the board and be consistent I think?
Good point. They could very well sign with multiple db keys, and currently we would just override it. So maybe we should have some logic if the outfile is defined? Ensure we have signed it if it exists? and only create it if it doesn't exist? |
I don't see a problem with it. Would just make the usecase of generating a signed file to use elsewhere a bit trickier, but no big deal.
We'd need proper diagnostics messages for these, I think. But yeah, that sounds ok. |
If the original file ceases existing, it bugs out as well. |
So local code now runs I'll fix the missing file issue as well. |
I think the latest commits fixes several of the issues mentioned in this issue. Please verify :) |
I think you forgot to commit the ChecksumFile function. |
Woopsie, that is correct! fixed :) |
Found two issues, fixed in #15 |
I think this can be closed, thanks! |
Poke me if #11 is OK to merge after this or if there are anything missing :) |
Hey there! I know the
verify
command checks files that are in the ESP partition, but there are other pieces of software that need to be signed and aren't in the ESP. The example I have is thefwupdmgr
bootloader, which lives in/usr/libexec/fwupd/efi/fwupdx64.efi
(on Void, I don't remember where it was on Arch). The issue is that, when trying to check for updates, fwupdmgr fails in the system firmware part on a secure boot protected device, because it can't find the signed version of the bootloader.The part about it failing is probably a bug on their part, which I opened an issue about (fwupd/fwupd#2219), but I don't think it makes sense for them to implement some way of signing the bootloader. Do you think this is something that could be included in
sbctl
? If yes, what would the mechanism for it be? Some system wide configuration file / configuration directory, or hard coded behavior?Thanks!
The text was updated successfully, but these errors were encountered: