commit sbctl for openSUSE:Factory

3 Jan 2024

Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package sbctl for openSUSE:Factory checked in at 2024-01-03 12:27:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sbctl (Old)
 and      /work/SRC/openSUSE:Factory/.sbctl.new.28375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sbctl"

Wed Jan  3 12:27:17 2024 rev:2 rq:1135886 version:0.13

Changes:
--------

--- /work/SRC/openSUSE:Factory/sbctl/sbctl.changes	2023-11-22 18:54:57.460344740 +0100
+++ /work/SRC/openSUSE:Factory/.sbctl.new.28375/sbctl.changes	2024-01-03 12:27:21.064656156 +0100
@@ -1,0 +2,26 @@
+Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith <jsmithfpv@gmail.com>
+
+- Update to version 0.13:
+  * --export,-e and --database-path,-d now work properly and don't
+    overwrite the create-keys variables internally
+  * remove erronous dbx enrollment. Previous release implemented
+    support for dbx that doesn't really work as expected. It
+    would also fail to enroll keys for previously setup clients.
+    Implementation has been removed and will be iterated upon at a
+    later date.
+  * make: fix github artifact upload
+  * Change shebang
+  * Ensure file signing hook is run when initrd is rebuilt
+  * Fixed typo, removed mention enroll-keys enables Secure Boot
+    automatically
+  * Ignore Setup mode and immutable variables for export
+  * Specify file origin + always print signing message
+  * tests/utils/certs.go: drop keyUsage bitfield
+  * update manpage docs
+  * allow specifying keys and GUID paths
+  * Update README.md
+  * keys.go: drop the keyUsage bitfield
+  * Check and return Open errs
+  * Update documentation for custom dbx
+
+-------------------------------------------------------------------

Old:
----
  sbctl-0.12.tar.gz

New:
----
  sbctl-0.13.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sbctl.spec ++++++
--- /var/tmp/diff_new_pack.JnrHGn/_old	2024-01-03 12:27:22.056692383 +0100
+++ /var/tmp/diff_new_pack.JnrHGn/_new	2024-01-03 12:27:22.060692529 +0100
@@ -17,7 +17,7 @@
 
 
 Name:           sbctl
-Version:        0.12
+Version:        0.13
 Release:        0
 Summary:        Secure Boot key manager
 License:        MIT

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.JnrHGn/_old	2024-01-03 12:27:22.096693843 +0100
+++ /var/tmp/diff_new_pack.JnrHGn/_new	2024-01-03 12:27:22.100693990 +0100
@@ -1,7 +1,7 @@
 <servicedata>
   <service name="tar_scm">
     <param name="url">https://github.com/Foxboron/sbctl.git</param>
-    <param name="changesrevision">748bc59d24a4d14087d8d92431606c5fb57afeb0</param>
+    <param name="changesrevision">ee7cf4a33c6fb3be8f192641420d8c4234f7ae31</param>
   </service>
 </servicedata>
 (No newline at EOF)

++++++ sbctl-0.12.tar.gz -> sbctl-0.13.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/Makefile new/sbctl-0.13/Makefile
--- old/sbctl-0.12/Makefile	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/Makefile	2023-12-23 23:02:48.000000000 +0100
@@ -45,7 +45,7 @@
 	mkdir -p releases
 	git archive --prefix=${PROGNM}-${TAG}/ -o releases/${PROGNM}-${TAG}.tar.gz ${TAG};
 	gpg --detach-sign -o releases/${PROGNM}-${TAG}.tar.gz.sig releases/${PROGNM}-${TAG}.tar.gz
-	hub release create -m "Release: ${TAG}" -a releases/${PROGNM}-${TAG}.tar.gz.sig -a releases/${PROGNM}-${TAG}.tar.gz ${TAG}
+	gh release upload ${TAG} releases/${PROGNM}-${TAG}.tar.gz.sig releases/${PROGNM}-${TAG}.tar.gz ${TAG}
 
 .PHONY: push-aur
 push-aur:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/README.md new/sbctl-0.13/README.md
--- old/sbctl-0.12/README.md	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/README.md	2023-12-23 23:02:48.000000000 +0100
@@ -57,12 +57,17 @@
 
 For Arch Linux:
 ```
-$ pacman -S sbctl
+# pacman -S sbctl
 ```
 
 For Alpine Linux:
 ```
-$ apk add sbctl
+# apk add sbctl
+```
+
+For Gentoo Linux:
+```
+# emerge --ask app-crypt/sbctl
 ```
 
 You can find a updated list of [sbctl packages on
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/certs/builtin.go new/sbctl-0.13/certs/builtin.go
--- old/sbctl-0.12/certs/builtin.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/certs/builtin.go	2023-12-23 23:02:48.000000000 +0100
@@ -13,7 +13,6 @@
 var (
 	efiGlobalGuid                 = util.EFIGUID{0x8be4df61, 0x93ca, 0x11d2, [8]uint8{0xaa, 0x0d, 0x00, 0xe0, 0x98, 0x03, 0x2b, 0x8c}}
 	defaultSignatureDatabaseNames = map[string]string{
-		"dbx": "dbxDefault",
 		"db":  "dbDefault",
 		"KEK": "KEKDefault",
 		"PK":  "PKDefault",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/create-keys.go new/sbctl-0.13/cmd/sbctl/create-keys.go
--- old/sbctl-0.12/cmd/sbctl/create-keys.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/cmd/sbctl/create-keys.go	2023-12-23 23:02:48.000000000 +0100
@@ -8,21 +8,26 @@
 	"github.com/spf13/cobra"
 )
 
+var (
+	exportPath   string = sbctl.KeysPath
+	databasePath string = sbctl.DatabasePath
+)
+
 var createKeysCmd = &cobra.Command{
 	Use:   "create-keys",
 	Short: "Create a set of secure boot signing keys",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		if err := sbctl.CreateDirectory(sbctl.KeysPath); err != nil {
+		if err := sbctl.CreateDirectory(exportPath); err != nil {
 			return err
 		}
-		uuid, err := sbctl.CreateGUID(sbctl.DatabasePath)
+		uuid, err := sbctl.CreateGUID(databasePath)
 		if err != nil {
 			return err
 		}
 		logging.Print("Created Owner UUID %s\n", uuid)
-		if !sbctl.CheckIfKeysInitialized(sbctl.KeysPath) {
+		if !sbctl.CheckIfKeysInitialized(exportPath) {
 			logging.Print("Creating secure boot keys...")
-			err := sbctl.InitializeSecureBootKeys(sbctl.KeysPath)
+			err := sbctl.InitializeSecureBootKeys(exportPath)
 			if err != nil {
 				logging.NotOk("")
 				return fmt.Errorf("couldn't initialize secure boot: %w", err)
@@ -36,7 +41,15 @@
 	},
 }
 
+func createKeysCmdFlags(cmd *cobra.Command) {
+	f := cmd.Flags()
+	f.StringVarP(&exportPath, "export", "e", sbctl.KeysPath, "export file path. defaults to "+sbctl.KeysPath)
+	f.StringVarP(&databasePath, "database-path", "d", sbctl.DatabasePath, "location to create GUID file. defaults to "+sbctl.DatabasePath)
+}
+
 func init() {
+	createKeysCmdFlags(createKeysCmd)
+
 	CliCommands = append(CliCommands, cliCommand{
 		Cmd: createKeysCmd,
 	})
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/enroll-keys.go new/sbctl-0.13/cmd/sbctl/enroll-keys.go
--- old/sbctl-0.12/cmd/sbctl/enroll-keys.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/cmd/sbctl/enroll-keys.go	2023-12-23 23:02:48.000000000 +0100
@@ -51,7 +51,7 @@
 var (
 	systemEventlog       = "/sys/kernel/security/tpm0/binary_bios_measurements"
 	enrollKeysCmdOptions = EnrollKeysCmdOptions{
-		Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db", "dbx"}},
+		Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db"}},
 		Export:  stringset.StringSet{Allowed: []string{"esl", "auth"}},
 	}
 	enrollKeysCmd = &cobra.Command{
@@ -90,19 +90,12 @@
 		return err
 	}
 
-	dbxPem, err := fs.ReadFile(filepath.Join(keydir, "dbx", "dbx.pem"))
-	if err != nil {
-		return err
-	}
-
 	// Create the signature databases
-	var sigdb, sigdbx, sigkek, sigpk *signature.SignatureDatabase
+	var sigdb, sigkek, sigpk *signature.SignatureDatabase
 
 	if !enrollKeysCmdOptions.Append {
 		sigdb = signature.NewSignatureDatabase()
 
-		sigdbx = signature.NewSignatureDatabase()
-
 		sigkek = signature.NewSignatureDatabase()
 
 		sigpk = signature.NewSignatureDatabase()
@@ -113,11 +106,6 @@
 			return err
 		}
 
-		sigdbx, err = efi.Getdbx()
-		if err != nil {
-			return err
-		}
-
 		sigkek, err = efi.GetKEK()
 		if err != nil {
 			return err
@@ -133,10 +121,6 @@
 		return err
 	}
 
-	if err = sigdbx.Append(signature.CERT_X509_GUID, guid, dbxPem); err != nil {
-		return err
-	}
-
 	if err = sigkek.Append(signature.CERT_X509_GUID, guid, KEKPem); err != nil {
 		return err
 	}
@@ -168,13 +152,6 @@
 			}
 			sigdb.AppendDatabase(oemSigDb)
 
-			// dbx
-			oemSigDbx, err := certs.GetOEMCerts(oem, "dbx")
-			if err != nil {
-				return fmt.Errorf("could not enroll db keys: %w", err)
-			}
-			sigdbx.AppendDatabase(oemSigDbx)
-
 			// KEK
 			oemSigKEK, err := certs.GetOEMCerts(oem, "KEK")
 			if err != nil {
@@ -193,13 +170,6 @@
 			}
 			sigdb.AppendDatabase(customSigDb)
 
-			// dbx
-			customSigDbx, err := certs.GetCustomCerts(keydir, "dbx")
-			if err != nil {
-				return fmt.Errorf("could not enroll custom dbx keys: %w", err)
-			}
-			sigdbx.AppendDatabase(customSigDbx)
-
 			// KEK
 			customSigKEK, err := certs.GetCustomCerts(keydir, "KEK")
 			if err != nil {
@@ -217,8 +187,6 @@
 				switch cert {
 				case "db":
 					sigdb.AppendDatabase(builtinSigDb)
-				case "dbx":
-					sigdbx.AppendDatabase(builtinSigDb)
 				case "KEK":
 					sigkek.AppendDatabase(builtinSigDb)
 				case "PK":
@@ -236,11 +204,6 @@
 				return err
 			}
 
-			sigdbx, err := sbctl.SignDatabase(sigdbx, KEKKey, KEKPem, "dbx")
-			if err != nil {
-				return err
-			}
-
 			sigkek, err := sbctl.SignDatabase(sigkek, PKKey, PKPem, "KEK")
 			if err != nil {
 				return err
@@ -252,9 +215,6 @@
 			if err := fs.WriteFile("db.auth", sigdb, 0o644); err != nil {
 				return err
 			}
-			if err := fs.WriteFile("dbx.auth", sigdbx, 0o644); err != nil {
-				return err
-			}
 			if err := fs.WriteFile("KEK.auth", sigkek, 0o644); err != nil {
 				return err
 			}
@@ -266,9 +226,6 @@
 			if err := fs.WriteFile("db.esl", sigdb.Bytes(), 0o644); err != nil {
 				return err
 			}
-			if err := fs.WriteFile("dbx.esl", sigdbx.Bytes(), 0o644); err != nil {
-				return err
-			}
 			if err := fs.WriteFile("KEK.esl", sigkek.Bytes(), 0o644); err != nil {
 				return err
 			}
@@ -285,10 +242,6 @@
 			if err := sbctl.Enroll(sigdb, KEKKey, KEKPem, value); err != nil {
 				return err
 			}
-		case "dbx":
-			if err := sbctl.Enroll(sigdbx, KEKKey, KEKPem, value); err != nil {
-				return err
-			}
 		case "KEK":
 			if err := sbctl.Enroll(sigkek, PKKey, PKPem, value); err != nil {
 				return err
@@ -307,9 +260,6 @@
 	if err := sbctl.Enroll(sigdb, KEKKey, KEKPem, "db"); err != nil {
 		return err
 	}
-	if err := sbctl.Enroll(sigdbx, KEKKey, KEKPem, "dbx"); err != nil {
-		return err
-	}
 	if err := sbctl.Enroll(sigkek, PKKey, PKPem, "KEK"); err != nil {
 		return err
 	}
@@ -322,7 +272,7 @@
 
 func RunEnrollKeys(cmd *cobra.Command, args []string) error {
 	// SetupMode is not necessarily required on a partial enrollment
-	if !efi.GetSetupMode() && enrollKeysCmdOptions.Partial.Value == "" {
+	if !efi.GetSetupMode() && enrollKeysCmdOptions.Partial.Value == "" && enrollKeysCmdOptions.Export.Value == "" {
 		return ErrSetupModeDisabled
 	}
 
@@ -359,7 +309,7 @@
 	if len(enrollKeysCmdOptions.BuiltinFirmwareCerts) >= 1 {
 		oems = append(oems, "firmware-builtin")
 	}
-	if !enrollKeysCmdOptions.IgnoreImmutable {
+	if !enrollKeysCmdOptions.IgnoreImmutable && enrollKeysCmdOptions.Export.Value == "" {
 		if err := sbctl.CheckImmutable(); err != nil {
 			return err
 		}
@@ -401,8 +351,6 @@
 	switch hierarchy {
 	case "db":
 		fallthrough
-	case "dbx":
-		fallthrough
 	case "KEK":
 		fallthrough
 	case "PK":
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/import-keys.go new/sbctl-0.13/cmd/sbctl/import-keys.go
--- old/sbctl-0.12/cmd/sbctl/import-keys.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/cmd/sbctl/import-keys.go	2023-12-23 23:02:48.000000000 +0100
@@ -18,8 +18,6 @@
 	Force     bool
 	DbCert    string
 	DbKey     string
-	DbxCert   string
-	DbxKey    string
 	KEKCert   string
 	KEKKey    string
 	PKCert    string
@@ -58,8 +56,6 @@
 		"KEK/KEK.pem",
 		"db/db.key",
 		"db/db.pem",
-		"dbx/dbx.key",
-		"dbx/dbx.pem",
 	}
 	dir, err := filepath.Abs(dir)
 	if err != nil {
@@ -90,7 +86,6 @@
 		Cert string
 	}{
 		{"db", importKeysCmdOptions.DbKey, importKeysCmdOptions.DbCert},
-		{"dbx", importKeysCmdOptions.DbxKey, importKeysCmdOptions.DbxCert},
 		{"KEK", importKeysCmdOptions.KEKKey, importKeysCmdOptions.KEKCert},
 		{"PK", importKeysCmdOptions.PKKey, importKeysCmdOptions.PKCert},
 	}
@@ -142,8 +137,6 @@
 	f := cmd.Flags()
 	f.StringVarP(&importKeysCmdOptions.DbCert, "db-cert", "", "", "Database (db) certificate")
 	f.StringVarP(&importKeysCmdOptions.DbKey, "db-key", "", "", "Database (db) key")
-	f.StringVarP(&importKeysCmdOptions.DbxCert, "dbx-cert", "", "", "Forbidden Database (dbx) certificate")
-	f.StringVarP(&importKeysCmdOptions.DbxKey, "dbx-key", "", "", "Forbidden Database (dbx) key")
 	f.StringVarP(&importKeysCmdOptions.KEKCert, "kek-cert", "", "", "Key Exchange Key (KEK) certificate")
 	f.StringVarP(&importKeysCmdOptions.KEKKey, "kek-key", "", "", "Key Exchange Key (KEK) key")
 	f.StringVarP(&importKeysCmdOptions.PKCert, "pk-cert", "", "", "Platform Key (PK) certificate")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/reset.go new/sbctl-0.13/cmd/sbctl/reset.go
--- old/sbctl-0.12/cmd/sbctl/reset.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/cmd/sbctl/reset.go	2023-12-23 23:02:48.000000000 +0100
@@ -24,7 +24,7 @@
 
 var (
 	resetCmdOpts = resetCmdOptions{
-		Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db", "dbx"}},
+		Partial: stringset.StringSet{Allowed: []string{"PK", "KEK", "db"}},
 	}
 	resetCmd = &cobra.Command{
 		Use:   "reset",
@@ -53,10 +53,6 @@
 		if err := resetDB(paths...); err != nil {
 			return err
 		}
-	case "dbx":
-		if err := resetDBX(paths...); err != nil {
-			return err
-		}
 	case "KEK":
 		if err := resetKEK(paths...); err != nil {
 			return err
@@ -85,19 +81,6 @@
 	return nil
 }
 
-func resetDBX(certPaths ...string) error {
-	KEKKey := filepath.Join(sbctl.KeysPath, "KEK", "KEK.key")
-	KEKPem := filepath.Join(sbctl.KeysPath, "KEK", "KEK.pem")
-
-	if err := resetDatabase(KEKKey, KEKPem, "dbx", certPaths...); err != nil {
-		return err
-	}
-
-	logging.Ok("Removed Fobidden Signature Database!")
-	logging.Println("Use `sbctl enroll-keys` to enroll the Forbidden Signature Database again.")
-	return nil
-}
-
 func resetKEK(certPaths ...string) error {
 	PKKey := filepath.Join(sbctl.KeysPath, "PK", "PK.key")
 	PKPem := filepath.Join(sbctl.KeysPath, "PK", "PK.pem")
@@ -146,8 +129,6 @@
 		switch efivar {
 		case "db":
 			db, err = efi.Getdb()
-		case "dbx":
-			db, err = efi.Getdbx()
 		case "KEK":
 			db, err = efi.GetKEK()
 		case "PK":
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/cmd/sbctl/rotate-keys.go new/sbctl-0.13/cmd/sbctl/rotate-keys.go
--- old/sbctl-0.12/cmd/sbctl/rotate-keys.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/cmd/sbctl/rotate-keys.go	2023-12-23 23:02:48.000000000 +0100
@@ -26,7 +26,7 @@
 
 var (
 	rotateKeysCmdOptions = RotateKeysCmdOptions{
-		Partial: stringset.StringSet{Allowed: []string{hierarchy.PK.String(), hierarchy.KEK.String(), hierarchy.Db.String(), hierarchy.Dbx.String()}},
+		Partial: stringset.StringSet{Allowed: []string{hierarchy.PK.String(), hierarchy.KEK.String(), hierarchy.Db.String()}},
 	}
 	rotateKeysCmd = &cobra.Command{
 		Use:   "rotate-keys",
@@ -44,7 +44,6 @@
 	PK  *KeyCertPair
 	KEK *KeyCertPair
 	Db  *KeyCertPair
-	Dbx *KeyCertPair
 }
 
 func ReadKeysFromDir(src string) (*Keys, error) {
@@ -66,10 +65,6 @@
 		return &k, err
 	}
 
-	k.Dbx, err = ReadPair(src, hierarchy.Dbx)
-	if err != nil {
-		return &k, err
-	}
 	return &k, err
 }
 
@@ -105,8 +100,6 @@
 		sl, err = efi.GetKEK()
 	case hierarchy.Db:
 		sl, err = efi.Getdb()
-	case hierarchy.Dbx:
-		sl, err = efi.Getdbx()
 	}
 
 	if err != nil {
@@ -208,10 +201,6 @@
 		return fmt.Errorf("could not rotate db: %v", err)
 	}
 
-	if err := rotateCerts(hierarchy.Dbx, oldKeys.Dbx.Cert, newKeys.Dbx.Cert, newKeys.KEK); err != nil {
-		return fmt.Errorf("could not rotate db: %v", err)
-	}
-
 	logging.Ok("Enrolled new keys into UEFI!")
 
 	if err := SignAll(); err != nil {
@@ -267,13 +256,6 @@
 
 		importKeyDst = sbctl.DBKey
 		importCertDst = sbctl.DBCert
-	case hierarchy.Dbx.String():
-		if err := rotateCerts(hierarchy.Dbx, oldKeys.Dbx.Cert, newCert, oldKeys.KEK); err != nil {
-			return fmt.Errorf("could not rotate dbx: %v", err)
-		}
-
-		importKeyDst = sbctl.DBXKey
-		importCertDst = sbctl.DBXCert
 	}
 
 	logging.Ok("Enrolled new key of hierarchy %s into UEFI!", hiera)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/contrib/kernel-install/91-sbctl.install new/sbctl-0.13/contrib/kernel-install/91-sbctl.install
--- old/sbctl-0.12/contrib/kernel-install/91-sbctl.install	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/contrib/kernel-install/91-sbctl.install	2023-12-23 23:02:48.000000000 +0100
@@ -1,8 +1,10 @@
 #!/bin/sh
+#  This file is part of sbctl.
 
 COMMAND="$1"
 KERNEL_VERSION="$2"
 ENTRY_DIR_ABS="$3"
+# shellcheck disable=SC2034  # Unused variables left for readability
 KERNEL_IMAGE="$4"
 
 IMAGE_FILE="$ENTRY_DIR_ABS/linux"
@@ -25,13 +27,12 @@
 
 case "$COMMAND" in
 add)
-	[ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] &&
-		printf 'Signing kernel %s\n' "$IMAGE_FILE"
+	printf 'sbctl: Signing kernel %s\n' "$IMAGE_FILE"
 	sbctl sign -s "$IMAGE_FILE" 1>/dev/null
 	;;
 remove)
 	[ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] &&
-		printf 'Removing kernel %s from signing database\n' "$IMAGE_FILE"
+		printf 'sbctl: Removing kernel %s from signing database\n' "$IMAGE_FILE"
 	sbctl remove-file "$IMAGE_FILE" 1>/dev/null
 	;;
 esac
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/contrib/mkinitcpio/sbctl new/sbctl-0.13/contrib/mkinitcpio/sbctl
--- old/sbctl-0.12/contrib/mkinitcpio/sbctl	1970-01-01 01:00:00.000000000 +0100
+++ new/sbctl-0.13/contrib/mkinitcpio/sbctl	2023-12-23 23:02:48.000000000 +0100
@@ -0,0 +1,3 @@
+#!/usr/bin/bash
+echo "Signing EFI binaries..."
+/usr/bin/sbctl sign-all -g
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/contrib/pacman/ZZ-sbctl.hook new/sbctl-0.13/contrib/pacman/ZZ-sbctl.hook
--- old/sbctl-0.12/contrib/pacman/ZZ-sbctl.hook	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/contrib/pacman/ZZ-sbctl.hook	2023-12-23 23:02:48.000000000 +0100
@@ -7,7 +7,6 @@
 Target = efi/*
 Target = usr/lib/modules/*/vmlinuz
 Target = usr/lib/modules/*/extramodules/*
-Target = usr/lib/initcpio/*
 Target = usr/lib/**/efi/*.efi*
 
 [Action]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/docs/sbctl.8.txt new/sbctl-0.13/docs/sbctl.8.txt
--- old/sbctl-0.12/docs/sbctl.8.txt	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/docs/sbctl.8.txt	2023-12-23 23:02:48.000000000 +0100
@@ -29,12 +29,21 @@
         Creates a set of signing keys used to sign EFI binaries. Currently, it
         will create the following keys:
         * Platform Key
-        * Key Exchange key
+        * Key Exchange Key
         * Signature Database Key
 
+        *-e*, *--export*;;
+                The directory to persist the exported keys.
+
+                Default: "/usr/share/secureboot/keys/"
+
+        *-d*, *--database-path*;;
+                Path to save the GUID file when generating keys.
+
+                Default: "/usr/share/secureboot/"
+
 **enroll-keys**::
-        Enrolls the creates key into the EFI variables. This puts the computer
-        out of SetupMode and enables Secure Boot.
+        Enrolls the created key into the EFI variables. 
 
         Note that some devices have hardware firmware that is signed and
         validated when Secure Boot is enabled. Failing to validate this firmware
@@ -54,8 +63,9 @@
                 This feature is experimental
 
         *-c*, *--custom*;;
-                Enroll custom KEK and db certificates from "/usr/share/secureboot/keys/custom/KEK/"
-                and "/usr/share/secureboot/keys/custom/db/", respectively.
+                Enroll custom KEK and db certificates from "/usr/share/secureboot/keys/custom/KEK/",
+                "/usr/share/secureboot/keys/custom/db/",
+                respectively.
 
         *-f*, *--firmware-builtin*;;
                 Enroll signatures from dbDefault, KEKDefault or PKDefault. This
@@ -88,7 +98,7 @@
         *-p*, *--partial*;;
                Enroll keys only for the hierarchy specified.
                
-               Valid values are: db, dbx, KEK, PK.
+               Valid values are: db, KEK, PK.
 
         *--custom-bytes*;;
                Enroll a custom bytefile provided by its path to the efivar specified by partial. 
@@ -157,7 +167,7 @@
         *-p*, *--partial*;;
                Reset keys only for the hierarchy specified.
                
-               Valid values are: db, dbx, KEK, PK.
+               Valid values are: db, KEK, PK.
 
 **rotate-keys**::
         Rotate the secure boot keys and replace them with newly generated keys.
@@ -170,7 +180,7 @@
         *-p*, *--partial*;;
                Rotate keys only for the hierarchy specified.
                
-               Valid values are: db, dbx, KEK, PK.
+               Valid values are: db, KEK, PK.
 
         *-k*, *--key-file*;;
                Key file to be appended for the specified hierarchy.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/keys.go new/sbctl-0.13/keys.go
--- old/sbctl-0.12/keys.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/keys.go	2023-12-23 23:02:48.000000000 +0100
@@ -35,8 +35,6 @@
 	KEKCert      = filepath.Join(KeysPath, "KEK", "KEK.pem")
 	DBKey        = filepath.Join(KeysPath, "db", "db.key")
 	DBCert       = filepath.Join(KeysPath, "db", "db.pem")
-	DBXKey       = filepath.Join(KeysPath, "dbx", "dbx.key")
-	DBXCert      = filepath.Join(KeysPath, "dbx", "dbx.pem")
 	DBPath       = filepath.Join(DatabasePath, "files.db")
 
 	GUIDPath = filepath.Join(DatabasePath, "GUID")
@@ -59,7 +57,6 @@
 		SignatureAlgorithm: x509.SHA256WithRSA,
 		NotBefore:          time.Now(),
 		NotAfter:           time.Now().AddDate(5, 0, 0),
-		KeyUsage:           x509.KeyUsageDigitalSignature,
 		Subject: pkix.Name{
 			Country:    []string{name},
 			CommonName: name,
@@ -242,10 +239,10 @@
 		Key:         "db",
 		Description: "Database Key",
 	},
-	{
-		Key:         "dbx",
-		Description: "Forbidden Database Key",
-	},
+	// {
+	// 	Key:         "dbx",
+	// 	Description: "Forbidden Database Key",
+	// },
 }
 
 // Check if we have already intialized keys in the given output directory
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/sbctl.go new/sbctl-0.13/sbctl.go
--- old/sbctl-0.12/sbctl.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/sbctl.go	2023-12-23 23:02:48.000000000 +0100
@@ -171,10 +171,16 @@
 		return nil, err
 	}
 
-	one, _ := fs.Fs.Open(microcode)
+	one, err := fs.Fs.Open(microcode)
+	if err != nil {
+		return nil, err
+	}
 	defer one.Close()
 
-	two, _ := fs.Fs.Open(initramfs)
+	two, err := fs.Fs.Open(initramfs)
+	if err != nil {
+		return nil, err
+	}
 	defer two.Close()
 
 	_, err = io.Copy(tmpFile, one)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/sbctl-0.12/tests/utils/certs.go new/sbctl-0.13/tests/utils/certs.go
--- old/sbctl-0.12/tests/utils/certs.go	2023-10-20 20:54:47.000000000 +0200
+++ new/sbctl-0.13/tests/utils/certs.go	2023-12-23 23:02:48.000000000 +0100
@@ -24,7 +24,6 @@
 		SignatureAlgorithm: x509.SHA256WithRSA,
 		NotBefore:          time.Now(),
 		NotAfter:           time.Now().AddDate(5, 0, 0),
-		KeyUsage:           x509.KeyUsageDigitalSignature,
 		Subject: pkix.Name{
 			Country:    []string{"Test Suite Key"},
 			CommonName: "Test Suite",

++++++ vendor.tar.gz ++++++

    

Source-Sync

tags

participants (1)