Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

pacstrap fails due to mkinitcpio post hook #311

Closed punoko closed 1 month ago

punoko commented 1 month ago

Hello,

pacstrap exits with the following error when invoked with sbctl in the package list, as it is apparently trying to sign before keys have even been created:

```
# pacstrap -cKM ./sbctl base linux sbctl
...
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-fallback.img'
  -> Early uncompressed CPIO image generation successful
==> Initcpio image generation successful
==> Running post hooks
  -> Running post hook: [sbctl]
Signing /boot/vmlinuz-linux
couldn't access /usr/share/secureboot/keys/db/db.pem: no such file or directory
==> ERROR: '/usr/lib/initcpio/post/sbctl' failed with exit code 1
error: command failed to execute correctly
```

This used to work and I'm not sure what changed. I first noticed it from my weekly CI and reproduced on both my own machine and the official Docker image.

I suppose the hook should check for keys before attempting to sign?

Thanks, have a nice day.

punoko commented 1 month ago

Upon further investigation it seems that the post hook script (/usr/lib/initcpio/post/sbctl) changed from version 0.13-2 to 0.14-1 https://github.com/Foxboron/sbctl/commit/8e0e68bc0959f4e86ffcde9e8fa3f0a1680bf06e:

#!/usr/bin/bash
- echo "Signing EFI binaries..."
- /usr/bin/sbctl sign-all -g
+ 
+ KERENEL_FILE="$1"
+ UKI_FILE="$3"
+ 
+ IMAGE_FILE="$KERENEL_FILE"
+ if [ -n "$KERNELDESTINATION" ] && [ -f "$KERNELDESTINATION" ]; then
+     IMAGE_FILE="$KERNELDESTINATION"
+ fi
+ if [ -n "$UKI_FILE" ]; then
+     IMAGE_FILE="$UKI_FILE"
+ fi
+ 
+ if [ -z "$IMAGE_FILE" ]; then
+     echo "No kernel or UKI found for signing"
+     exit 0
+ fi
+ 
+ echo "Signing $IMAGE_FILE"
+ sbctl sign -s "$IMAGE_FILE"
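
Review bot: The final `sbctl sign -s "$IMAGE_FILE"` runs unconditionally and its exit status becomes the hook's, so on a root where no keys have been created yet (the `db.pem` error in the log above) the hook exits 1, where the removed `sbctl sign-all -g` is reported to have returned 0. Consider checking that the signing key exists before calling `sbctl sign`, exiting 0 with a message when it does not, and keeping a real signing failure fatal when keys are present. Separately, `KERENEL_FILE` is misspelled (consistently, so it still works), and the new call drops the absolute `/usr/bin/sbctl` path that the removed line used.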

sign-all behaved nicely and returned 0 since nothing had been enrolled yet, but sign -s "$IMAGE_FILE" fails as it expects keys to exist
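
A hook guarded the way the report suggests ("check for keys before attempting to sign"), as an added example that is not sbctl's own script or its fix. The `db.pem` path is taken from the error message above; `SBCTL_KEY_DIR` and `SBCTL_BIN` are hypothetical overrides introduced here so the logic can be exercised without real keys.

```shell
#!/usr/bin/bash
# Added example: a guarded variant of the post hook, not sbctl's own script.
# The db.pem path comes from the error in the issue. SBCTL_KEY_DIR and
# SBCTL_BIN are hypothetical overrides so the logic can be tested without
# real keys or a real sbctl binary.

# Pick the image to sign, same precedence as the hook in the diff:
# UKI ($3 of the hook) over $KERNELDESTINATION over the kernel ($1).
pick_image() {
    image="$1"
    if [ -n "$KERNELDESTINATION" ] && [ -f "$KERNELDESTINATION" ]; then
        image="$KERNELDESTINATION"
    fi
    if [ -n "$2" ]; then
        image="$2"
    fi
    printf '%s' "$image"
}

# Print the action the hook should take for an image:
#   skip-no-image  nothing to sign
#   skip-no-keys   keys were never created (fresh pacstrap or chroot)
#   sign           keys exist, so a signing failure must stay fatal
sign_decision() {
    key_dir="${SBCTL_KEY_DIR:-/usr/share/secureboot/keys}"
    if [ -z "$1" ]; then
        echo skip-no-image
    elif [ ! -f "$key_dir/db/db.pem" ]; then
        echo skip-no-keys
    else
        echo sign
    fi
}

# Run the hook. Returns 0 on either skip; in the "sign" case the exit
# status of sbctl is returned unchanged, so a failed signature on an
# enrolled system still fails the initramfs build.
run_hook() {
    image="$(pick_image "$1" "$2")"
    case "$(sign_decision "$image")" in
        skip-no-image)
            echo "No kernel or UKI found for signing"
            return 0 ;;
        skip-no-keys)
            # Written to stderr so an unsigned image is visible in logs.
            echo "No Secure Boot keys found, not signing $image" >&2
            return 0 ;;
        sign)
            echo "Signing $image"
            "${SBCTL_BIN:-sbctl}" sign -s "$image" ;;
    esac
}

# The hook in the diff reads the kernel from $1 and the UKI from $3.
if [ "$#" -gt 0 ]; then
    run_hook "$1" "$3"
fi
```

The skip is limited to the case where `db.pem` is absent; once keys exist, any error from `sbctl sign` still aborts the build instead of leaving an unsigned image unnoticed.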