andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0
225 stars 20 forks

sbupdate fails when using grub sigchecks #50

Closed Keridos closed 2 years ago

Keridos commented 2 years ago

GRUB2's external signature check leaves a signature for each file in /boot/ with the name filename.sig.

This seems to break the kernel detection making it fail on signing the initramfs:

(10/11) Updating UEFI kernel images...
Generating and signing linux-signed.efi
warning: gap in section table:
    .sbat   : 0x0000de00 - 0x0000e000,
    .sdmagic: 0x0000e120 - 0x0000e320,
gaps in the section table may result in different checksums
warning: data remaining[34759168 vs 34770271]: gaps between PE/COFF sections?
warning: gap in section table:
    .sbat   : 0x0000de00 - 0x0000e000,
    .sdmagic: 0x0000e120 - 0x0000e320,
gaps in the section table may result in different checksums
warning: data remaining[34759168 vs 34770272]: gaps between PE/COFF sections?
Signing Unsigned original image
Generating and signing linux.sig-signed.efi
cat: /boot/initramfs-linux.sig.img: No such file or directory

Solution might be to simply ignore all *.sig files in /boot while performing the secure boot signing.

Maryse47 commented 2 years ago

The sig files could be ignored although you shouldn't need grub while using sbupdate.
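
The failure reported in this thread, reproduced on a constructed directory as an added example (not sbupdate's own code and not part of either comment above). It assumes kernels are discovered by globbing `vmlinuz-*` and named by the suffix after `vmlinuz-`, which is inferred from the log; `naive_kernels`, `filtered_kernels` and `make_sample_boot` are hypothetical names.

```shell
#!/bin/sh
# Assumption: kernel discovery globs vmlinuz-* in the boot directory and the
# kernel name is whatever follows the "vmlinuz-" prefix (inferred from the log).

# naive_kernels DIR: every vmlinuz-* match becomes a kernel name, so GRUB's
# detached signature vmlinuz-linux.sig is reported as a kernel "linux.sig".
naive_kernels() {
  for k in "$1"/vmlinuz-*; do
    [ -e "$k" ] || continue            # glob matched nothing
    printf '%s\n' "${k##*/vmlinuz-}"
  done
}

# filtered_kernels DIR: skip *.sig files and any kernel whose initramfs is
# missing, so signing never runs cat on a file that does not exist.
filtered_kernels() {
  for k in "$1"/vmlinuz-*; do
    [ -f "$k" ] || continue
    case "$k" in
      *.sig) continue ;;               # GRUB detached signature, not a kernel
    esac
    name=${k##*/vmlinuz-}
    if [ ! -f "$1/initramfs-$name.img" ]; then
      printf 'skipping %s: no initramfs-%s.img\n' "$name" "$name" >&2
      continue
    fi
    printf '%s\n' "$name"
  done
}

# make_sample_boot: constructed stand-in for /boot with GRUB signature files.
make_sample_boot() {
  d=$(mktemp -d)
  for f in vmlinuz-linux vmlinuz-linux.sig \
           initramfs-linux.img initramfs-linux.img.sig; do
    : > "$d/$f"
  done
  printf '%s\n' "$d"
}

boot=$(make_sample_boot)
echo "naive:";    naive_kernels "$boot"
echo "filtered:"; filtered_kernels "$boot"
rm -rf "$boot"
```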