maximbaz / arch-secure-boot

UEFI Secure Boot for Arch Linux + btrfs snapshot recovery
ISC License

generate-efi not triggered when arch-secure-boot is updated #19

Closed ShellCode33 closed 1 year ago

ShellCode33 commented 1 year ago

Would it make sense to add arch-secure-boot itself to 95-arch-secure-boot-generate-efi.hook? Though I don't know how it would behave when arch-secure-boot is being installed for the first time.

People that have a broken install because of #17 must run arch-secure-boot generate-efi manually after they have upgraded the arch-secure-boot package.

maximbaz commented 1 year ago

I like the idea! On the initial installation you would probably get "Error: Secure Boot keys are not generated yet", but perhaps it's acceptable... Oooor what if we remove the Operation = Install from the hook, though? All the targets are hard dependencies of arch-secure-boot anyway, so all we really care about is whether any of those files get updated on the system?

ShellCode33 commented 1 year ago

What if some of the packages are reinstalled and not upgraded? Or let's say you already have arch-secure-boot installed and configured, but after some time you decide to install fwupd? I don't think removing Operation = Install is the way to go. The most resilient option might be to create a new hook only for arch-secure-boot that would only have Operation = Upgrade.

EDIT: oh, I didn't catch the fact that they are hard dependencies. (maybe some of them should be optional?) In that case I guess removing Operation = Install would work indeed.

maximbaz commented 1 year ago

(maybe some of them should be optional?)

Good question - my aim for this particular project has always been to keep it very very minimal (and thus very opinionated), basically with a single code path that everyone is testing. For such a critical security component, in the presence of existing bootloaders and customizable alternatives (example), I felt I wanted something with as little variation and cyclomatic complexity as possible, where every line of code counts.

What if some of the packages are reinstalled and not upgraded?

This is interesting - reinstall is also considered an update:

Installations are considered an upgrade if the package or file is already present on the system regardless of whether the new package version is actually greater than the currently installed version. For Path triggers, this is true even if the file changes ownership from one package to another.
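The trigger semantics quoted above, as an added model written for this thread (not pacman's or arch-secure-boot's code): a Package trigger on arch-secure-boot with Operation = Upgrade only, and a Path trigger on a tool path (usr/bin/fwupdmgr is an assumed target) with and without Operation = Install. It shows why a fresh install does not fire an Upgrade-only trigger, why a reinstall does, and why a dependency installed later only fires the hook if Install is kept.

```python
from dataclasses import dataclass, field

@dataclass
class Trigger:
    operations: set   # any of "Install", "Upgrade", "Remove"
    kind: str         # "Package" or "Path"
    targets: set      # package names or paths relative to /, no globs here

@dataclass
class Entry:
    """One package in a transaction (constructed data, not read from pacman)."""
    package: str
    removing: bool = False
    files: set = field(default_factory=set)

def operation_for(present: bool, removing: bool) -> str:
    """alpm-hooks(5): an install counts as Upgrade if the target is already present,
    regardless of version (and, for paths, regardless of which package owned it)."""
    if removing:
        return "Remove"
    return "Upgrade" if present else "Install"

def hook_fires(triggers, transaction, installed_pkgs, installed_files) -> bool:
    """True if any trigger matches any entry of the transaction."""
    for trig in triggers:
        for entry in transaction:
            if trig.kind == "Package":
                if entry.package in trig.targets and operation_for(
                        entry.package in installed_pkgs, entry.removing) in trig.operations:
                    return True
            else:  # Path trigger: only presence of the file on disk matters
                for path in entry.files & trig.targets:
                    if operation_for(path in installed_files, entry.removing) in trig.operations:
                        return True
    return False

# Hypothetical triggers for the two options discussed in the thread.
UPGRADE_ONLY_PKG = [Trigger({"Upgrade"}, "Package", {"arch-secure-boot"})]
FWUPD_PATH = "usr/bin/fwupdmgr"  # assumed path, stands in for any hook target

def scenario_first_install() -> bool:
    return hook_fires(UPGRADE_ONLY_PKG, [Entry("arch-secure-boot")], set(), set())

def scenario_reinstall() -> bool:
    return hook_fires(UPGRADE_ONLY_PKG, [Entry("arch-secure-boot")], {"arch-secure-boot"}, set())

def scenario_fwupd_added_later(keep_install_op: bool) -> bool:
    ops = {"Install", "Upgrade"} if keep_install_op else {"Upgrade"}
    trig = [Trigger(ops, "Path", {FWUPD_PATH})]
    return hook_fires(trig, [Entry("fwupd", files={FWUPD_PATH})], {"arch-secure-boot"}, set())
```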

ShellCode33 commented 1 year ago

So apparently FYI, the update hook is being triggered as soon as it is being installed:

(1/1) upgrading arch-secure-boot
:: Running post-transaction hooks...
(1/4) Arming ConditionNeedsUpdate...
(2/4) Generating signed EFI boot files
Generating EFI images...
Signing Unsigned original image

I was expecting this not to be triggered until the next update, but that's nice.

maximbaz commented 1 year ago

That's interesting, very helpful for our case :grin: