zbm-dev / zfsbootmenu

ZFS Bootloader for root-on-ZFS systems with support for snapshots and native full disk encryption
https://zfsbootmenu.org
MIT License

Improve `contrib/zbm-sign.pl` by checking signature before signing & allow user to define the cert and key file names #693

Open Adito5393 opened 3 days ago

Adito5393 commented 3 days ago

ZFSBootMenu build source

Local build, dracut

ZFSBootMenu version

master

Boot environment distribution

Debian 12

Problem description

The problem with the current implementation for the sbsign use case is that it appends the -signed.efi to the file and the generate-zbm script no longer prunes the files correctly when the versions > 1.

Here are my minimal changes to the contrib/zbm-sign.pl:

#     SecureBoot:
#       SignBackup: true
#       DeleteUnsigned: false
#       SignMethod: sbctl
#       KeyDir: /etc/sbkeys
#       KeyFileName: DB.key
#       CrtFileName: DB.crt

  if ( $SignMethod eq "sbctl" ) {
    system "sbctl sign $ZBM/$_";
  } elsif ( $SignMethod eq "sbsign" ) {
    # qx{} captures the command's output (a plain double-quoted string would
    # only hold the command line itself and never match the regex below)
    my $verify_output = qx{sbverify --cert $KeyDir/$CrtFileName $ZBM/$_ 2>&1};
    if ( $verify_output =~ /Signature verification OK/ ) {
      say "File $_ is already signed.";
      next;
    }
    # sign in place so the file name stays the same and generate-zbm pruning still works
    system "sbsign --key $KeyDir/$KeyFileName --cert $KeyDir/$CrtFileName $ZBM/$_ --output $ZBM/$_";
  } else {
    die "Sign method $SignMethod not valid.";
  }
  # Remove the deleting part

Would you be interested in a PR? Feedback on improving my Perl programming skills is welcome.

Steps to reproduce

  1. Install sbsign 0.9.4
  2. Build with the perl script configured etc...
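An added example (not zfsbootmenu's own code) of the "verify before sign, keep the file name" idea above, written so that sbverify's exit status decides instead of text matching, paths are passed without a shell, and the signed image replaces the original only after the output itself verifies. It assumes sbsign/sbverify are installed and that `$ZBM`, `$KeyDir`, `$KeyFileName` and `$CrtFileName` are the configuration values from the proposed snippet.

```perl
#!/usr/bin/perl
# Added example, not zfsbootmenu's own code: sign an EFI image in place only
# when it does not already carry a valid signature, keeping the original file
# name so generate-zbm's version pruning keeps working.
use strict;
use warnings;
use File::Temp qw(tempfile);
use File::Copy qw(move);

# Returns 1 if $file verifies against $crt, 0 otherwise.
# Relies on sbverify's exit status rather than matching its text output.
sub is_signed {
  my ( $file, $crt ) = @_;
  # list-form system: no shell, so odd characters in paths are passed as-is
  my $rc = system( 'sbverify', '--cert', $crt, $file );
  return $rc == 0 ? 1 : 0;
}

# Sign $file with $key/$crt into a temporary file in the same directory and
# rename it over the original only after the signed result verifies, so a
# failed sbsign run never leaves a truncated or unsigned image behind.
sub sign_in_place {
  my ( $file, $key, $crt ) = @_;
  my ($dir) = $file =~ m{^(.*)/[^/]+$};
  $dir = '.' unless defined $dir;
  my ( $fh, $tmp ) = tempfile( 'zbm-sign-XXXXXX', DIR => $dir, SUFFIX => '.efi' );
  close $fh;
  my $rc = system( 'sbsign', '--key', $key, '--cert', $crt, '--output', $tmp, $file );
  if ( $rc != 0 or not is_signed( $tmp, $crt ) ) {
    unlink $tmp;
    die "signing $file failed, original left untouched\n";
  }
  move( $tmp, $file ) or die "cannot replace $file: $!\n";
  return 1;
}

# Use from the file loop in zbm-sign.pl (assumed variables as in the issue):
# for my $img (@efi_files) {
#   my $path = "$ZBM/$img";
#   if ( is_signed( $path, "$KeyDir/$CrtFileName" ) ) {
#     print "File $img is already signed.\n";
#     next;
#   }
#   sign_in_place( $path, "$KeyDir/$KeyFileName", "$KeyDir/$CrtFileName" );
# }
```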
ahesford commented 3 days ago

You are certainly welcome to submit a pull request.