mirror of
https://github.com/containers/bootc.git
synced 2026-02-05 06:45:13 +01:00
Main goal is to reduce signing logic duplication between the systemd-boot and UKI generation. However, this quickly snowballed into wanting to actually verify, by providing custom secure boot keys to bcvk, that things worked.

This depends on https://github.com/bootc-dev/bcvk/pull/170

Now as part of that, I ran into what I think are bugs in pesign; this cuts things back over to using sbsign. I'll file a tracker for that separately.

Finally as part of this, just remove the TMT example that builds a sealed image but doesn't actually verify it works - it's already drifted from what we do outside here. Ultimately what we need is to shift some of this into the Fedora examples and we just fetch it here anyways.

Assisted-by: Claude Code (Sonnet 4.5)
Signed-off-by: Colin Walters <walters@verbum.org>
35 lines
928 B
Bash
Executable File
#!/bin/bash
# Configure system for a specific bootc variant
set -xeuo pipefail

dn=$(dirname "$0")

VARIANT="${1:-}"

if [ -z "$VARIANT" ]; then
    # No variant specified, nothing to do
    exit 0
fi

# Handle variant-specific configuration
case "${VARIANT}" in
    *-sdboot)
        # Install systemd-boot and remove bootupd;
        # We downloaded this in an earlier phase
        sdboot="usr/lib/systemd/boot/efi/systemd-bootx64.efi"
        sdboot_bn=$(basename "${sdboot}")
        rpm -Uvh /run/sdboot-content/out/*.rpm
        # And override with our signed binary
        install -m 0644 "/run/sdboot-signed/out/${sdboot_bn}" "/${sdboot}"

        # Uninstall bootupd
        rpm -e bootupd
        rm -rf /usr/lib/bootupd/updates
        # Clean up package manager caches
        dnf clean all
        rm -rf /var/cache /var/lib/{dnf,rhsm} /var/log/*
        ;;
    # Future variants can be added here
    # For Debian support, this could check package manager type and use apt instead
esac