Bug#1039913: Please add hook for self-signing systemd-boot after upgrade

Michael Biebl biebl at debian.org
Sat Aug 26 14:11:58 BST 2023


tags 1039913 + wontfix
thanks

Hi

On Thu, 29 Jun 2023 15:56:31 +0200 Marco d'Itri <md at Linux.IT> wrote:
> On Jun 29, Jan Naumann <jan at jans-seite.de> wrote:
> 
> > Could you please add a hook to the postinst that either a local script can be
> > called on installation time which takes care of signing the image (similar to
> > the `/etc/kernel/postinst.d/ mechamism) or add some call to `sbsign` yourself if
> > e.g. the signing key is available at a specific path.
> I am working on packaging sbctl (which I believe is *much* nicer[1] than
> sbsigntool and mokutil), so I plan to do some work in this area in the 
> future.
> But I am not sure yet of which shape this interface should have.
> 
> Part of the issue is that at least sbctl signs the installed binaries in 
> place, while bootctl looks for .efi.signed files in the source 
> directory, and "bootctl install" could also be run manually at any time.
> 
> But since systemd-bootx64.efi comes from /usr/lib/systemd/boot/efi/ it 
> would not be right to have something which is not the package manager 
> install a .efi.signed file there, so I suspect that this cannot be 
> solved just with some shell scripting.
> And for the time being there are zero chances that Debian (or anybody 
> else, I understand) will be able to ship a signed systemd-boot, so this 
> is not a useful interface right now.
> 
> [1] https://blog.bofh.it/debian/id_465

I'm a bit concerned to add such a hook interface without a clear scope
of what this interface is supposed to provide.

And to be somewhat consistent, I assume such a hook interface would
actually have to be added to bootctl directly, which is then no longer
a Debian-specific issue.

For your specific use case, you can probably use a dpkg hook as detailed in
https://unix.stackexchange.com/questions/199511/is-it-possible-to-install-a-hook-that-will-be-called-before-removal-of-a-packa

to do what you want.

I'm thus closing the issue as wontfix.

Regards,
Michael
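As an added example (not code from this bug report, from the systemd package or from sbctl), the following is one way to implement the dpkg-hook approach Michael points to: a local `DPkg::Post-Invoke` script that, after every dpkg run, checks whether the systemd-boot loader copied into the ESP still carries a valid signature from a locally held db certificate and, if not, signs it in place with `sbsign`. It deliberately signs the ESP copy rather than dropping a `.efi.signed` file into `/usr/lib/systemd/boot/efi/`, which Marco notes would interfere with package-managed files. The script name, the key and certificate paths under `/etc/secureboot/`, and the ESP mount point are assumptions; `sbsign` and `sbverify` are the real tools from sbsigntool, and the `SBSIGN`/`SBVERIFY` variables exist only so the script can be exercised without them.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of any Debian package.
# Re-sign the systemd-boot loader in the ESP after dpkg runs, using a local
# Secure Boot db key. Hypothetical paths; adjust for your system.
#
# Wire it in with an apt.conf snippet, e.g. /etc/apt/apt.conf.d/99sign-systemd-boot:
#   DPkg::Post-Invoke { "if [ -x /usr/local/sbin/sign-systemd-boot ]; then /usr/local/sbin/sign-systemd-boot; fi"; };

set -eu

SB_KEY=${SB_KEY:-/etc/secureboot/db.key}      # assumed location of the private key
SB_CERT=${SB_CERT:-/etc/secureboot/db.crt}    # matching certificate (PEM)
ESP=${ESP:-/boot/efi}                          # assumed ESP mount point
SBSIGN=${SBSIGN:-sbsign}                       # overridable for testing
SBVERIFY=${SBVERIFY:-sbverify}

# Return 0 when the file exists and does NOT carry a valid signature from our
# certificate, i.e. an upgrade (bootctl update) has replaced it with the
# unsigned upstream binary and it needs signing again.
needs_signing() {
    f=$1
    [ -f "$f" ] || return 1
    if "$SBVERIFY" --cert "$SB_CERT" "$f" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Sign into a temporary file and rename over the original, so a crash or a
# failed sbsign never leaves a half-written loader in the ESP.
sign_in_place() {
    f=$1
    tmp="$f.tmp.$$"
    if ! "$SBSIGN" --key "$SB_KEY" --cert "$SB_CERT" --output "$tmp" "$f"; then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$f"
}

# Check the two loader copies "bootctl install" writes on x64 and sign
# whichever ones need it. Prints the number of files signed.
sign_all() {
    signed=0
    # No local key on this machine: silently do nothing.
    if ! [ -r "$SB_KEY" ] || ! [ -r "$SB_CERT" ]; then
        echo 0
        return 0
    fi
    for f in "$ESP/EFI/systemd/systemd-bootx64.efi" "$ESP/EFI/BOOT/BOOTX64.EFI"; do
        if needs_signing "$f"; then
            sign_in_place "$f"
            signed=$((signed + 1))
        fi
    done
    echo "$signed"
}

# Only act when run as the installed hook; sourcing the file defines the
# functions without touching the ESP.
case "${0##*/}" in
    sign-systemd-boot) sign_all ;;
esac
```

Because `sbverify` is consulted first, re-running the hook on an already signed loader is a no-op, so it is cheap to attach to every dpkg invocation; keep the key file root-only (mode 0600), since anything that can read it can sign arbitrary binaries for your db entry.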