From d709382cf1cae75c68eb08c7b061d25758a3c9ca Mon Sep 17 00:00:00 2001
From: Kyle Gospodnetich
Date: Tue, 18 Jun 2024 13:11:45 -0700
Subject: [PATCH] feat: Add kernel signer to sign Fedora kernel with ublue's keys for secure boot (#1404)
---
 .github/workflows/reusable-build.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index 92080adba09..6f64981ca81 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -144,14 +144,18 @@ jobs:
 if [[ "$IS_LATEST_VERSION" == "true" ]] && \
 [[ "$IS_STABLE_VERSION" == "true" ]]; then
 BUILD_TAGS+=("testing")
+ echo "DEFAULT_TAG=testing" >> $GITHUB_ENV
 elif [[ "$IS_GTS_VERSION" == "true" ]]; then
 BUILD_TAGS+=("gts-testing")
+ echo "DEFAULT_TAG=gts-testing" >> $GITHUB_ENV
 fi
 elif [[ "$IS_LATEST_VERSION" == "true" ]] && \
 [[ "$IS_STABLE_VERSION" == "true" ]]; then
 BUILD_TAGS+=("latest")
+ echo "DEFAULT_TAG=latest" >> $GITHUB_ENV
 elif [[ "$IS_GTS_VERSION" == "true" ]]; then
 BUILD_TAGS+=("gts")
+ echo "DEFAULT_TAG=gts" >> $GITHUB_ENV
 fi
 if [[ "${{ github.event_name }}" == "pull_request" ]]; then
@@ -221,6 +225,16 @@ jobs:
 extra-args: |
 --target=${{ env.TARGET_NAME }}
+ - name: Sign kernel
+ uses: ublue-os/kernel-signer@v0.2.2
+ with:
+ image: ${{ steps.build_image.outputs.image }}
+ default-tag: ${{ env.DEFAULT_TAG }}
+ privkey: ${{ secrets.AKMOD_PRIVKEY_20230518 }}
+ pubkey: /etc/pki/akmods/certs/akmods-ublue.der
+ tags: ${{ steps.build_image.outputs.tags }}
+ strip: false
+
 # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
 # https://github.com/macbre/push-to-ghcr/issues/12
 - name: Lowercase Registry
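Review bot: `DEFAULT_TAG` is exported only inside the four branches that append a build tag, so a run that matches none of them leaves it unset and the later `default-tag: ${{ env.DEFAULT_TAG }}` input expands to an empty string. Since the signing step consumes this value, the script should either fail explicitly when no branch matched or the signing step should be skipped when `env.DEFAULT_TAG` is empty. The `pull_request` block that follows may rewrite the tag list (its body is outside the hunk), so it is worth confirming that `DEFAULT_TAG` still names a tag that actually exists on the built image in that case. As a style point, quote the target file: `echo "DEFAULT_TAG=testing" >> "$GITHUB_ENV"`. The enclosing `if`/`elif` chain starts outside the hunk.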
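Review bot: The new `Sign kernel` step passes `secrets.AKMOD_PRIVKEY_20230518` to an action referenced by the mutable tag `v0.2.2`, so if that tag is ever moved, whatever code it then points at runs with the Secure Boot signing key. Pin the action to the reviewed commit and keep the version as a comment, `uses: ublue-os/kernel-signer@<full-commit-sha> # v0.2.2`. The step also has no `if:` condition although the same job handles `pull_request` events (first hunk); on fork PRs the secret is presumably empty, so confirm the action fails closed rather than emitting an unsigned or mis-signed kernel, or gate the step on non-PR events. A short comment above the step stating that `pubkey` is a path inside the built image (if that is what the action expects) would help the next reader.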