Move secureboot certificate to a GH actions secret
This also renames the variable for the GPG key to SURFACE_GPG_KEY, since it doesn't really have anything to do with github. Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>
This commit is contained in:
parent
e61f87a22a
commit
a4e2b7acbb
34
.github/workflows/release.yml
vendored
34
.github/workflows/release.yml
vendored
|
@ -10,8 +10,7 @@ on:
|
|||
name: Create kernel release and upload binaries
|
||||
|
||||
env:
|
||||
KEY_ID: C1F105E07DA59F2C
|
||||
KEY_NAME: surface-linux
|
||||
GPG_KEY_ID: C1F105E07DA59F2C
|
||||
|
||||
jobs:
|
||||
build-arch:
|
||||
|
@ -50,7 +49,7 @@ jobs:
|
|||
|
||||
- name: Sign packages
|
||||
env:
|
||||
GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
|
||||
GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
|
||||
run: |
|
||||
cd release
|
||||
|
||||
|
@ -59,7 +58,7 @@ jobs:
|
|||
export GPG_TTY=$(tty)
|
||||
|
||||
# sign packages
|
||||
ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $KEY_ID
|
||||
ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID
|
||||
|
||||
- name: Upload artifacts
|
||||
uses: actions/upload-artifact@v1
|
||||
|
@ -129,14 +128,14 @@ jobs:
|
|||
|
||||
- name: Sign packages
|
||||
env:
|
||||
GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
|
||||
GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
|
||||
run: |
|
||||
# import GPG key
|
||||
echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
|
||||
export GPG_TTY=$(tty)
|
||||
|
||||
# sign package
|
||||
dpkg-sig -g "--batch --no-tty" --sign builder -k $KEY_ID release/*.deb
|
||||
dpkg-sig -g "--batch --no-tty" --sign builder -k $GPG_KEY_ID release/*.deb
|
||||
|
||||
- name: Upload artifacts
|
||||
uses: actions/upload-artifact@v1
|
||||
|
@ -158,23 +157,26 @@ jobs:
|
|||
dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
|
||||
dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
|
||||
|
||||
- name: Setup certificates
|
||||
- name: Setup secureboot certificate
|
||||
env:
|
||||
LS_PASSWORD: ${{ secrets.LS_PASSWORD }}
|
||||
SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
|
||||
run: |
|
||||
pkg/secrets/decrypt.sh -p "$LS_PASSWORD" -f pkg/secrets/sb/surface_sb.key.gpg
|
||||
cp pkg/secrets/sb/surface_sb.key pkg/fedora/kernel-surface/surface.key
|
||||
cp pkg/secrets/sb/surface_sb.crt pkg/fedora/kernel-surface/surface.crt
|
||||
cd pkg
|
||||
|
||||
# Install the surface secureboot certificate
|
||||
echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
|
||||
cp keys/surface.crt fedora/kernel-surface/surface.crt
|
||||
|
||||
- name: Build packages
|
||||
run: |
|
||||
pushd pkg/fedora/kernel-surface
|
||||
../makerpm
|
||||
popd
|
||||
cd pkg/fedora/kernel-surface
|
||||
|
||||
# Build the .rpm packages
|
||||
../makerpm
|
||||
|
||||
- name: Sign packages
|
||||
env:
|
||||
GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
|
||||
GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
|
||||
run: |
|
||||
cd pkg/fedora/kernel-surface/out/x86_64
|
||||
|
||||
|
@ -182,7 +184,7 @@ jobs:
|
|||
echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
|
||||
|
||||
# sign packages
|
||||
rpm --resign *.rpm --define "_gpg_name $KEY_NAME"
|
||||
rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"
|
||||
|
||||
- name: Upload artifacts
|
||||
uses: actions/upload-artifact@v1
|
||||
|
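Review bot: The new `echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key` line in the "Setup secureboot certificate" step writes the Secure Boot private key to the checked-out workspace under the runner's default umask and with no check that the secret is actually present: an unset or empty `SURFACE_SB_KEY` decodes cleanly to an empty `surface.key` and the build carries on (only a malformed value fails, and only if the default `bash -eo pipefail` for `run:` has not been overridden, which this hunk does not show). I would tighten the materialisation to `umask 077`, `test -n "$SB_KEY" || { echo "SURFACE_SB_KEY secret is not set" >&2; exit 1; }`, `echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key`. Because the key now lives inside `pkg/fedora/kernel-surface/` for the rest of the job, it is worth confirming that neither `../makerpm` nor the later `actions/upload-artifact` step (whose `path` is outside this hunk) sweeps `surface.key` into a source tarball or artifact, and a final `if: always()` step that removes it (`rm -f pkg/fedora/kernel-surface/surface.key`) would make that explicit. A short comment above the line, e.g. `# Private SB key from the SURFACE_SB_KEY secret; must never be uploaded or packaged`, would document the expectation for the next maintainer.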
|
|
@ -1,26 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIEWTCCA0GgAwIBAgIUXswTRJ9wc3c/U0VZ/zn4gZEQP9AwDQYJKoZIhvcNAQEL
|
||||
BQAwgZMxCzAJBgNVBAYTAkRFMRQwEgYDVQQIDAtCcmFuZGVuYnVyZzEQMA4GA1UE
|
||||
BwwHUG90c2RhbTEVMBMGA1UECgwMRG9yaWFuIFN0b2xsMSAwHgYDVQQDDBdTZWN1
|
||||
cmUgQm9vdCBTaWduaW5nIEtleTEjMCEGCSqGSIb3DQEJARYUZG9yaWFuLnN0b2xs
|
||||
QHRtc3AuaW8wIBcNMTkwNDIzMjI0NjM4WhgPMjExOTAzMzAyMjQ2MzhaMIGTMQsw
|
||||
CQYDVQQGEwJERTEUMBIGA1UECAwLQnJhbmRlbmJ1cmcxEDAOBgNVBAcMB1BvdHNk
|
||||
YW0xFTATBgNVBAoMDERvcmlhbiBTdG9sbDEgMB4GA1UEAwwXU2VjdXJlIEJvb3Qg
|
||||
U2lnbmluZyBLZXkxIzAhBgkqhkiG9w0BCQEWFGRvcmlhbi5zdG9sbEB0bXNwLmlv
|
||||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv6RzT8ewIgYtLd8YQA56
|
||||
BMCGXBrauzmYvABaNomTPZPbeLrqIbt3lMaA++yzYWOXjZs9aa31njgrw0I1wqMP
|
||||
DAMMYQAOVBa9Oyp7NzvfHCRYXpZ0k2B3URFVQapVqCs+4l2eEf/36xoqNG+cVMzb
|
||||
mbv19/PU2w4Xc7sLr1h/S3jkvs/I8tuLzxPY9rQsnxeOJz+WanVBkJ7YeQEpqnYV
|
||||
xb/ABHaxmJ7TH42BrwwSljVgKRmONTzmWPqBb7cNNac90hjwKH7J6mAdaHmtUUdV
|
||||
IG2NigS+x3+H2F+C9ePiP29Ge3QIR6ow82k9avgDdngRqTKwalHiMDMhG25n9UIh
|
||||
cwIDAQABo4GgMIGdMB0GA1UdDgQWBBTBi7Ab2CFO1DJIKqoMHDb/sCgu2DAfBgNV
|
||||
HSMEGDAWgBTBi7Ab2CFO1DJIKqoMHDb/sCgu2DAMBgNVHRMBAf8EAjAAMB8GA1Ud
|
||||
JQQYMBYGCCsGAQUFBwMDBgorBgEEAYI3CgMGMCwGCWCGSAGG+EIBDQQfFh1PcGVu
|
||||
U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAnSSC
|
||||
xOAGG2QBALMU7IuThbuvcEubY51WOK5sWUTZ6YR6AfcCxDGbTSwk7lqaZ/RgWes1
|
||||
knu0rZ0/s+VUoH5zO9MWOlm+Ji6JxjMh4BfZoQksp8hMCzGzZEIQGdwVhCCw9Wg4
|
||||
En2TO/5/HjeXRtP1Eapt7vllDBangB5/xrMXIUq/7oDnjZHx3e7X456ZUq2Lkg2k
|
||||
gPEhaCEdXEnxQo+eYGxeGxjGMq4QXTYzf2klbNImiTDY6kI0pg+yz80o8Rbk4Sdm
|
||||
YzK3F/oJ1xaC4PL4ho6tVcFSyA+Tclg9dhjgJxsL9Le79HmU2pzXK6D6cpXg7LLp
|
||||
whMV7LE6d/r3SkvHNQ==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,45 +0,0 @@
|
|||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA0kEEAV+39rqAQ/9HMJOBLFEWfScG8cDFYzQuxT59Pb5nBkQDiNmPaFIgPZ6
|
||||
b9fZ59zhTPxLpqUtb5NirR066Ywx0+bLF4G58hRc7GmpTa0N7kgXO89zxm+27zHE
|
||||
Pb/mdAzCI0SyXjgs1duBdPgvmxhxN+0ejI3wa2QBGeW88V6+8vlqXlNjQo0FZANp
|
||||
uRH31MCurdMBF2eNkFjuwRPbplQWPy5yZQSgNiw92W3RkWIeGThzp0nRPSb/SAP9
|
||||
6Ls1CEgVf64SzXsisxXksFSeyMgjMhwZkAgDjBhlTf3QJg3AyXu6TZeqUU/x7ZLz
|
||||
xFqUL65rwfMLjKhrZhpQFCsJkvVQ8eNOkHeD6TOd2xKZ8+alG5Q1Q+j6GQLAYQRD
|
||||
+ChV6cJCY3WlH2Uqf31HS5RxrT1Bnk7DSJeSFpJijA15OCsABeeHOu8uszyHv00I
|
||||
VfV7sZ6nnNM3Kw8d3BJg4pWJSeYe1Iys2Zlo4KTV0q8jFpmbz9JnhhZ1pe7xGMZz
|
||||
r0KfRexgCOXukAzLlJd5tt+bQFkw8ceqFbZeRBo1xbgjYgzIBmNKHJWWJh6L+Hcg
|
||||
HmhXi/z7OZHtpNs3loeb/uTvItv39MBbh6zNDpKhLncmOXDFteVdFaxaC1h77LPW
|
||||
scIeAHXlFxYbuYKXMaygjB8z9nPa6lOpPbz/wYslZWxue/2rcVoro4uphrEMsxnS
|
||||
6gH5jrmBss+62xrAd7UBVB01qt9u3d6vxlcA9lsuYG7YgpfdLDhG0dPQAHERgyfn
|
||||
HMp6m4l7JV7dpTwJgGcb42IgREQGxsAPwGbr0OY+3giMCh/YB5hJaiM2qVk7WajS
|
||||
hIowFPIxpjdB0K71rLrkunBikgsuJHgem9MLpT9FrSVU4uOi2HYSLm6Afa5X2c3G
|
||||
k/fWDvrK9U37pl5NPRT9Q+01MCjKD0s44vKqFW71Y7vYllZko8pNrPqF+lC4UyYj
|
||||
yXVRD3VNRLzf2PxQmKNNSncurYF312zEKkcLRhmhPm2LcG19ADy6tEGtzSxzPOdI
|
||||
daczY0yF/CxF7QbdYyOMvVdEYVGhhf36ZYfB+LmIj1j7mHJlbMSvC0yTaOhEf7rZ
|
||||
rQbhkjhomyMgdphIAm0kFDZfk2sbYlUFt+vlwKckhIAe2wMBFhjQXThkegOJfRK6
|
||||
Wo4ob2E8ZVhOOrwbFKLrF9kDPSZ/TZe/xVAkaGKmcCVNtLitfcMaOVlPujVzLFAJ
|
||||
NMlWp+jn4XGXlRgGtEhnU/QUIbjHhgMwe3eYAMeWxePJ7KmW2Vlw9lraqwMo+hxZ
|
||||
7ShN5d2nZmz7GnUpP1iprTl3Cwqr/QOrUQpZpa4iMWrm2HIStPKi+qAxamkltKwq
|
||||
iAdDPzggCQC5Z92/xc6i5gqhE/Rvto3ZaikMSgrTg/B2qtbhwMiXju0QvO80h27b
|
||||
y1peU37nvqo6lOlHInEiOTU8o18zmXeOC9Io4vZTqLAwVqJt5kQWGnAqpkqYQ/dV
|
||||
xUhuhKTj6W8szNiB6diOJR/TrLJIueLfV9EiekIz3p7hfFOC1Czb2jrXYjTvz7Ri
|
||||
qVB6Ia9ibCADD/b/Grlte2H38uhfdJ5qE/ew5o4S4vkNwwhJlzv+cs6N5rsVVCzj
|
||||
Q/pSlvTHRN8aCtWuAGcOvtvUKdjnSvcpGCS8BKzoc+1cZv4o9e37eQXfwekvst+R
|
||||
Vnj6J73il/HeSlUsBfairCyjlvHVBwkdxT7Iz7P0I7Mnr1P1McUiEaKfGcHrANqT
|
||||
QAM5JGc1fAnKlzCLDLrTM7fycIE4XhKfFFpmX1oDWNvPwJm+fNMx6yLt4FqxMJZo
|
||||
gcu2y7hHawgxP+yBChjqILZj2786HfwgQ5ydb9FqtbPes/8dz9HcoxFz+Fdwywn7
|
||||
EFSs1S1xlAuAwDkrJ9e+00fYzdpBjpL2HB6kvz/DT9uVWNi2CuMXAgZ9gLUGUHJw
|
||||
CxAWouINNi7h4t9N71zZP9OkMsh7qQduT7ow1eXW1Chzc1XgSvK0UvNl2GN2iQu1
|
||||
mIt52rWRTW8i0K0r18FRH8RhqxbYmxfkxHNNKyz+cAGG8HSEpT3W4q4S4z8kVyXp
|
||||
w8RRqUDPUFE/zM8LMe+exdjAsvP7z5gX22GmlHmIcwFcpVakc88gz+NcZ6Yvl5q3
|
||||
ZrB0tV/9hWLCoHC5cmdl9s6vsfZFKCmwm0otBkuUM/hK17AVaNqxCiNHVzh+x+gd
|
||||
VHpm/qzAuALH151CN+0U6G/4LtQxU9YUydQ1Xzb6pNuBP8ckA8FFics3QNSrvXvM
|
||||
aPFUyOGwx5Vp3d4EMp+YCWVwGnFY5vsUsImJU122eBTCVugB3iz3Vr/4brbSZlft
|
||||
Fs4JeJ+Ju9zQLsDYpeD3cVMbzKtxwdv9jHfofkl6muN0j+jBJPef1uzXrff1IGTx
|
||||
Y8peLxpFfu32N6EnhZZRRxX5V0p/gud546/nb+uiOYeT/Cms0bAUXTu519TEVoSR
|
||||
p6MGjQ9F6KBugy4FfYMOJ4wmMMvxzh0dZj7xDjPD7tPogo/ZOpQkf9QlupmqO//4
|
||||
s5Tm9vGSvWREo0lfVtR36v2raIyDjwUz05gkxxvv5A3Spy0KOdEOwMAmFGSIJUWH
|
||||
TY4Nme0=
|
||||
=XFHW
|
||||
-----END PGP MESSAGE-----
|
Binary file not shown.
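--- a/pkg/secrets/.gitignore
+++ b/pkg/secrets/.gitignore
@@ -1,2 +0,0 @@
-surface_sb.key
-surface_gpg.key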
|
|
@ -1,21 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
PASS=""
|
||||
FILE=""
|
||||
|
||||
while getopts ":p:f:" args; do
|
||||
case "$args" in
|
||||
p)
|
||||
PASS=$OPTARG
|
||||
;;
|
||||
f)
|
||||
FILE=$OPTARG
|
||||
;;
|
||||
esac
|
||||
done
|
||||
shift $((OPTIND-1))
|
||||
|
||||
OUTPUT=$(echo $FILE | sed 's/.gpg$//g')
|
||||
|
||||
gpg --quiet --no-tty --batch --yes --decrypt \
|
||||
--passphrase="$PASS" --output $OUTPUT $FILE
|
Binary file not shown.
Binary file not shown.