Move secureboot certificate to a GH actions secret

This also renames the variable for the GPG key to SURFACE_GPG_KEY, since
it doesn't really have anything to do with github.

Signed-off-by: Dorian Stoll <dorian.stoll@tmsp.io>

.github/workflows/release.yml

@@ -10,8 +10,7 @@ on:
 name: Create kernel release and upload binaries
 
 env:
-  KEY_ID: C1F105E07DA59F2C
-  KEY_NAME: surface-linux
+  GPG_KEY_ID: C1F105E07DA59F2C
 
 jobs:
   build-arch:
@@ -50,7 +49,7 @@ jobs:
 
       - name: Sign packages
         env:
-          GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
+          GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
         run: |
           cd release
 
@@ -59,7 +58,7 @@ jobs:
           export GPG_TTY=$(tty)
 
           # sign packages
-          ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $KEY_ID
+          ls *.pkg.tar.zst | xargs -L1 gpg --detach-sign --batch --no-tty -u $GPG_KEY_ID
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v1
@@ -129,14 +128,14 @@ jobs:
 
       - name: Sign packages
         env:
-          GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
+          GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
         run: |
           # import GPG key
           echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
           export GPG_TTY=$(tty)
 
           # sign package
-          dpkg-sig -g "--batch --no-tty" --sign builder -k $KEY_ID release/*.deb
+          dpkg-sig -g "--batch --no-tty" --sign builder -k $GPG_KEY_ID release/*.deb
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v1
@@ -158,23 +157,26 @@ jobs:
         dnf install -y rpmdevtools rpm-sign 'dnf-command(builddep)'
         dnf builddep -y pkg/fedora/kernel-surface/kernel-surface.spec
 
-    - name: Setup certificates
+    - name: Setup secureboot certificate
       env:
-        LS_PASSWORD: ${{ secrets.LS_PASSWORD }}
+        SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
       run: |
-        pkg/secrets/decrypt.sh -p "$LS_PASSWORD" -f pkg/secrets/sb/surface_sb.key.gpg
-        cp pkg/secrets/sb/surface_sb.key pkg/fedora/kernel-surface/surface.key
-        cp pkg/secrets/sb/surface_sb.crt pkg/fedora/kernel-surface/surface.crt
+        cd pkg
+
+        # Install the surface secureboot certificate
+        echo "$SB_KEY" | base64 -d > fedora/kernel-surface/surface.key
+        cp keys/surface.crt fedora/kernel-surface/surface.crt
 
     - name: Build packages
       run: |
-        pushd pkg/fedora/kernel-surface
-          ../makerpm
-        popd
+        cd pkg/fedora/kernel-surface
+
+        # Build the .rpm packages
+        ../makerpm
 
     - name: Sign packages
       env:
-        GPG_KEY: ${{ secrets.GITHUB_GPG_KEY }}
+        GPG_KEY: ${{ secrets.SURFACE_GPG_KEY }}
       run: |
         cd pkg/fedora/kernel-surface/out/x86_64
 
@@ -182,7 +184,7 @@ jobs:
         echo "$GPG_KEY" | base64 -d | gpg --import --no-tty --batch --yes
 
         # sign packages
-        rpm --resign *.rpm --define "_gpg_name $KEY_NAME"
+        rpm --resign *.rpm --define "_gpg_name $GPG_KEY_ID"
 
     - name: Upload artifacts
       uses: actions/upload-artifact@v1

pkg/fedora/kernel-surface/surface.crt

@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEWTCCA0GgAwIBAgIUXswTRJ9wc3c/U0VZ/zn4gZEQP9AwDQYJKoZIhvcNAQEL
-BQAwgZMxCzAJBgNVBAYTAkRFMRQwEgYDVQQIDAtCcmFuZGVuYnVyZzEQMA4GA1UE
-BwwHUG90c2RhbTEVMBMGA1UECgwMRG9yaWFuIFN0b2xsMSAwHgYDVQQDDBdTZWN1
-cmUgQm9vdCBTaWduaW5nIEtleTEjMCEGCSqGSIb3DQEJARYUZG9yaWFuLnN0b2xs
-QHRtc3AuaW8wIBcNMTkwNDIzMjI0NjM4WhgPMjExOTAzMzAyMjQ2MzhaMIGTMQsw
-CQYDVQQGEwJERTEUMBIGA1UECAwLQnJhbmRlbmJ1cmcxEDAOBgNVBAcMB1BvdHNk
-YW0xFTATBgNVBAoMDERvcmlhbiBTdG9sbDEgMB4GA1UEAwwXU2VjdXJlIEJvb3Qg
-U2lnbmluZyBLZXkxIzAhBgkqhkiG9w0BCQEWFGRvcmlhbi5zdG9sbEB0bXNwLmlv
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv6RzT8ewIgYtLd8YQA56
-BMCGXBrauzmYvABaNomTPZPbeLrqIbt3lMaA++yzYWOXjZs9aa31njgrw0I1wqMP
-DAMMYQAOVBa9Oyp7NzvfHCRYXpZ0k2B3URFVQapVqCs+4l2eEf/36xoqNG+cVMzb
-mbv19/PU2w4Xc7sLr1h/S3jkvs/I8tuLzxPY9rQsnxeOJz+WanVBkJ7YeQEpqnYV
-xb/ABHaxmJ7TH42BrwwSljVgKRmONTzmWPqBb7cNNac90hjwKH7J6mAdaHmtUUdV
-IG2NigS+x3+H2F+C9ePiP29Ge3QIR6ow82k9avgDdngRqTKwalHiMDMhG25n9UIh
-cwIDAQABo4GgMIGdMB0GA1UdDgQWBBTBi7Ab2CFO1DJIKqoMHDb/sCgu2DAfBgNV
-HSMEGDAWgBTBi7Ab2CFO1DJIKqoMHDb/sCgu2DAMBgNVHRMBAf8EAjAAMB8GA1Ud
-JQQYMBYGCCsGAQUFBwMDBgorBgEEAYI3CgMGMCwGCWCGSAGG+EIBDQQfFh1PcGVu
-U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAnSSC
-xOAGG2QBALMU7IuThbuvcEubY51WOK5sWUTZ6YR6AfcCxDGbTSwk7lqaZ/RgWes1
-knu0rZ0/s+VUoH5zO9MWOlm+Ji6JxjMh4BfZoQksp8hMCzGzZEIQGdwVhCCw9Wg4
-En2TO/5/HjeXRtP1Eapt7vllDBangB5/xrMXIUq/7oDnjZHx3e7X456ZUq2Lkg2k
-gPEhaCEdXEnxQo+eYGxeGxjGMq4QXTYzf2klbNImiTDY6kI0pg+yz80o8Rbk4Sdm
-YzK3F/oJ1xaC4PL4ho6tVcFSyA+Tclg9dhjgJxsL9Le79HmU2pzXK6D6cpXg7LLp
-whMV7LE6d/r3SkvHNQ==
------END CERTIFICATE-----

pkg/fedora/kernel-surface/surface.key.asc

@@ -1,45 +0,0 @@
------BEGIN PGP MESSAGE-----
-
-hQIMA0kEEAV+39rqAQ/9HMJOBLFEWfScG8cDFYzQuxT59Pb5nBkQDiNmPaFIgPZ6
-b9fZ59zhTPxLpqUtb5NirR066Ywx0+bLF4G58hRc7GmpTa0N7kgXO89zxm+27zHE
-Pb/mdAzCI0SyXjgs1duBdPgvmxhxN+0ejI3wa2QBGeW88V6+8vlqXlNjQo0FZANp
-uRH31MCurdMBF2eNkFjuwRPbplQWPy5yZQSgNiw92W3RkWIeGThzp0nRPSb/SAP9
-6Ls1CEgVf64SzXsisxXksFSeyMgjMhwZkAgDjBhlTf3QJg3AyXu6TZeqUU/x7ZLz
-xFqUL65rwfMLjKhrZhpQFCsJkvVQ8eNOkHeD6TOd2xKZ8+alG5Q1Q+j6GQLAYQRD
-+ChV6cJCY3WlH2Uqf31HS5RxrT1Bnk7DSJeSFpJijA15OCsABeeHOu8uszyHv00I
-VfV7sZ6nnNM3Kw8d3BJg4pWJSeYe1Iys2Zlo4KTV0q8jFpmbz9JnhhZ1pe7xGMZz
-r0KfRexgCOXukAzLlJd5tt+bQFkw8ceqFbZeRBo1xbgjYgzIBmNKHJWWJh6L+Hcg
-HmhXi/z7OZHtpNs3loeb/uTvItv39MBbh6zNDpKhLncmOXDFteVdFaxaC1h77LPW
-scIeAHXlFxYbuYKXMaygjB8z9nPa6lOpPbz/wYslZWxue/2rcVoro4uphrEMsxnS
-6gH5jrmBss+62xrAd7UBVB01qt9u3d6vxlcA9lsuYG7YgpfdLDhG0dPQAHERgyfn
-HMp6m4l7JV7dpTwJgGcb42IgREQGxsAPwGbr0OY+3giMCh/YB5hJaiM2qVk7WajS
-hIowFPIxpjdB0K71rLrkunBikgsuJHgem9MLpT9FrSVU4uOi2HYSLm6Afa5X2c3G
-k/fWDvrK9U37pl5NPRT9Q+01MCjKD0s44vKqFW71Y7vYllZko8pNrPqF+lC4UyYj
-yXVRD3VNRLzf2PxQmKNNSncurYF312zEKkcLRhmhPm2LcG19ADy6tEGtzSxzPOdI
-daczY0yF/CxF7QbdYyOMvVdEYVGhhf36ZYfB+LmIj1j7mHJlbMSvC0yTaOhEf7rZ
-rQbhkjhomyMgdphIAm0kFDZfk2sbYlUFt+vlwKckhIAe2wMBFhjQXThkegOJfRK6
-Wo4ob2E8ZVhOOrwbFKLrF9kDPSZ/TZe/xVAkaGKmcCVNtLitfcMaOVlPujVzLFAJ
-NMlWp+jn4XGXlRgGtEhnU/QUIbjHhgMwe3eYAMeWxePJ7KmW2Vlw9lraqwMo+hxZ
-7ShN5d2nZmz7GnUpP1iprTl3Cwqr/QOrUQpZpa4iMWrm2HIStPKi+qAxamkltKwq
-iAdDPzggCQC5Z92/xc6i5gqhE/Rvto3ZaikMSgrTg/B2qtbhwMiXju0QvO80h27b
-y1peU37nvqo6lOlHInEiOTU8o18zmXeOC9Io4vZTqLAwVqJt5kQWGnAqpkqYQ/dV
-xUhuhKTj6W8szNiB6diOJR/TrLJIueLfV9EiekIz3p7hfFOC1Czb2jrXYjTvz7Ri
-qVB6Ia9ibCADD/b/Grlte2H38uhfdJ5qE/ew5o4S4vkNwwhJlzv+cs6N5rsVVCzj
-Q/pSlvTHRN8aCtWuAGcOvtvUKdjnSvcpGCS8BKzoc+1cZv4o9e37eQXfwekvst+R
-Vnj6J73il/HeSlUsBfairCyjlvHVBwkdxT7Iz7P0I7Mnr1P1McUiEaKfGcHrANqT
-QAM5JGc1fAnKlzCLDLrTM7fycIE4XhKfFFpmX1oDWNvPwJm+fNMx6yLt4FqxMJZo
-gcu2y7hHawgxP+yBChjqILZj2786HfwgQ5ydb9FqtbPes/8dz9HcoxFz+Fdwywn7
-EFSs1S1xlAuAwDkrJ9e+00fYzdpBjpL2HB6kvz/DT9uVWNi2CuMXAgZ9gLUGUHJw
-CxAWouINNi7h4t9N71zZP9OkMsh7qQduT7ow1eXW1Chzc1XgSvK0UvNl2GN2iQu1
-mIt52rWRTW8i0K0r18FRH8RhqxbYmxfkxHNNKyz+cAGG8HSEpT3W4q4S4z8kVyXp
-w8RRqUDPUFE/zM8LMe+exdjAsvP7z5gX22GmlHmIcwFcpVakc88gz+NcZ6Yvl5q3
-ZrB0tV/9hWLCoHC5cmdl9s6vsfZFKCmwm0otBkuUM/hK17AVaNqxCiNHVzh+x+gd
-VHpm/qzAuALH151CN+0U6G/4LtQxU9YUydQ1Xzb6pNuBP8ckA8FFics3QNSrvXvM
-aPFUyOGwx5Vp3d4EMp+YCWVwGnFY5vsUsImJU122eBTCVugB3iz3Vr/4brbSZlft
-Fs4JeJ+Ju9zQLsDYpeD3cVMbzKtxwdv9jHfofkl6muN0j+jBJPef1uzXrff1IGTx
-Y8peLxpFfu32N6EnhZZRRxX5V0p/gud546/nb+uiOYeT/Cms0bAUXTu519TEVoSR
-p6MGjQ9F6KBugy4FfYMOJ4wmMMvxzh0dZj7xDjPD7tPogo/ZOpQkf9QlupmqO//4
-s5Tm9vGSvWREo0lfVtR36v2raIyDjwUz05gkxxvv5A3Spy0KOdEOwMAmFGSIJUWH
-TY4Nme0=
-=XFHW
------END PGP MESSAGE-----

pkg/secrets/.gitignore

@@ -1,2 +0,0 @@
-surface_sb.key
-surface_gpg.key

pkg/secrets/decrypt.sh

@@ -1,21 +0,0 @@
-#!/bin/sh
-
-PASS=""
-FILE=""
-
-while getopts ":p:f:" args; do
-	case "$args" in
-	p)
-		PASS=$OPTARG
-		;;
-	f)
-		FILE=$OPTARG
-		;;
-	esac
-done
-shift $((OPTIND-1))
-
-OUTPUT=$(echo $FILE | sed 's/.gpg$//g')
-
-gpg --quiet --no-tty --batch --yes --decrypt \
-	--passphrase="$PASS" --output $OUTPUT $FILE