Set-up secure-boot signing for Arch Linux

.github/workflows/release.yml

@@ -24,7 +24,17 @@ jobs:
       - name: Install build dependencies
         run: |
           # Install makepkg deps
-          pacman -Sy sudo binutils fakeroot grep base-devel git --noconfirm
+          pacman -Sy sudo binutils fakeroot grep base-devel git sbsigntools --noconfirm
+
+      - name: Setup secureboot certificate
+        env:
+          SB_KEY: ${{ secrets.SURFACE_SB_KEY }}
+        run: |
+          cd pkg
+
+          # Install the surface secureboot certificate
+          echo "$SB_KEY" | base64 -d > arch/kernel/MOK.key
+          cp keys/surface.crt arch/kernel/MOK.crt
 
       - name: Build
         run: |

pkg/arch/kernel/PKGBUILD

@@ -87,14 +87,24 @@ _package() {
   optdepends=('crda: to set the correct wireless channels of your country'
               'linux-firmware: firmware images needed for some devices')
 
+  local mok_crt="$PWD/MOK.crt"
+  local mok_key="$PWD/MOK.key"
+
   cd $_srcname
   local kernver="$(<version)"
   local modulesdir="$pkgdir/usr/lib/modules/$kernver"
+  local image_name="$(make -s image_name)"
+
+  # sign boot image if the prequisites are available
+  if [[ -f "$mok_crt" ]] && [[ -f "$mok_key" ]] && [[ -x "$(command -v sbsign)" ]]; then
+    msg2 "Signing boot image..."
+    sbsign --key "$mok_key" --cert "$mok_crt" --output "$image_name" "$image_name"
+  fi
 
   msg2 "Installing boot image..."
   # systemd expects to find the kernel here to allow hibernation
   # https://github.com/systemd/systemd/commit/edda44605f06a41fb86b7ab8128dcf99161d2344
-  install -Dm644 "$(make -s image_name)" "$modulesdir/vmlinuz"
+  install -Dm644 "$image_name" "$modulesdir/vmlinuz"
 
   # Used by mkinitcpio to name the kernel
   echo "$pkgbase" | install -Dm644 /dev/stdin "$modulesdir/pkgbase"