78 lines
1.8 KiB
Bash
78 lines
1.8 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
set -euxo pipefail
|
|
|
|
if [ -z "${1:-}" ]; then
|
|
$0 setup-builddeps
|
|
$0 setup-secureboot
|
|
$0 build-packages
|
|
$0 sign-packages
|
|
exit
|
|
fi
|
|
|
|
pacman()
|
|
{
|
|
command pacman --noconfirm "$@"
|
|
}
|
|
|
|
case "${1:-}" in
|
|
setup-builddeps)
|
|
# Update the container
|
|
pacman -Syu
|
|
|
|
# Install makepkg deps
|
|
pacman -S sudo binutils fakeroot base-devel git
|
|
|
|
# Install tools for singing the kernel for secureboot
|
|
pacman -S sbsigntools
|
|
;;
|
|
setup-secureboot)
|
|
if [ -z "${SB_KEY:-}" ]; then
|
|
echo "WARNING: No secureboot key configured, skipping signing."
|
|
exit
|
|
fi
|
|
|
|
# Install the surface secureboot certificate
|
|
echo "${SB_KEY}" | base64 -d > pkg/arch/kernel/MOK.key
|
|
cp pkg/keys/surface.crt pkg/arch/kernel/MOK.crt
|
|
;;
|
|
build-packages)
|
|
pushd pkg/arch/kernel || exit 1
|
|
|
|
# Fix permissions (can't makepkg as root)
|
|
echo "nobody ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
|
|
chown -R nobody .
|
|
|
|
# Package compression settings (Matches latest Arch)
|
|
export PKGEXT='.pkg.tar.zst'
|
|
export COMPRESSZST=(zstd -c -T0 --ultra -20 -)
|
|
export MAKEFLAGS="-j2"
|
|
|
|
# Build
|
|
su nobody --pty -p -s /bin/bash -c 'makepkg -sf --skippgpcheck --noconfirm'
|
|
|
|
# Prepare release
|
|
mkdir release
|
|
find . -name '*.pkg.tar.zst' -type f -print0 | xargs -0 -I '{}' mv {} release
|
|
|
|
popd || exit 1
|
|
;;
|
|
sign-packages)
|
|
if [ -z "${GPG_KEY:-}" ] || [ -z "${GPG_KEY_ID:-}" ]; then
|
|
echo "WARNING: No GPG key configured, skipping signing."
|
|
exit
|
|
fi
|
|
|
|
pushd pkg/arch/kernel/release || exit 1
|
|
|
|
# import GPG key
|
|
echo "${GPG_KEY}" | base64 -d | gpg --import --no-tty --batch --yes
|
|
|
|
# sign packages
|
|
find . -name '*.pkg.tar.zst' -type f -print0 | xargs -0 -I '{}' \
|
|
gpg --detach-sign --batch --no-tty -u "${GPG_KEY_ID}" {}
|
|
|
|
popd || exit 1
|
|
;;
|
|
esac
|