
Enable signing of boot.efi #40

@toanju

Description


What would you like to be added:

To be able to create OCI images we added the _pxe feature directly to gardenlinux-ccloud. However, the below tweak was created to omit signatures for images created here.

Signatures need to be enabled in the gardenlinux-ccloud repo with the necessary keys. Then the _pxe feature can be symlinked like others.

diff ./features/_pxe/image.pxe.tar.gz ./gardenlinux/features/_pxe/image.pxe.tar.gz

76a77,88
> if [ -f "$cert_base.key" ]; then
>       key_params=(--key "$cert_base.key")
> elif [ -f "$cert_base.arn" ]; then
>       key_params=(--engine pkcs11 --key "pkcs11:token=$(basename "$(cat "$cert_base.arn")" | cut -c -32)")
> else
>       echo "neither $cert_base.key nor $cert_base.arn exists, but at least one is required" >&2
>       exit 1
> fi
>
> # sign unified image
> datefudge -s "@$BUILDER_TIMESTAMP" sbsign --cert "$cert_base.crt" "${key_params[@]}" --output boot.efi unified_image
>
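Review bot: the two branches only check for `$cert_base.key` or `$cert_base.arn`, but the `sbsign` call on the last line of this hunk also requires `$cert_base.crt`, which is never checked; if the certificate is missing, the failure comes from `sbsign` rather than from a clear message, so add a guard such as `[ -f "$cert_base.crt" ] || { echo "$cert_base.crt is required" >&2; exit 1; }` before the `if`. The pkcs11 branch also builds a URI that selects only by `token=` (the basename of the ARN truncated to 32 characters, the PKCS#11 label limit), so a token holding more than one private key leaves the choice to the engine; document that assumption or narrow the URI with `object=`/`type=private` if the token layout allows it.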
80c92
< tar --create --mtime="@$BUILDER_TIMESTAMP" --sort name --numeric-owner --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime vmlinuz initrd root.squashfs | gzip > "$output"
---
> tar --create --mtime="@$BUILDER_TIMESTAMP" --sort name --numeric-owner --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime vmlinuz initrd root.squashfs boot.efi | gzip > "$output"
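Review bot: the archive now carries the signed `boot.efi` next to the still-unsigned `vmlinuz` and `initrd`; the signature only enforces anything if the PXE consumer boots `boot.efi` (the unified image) rather than the loose kernel and initrd, so the feature's documentation should state that `boot.efi` is the artifact Secure Boot verifies and what the other two files are kept for. Consider also verifying the signature right after signing (e.g. `sbverify --cert "$cert_base.crt" boot.efi`) so a broken engine or wrong key fails the build instead of producing an archive that only fails at boot.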

Labels: kind/enhancement (Enhancement, improvement, extension)