kernel-source/kernel-cert-subpackage

58 lines
1.4 KiB
Plaintext
Raw Normal View History

%package -n %{-n*}-ueficert
Summary: UEFI Secure Boot Certificate For Package %{-n*}-kmp
Group: System/Kernel
%description -n %{-n*}-ueficert
This package contains the UEFI Secure Boot certificate used to sign
modules in the %{-n*}-kmp packages.
# The scriptlets are reused in kernel-binary.spec.in by a sed script that
# stops at the next line that starts with a percent sign
%post -n %{-n*}-ueficert
if ! command -v mokutil >/dev/null; then
exit 0
fi
# Only apply CA check on the kernel package certs (bsc#1173115)
if [ %{defined _suse_kernel_module_subpackage} = 0 ] && mokutil -h | grep -q "ca-check"; then
MOK_ARG="--ca-check"
else
MOK_ARG=""
fi
# XXX: Only call mokutil if UEFI and shim are used
for cert in @CERTS@; do
cert="/etc/uefi/certs/${cert}.crt"
if ! mokutil --import "$cert" --root-pw ${MOK_ARG}; then
echo "Failed to import $cert"
fi
done
exit 0
%preun -n %{-n*}-ueficert
if ! command -v mokutil >/dev/null; then
exit 0
fi
for cert in @CERTS@; do
cert="/etc/uefi/certs/${cert}.crt"
ln "$cert" "$cert.delete"
done
exit 0
%postun -n %{-n*}-ueficert
if ! command -v mokutil >/dev/null; then
exit 0
fi
for cert in @CERTS@; do
cert="/etc/uefi/certs/${cert}.crt"
if ! test -e "$cert"; then
if ! mokutil --delete "$cert.delete" --root-pw; then
echo "Failed to delete $cert"
fi
fi
rm "$cert.delete"
done
exit 0
%files -n %{-n*}-ueficert
%defattr(-, root, root)
%dir /etc/uefi
/etc/uefi/certs