Name:           systemd-boot-sign
Version:        0.1
Release:        1%{?dist}
Summary:        rpm trigger to sign systemd-boot bootloader for x6
License:        Unlicense
Requires:       systemd
BuildArch:      noarch

%description
Simple rpm package which uses a file trigger to automatically sign the
systemd-boot bootloader EFI binary when it is updated.
systemd-boot-update.service (or) the bootctl command will automatically
use the signed binary if it's present.

%prep

%build

%install

%check

%transfiletriggerin -- /usr/lib/systemd/boot/efi
# The trigger receives the paths of the installed or updated files on stdin.
loader=/usr/lib/systemd/boot/efi/systemd-bootx64.efi
while read -r line; do
    # Sign only the x64 loader, and only when a ukify configuration exists.
    if [ "$line" = "$loader" ] && [ -f /etc/kernel/uki.conf ]; then
        # Reuse the Secure Boot key and certificate configured for UKI signing.
        key=$(awk -F= '$1=="SecureBootPrivateKey"{print $2}' /etc/kernel/uki.conf)
        cert=$(awk -F= '$1=="SecureBootCertificate"{print $2}' /etc/kernel/uki.conf)
        # Skip signing when either setting is missing from uki.conf.
        if [ -z "$key" ] || [ -z "$cert" ]; then
            echo "Not signing $loader: key or certificate not set in /etc/kernel/uki.conf"
            continue
        fi
        echo "Signing $loader key: $key cert: $cert"
        /usr/lib/systemd/systemd-sbsign \
            --private-key="$key" \
            --certificate="$cert" \
            --output="$loader.signed" \
            sign "$loader"
    fi
done

%files

%changelog
* Tue Jan 21 2025 scarletstorm - 0.1
- Init package