fix(secure-boot): document manual MOK enrollment + publish the cert #11

Merged
zach merged 2 commits from fix/mok-docs-manual into main 2026-06-06 05:54:37 +00:00
Owner

The docs claimed apt install auto-places the signing cert at /var/lib/shim-signed/mok/ and queues MOK enrollment — but there is no postinst that does this, and the public cert was never actually published despite signing-key-procedures.md implying it was. End users on Secure Boot had no working path to trust the key.

This fixes both halves:

  • build-kernel.yml: in the sign step, convert the signing cert PEM→DER (openssl x509 -outform DER) and attach unredacted-hardened.der as a release asset, so every release ships the public cert.
  • docs: rewrite the MOK flow in secure-boot.md to the real manual procedure — download unredacted-hardened.der from the release, verify its SHA-256 fingerprint, sudo mokutil --import, reboot, enroll. Updated install.md + first-build.md to match.

Operator note: each release's notes should now include the cert's SHA-256 fingerprint so users can verify the download.

fix(secure-boot): document manual MOK enrollment + publish the cert
All checks were successful
validate / pycompile (pull_request) Successful in 4s
validate / shellcheck (pull_request) Successful in 14s
validate / yamllint (pull_request) Successful in 12s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
5eb1b17a4d
The docs (secure-boot.md, install.md, first-build.md) described an
AUTOMATIC MOK enrollment during `apt install` — the kernel .deb placing the
cert at /var/lib/shim-signed/mok/ and queueing it via mokutil, with a
password prompt. That does not happen: the .deb ships no such postinst
(build-debs.sh ships only the sysctl one), so a Secure Boot user got no
prompt and an unbootable kernel with no clear recovery. And the cert wasn't
actually downloadable anywhere, despite signing-key-procedures.md claiming
it "gets published with each release".

Make the manual flow both honest and possible:
- build-kernel.yml: write the PUBLIC signing cert to unredacted-hardened.der
  (openssl PEM->DER) in the sign step and attach it as a release asset
  (alongside final.config / manifest.json). Additive; the private key never
  leaves the step's tmpfs.
- secure-boot.md: rewrite MOK enrollment as the manual flow — download
  unredacted-hardened.der from the release, verify its fingerprint,
  `mokutil --import`, set the one-time password, reboot, enroll. Note the
  auto-enroll postinst is a planned enhancement, not shipped.
- install.md / first-build.md: stop implying auto-enrollment; point at the
  manual flow.

Verified: build-kernel.yml yamllint-clean; the PEM->DER conversion and the
user-side `openssl x509 -inform DER ... -fingerprint` both work. Edits avoid
the secure-boot.md / install.md regions the open Ubuntu PR (#9) touches, so
the two merge cleanly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
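The build-side and user-side halves of the MOK flow that the PR description and this commit message spell out, written out as one runnable script. This is an added example, not the project's build-kernel.yml or secure-boot.md: it generates a throwaway self-signed cert inline (a constructed fixture standing in for the real signing cert) so it runs offline, and the file names, the release-notes line format and the `DO_ENROLL` guard are assumptions made here; `openssl` and `mokutil` are the only real tools it calls.

```sh
#!/bin/sh
# Added example (not the project's own code): PEM->DER release asset,
# published SHA-256 fingerprint, user-side verification, guarded mokutil import.
set -eu

# Constructed fixture standing in for the real signing cert: a self-signed
# cert plus key. The key lands next to the cert only because this is a test;
# the real private key stays in the build step's tmpfs.
make_test_cert() {
  pem="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=example kernel module signing (test fixture)" \
    -keyout "${pem%.pem}.key" -out "$pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a cert in either encoding, as openssl prints it
# (colon-separated upper-case hex of the digest over the DER bytes).
cert_fingerprint() {
  file="$1"
  inform="${2:-DER}"
  openssl x509 -in "$file" -inform "$inform" -noout -fingerprint -sha256 \
    | cut -d= -f2
}

# Build side (the sign step): public cert PEM -> DER release asset, plus the
# fingerprint line the release notes should carry. Prints the fingerprint.
build_side() {
  pem="$1"; der="$2"; notes="$3"
  openssl x509 -in "$pem" -inform PEM -outform DER -out "$der"
  fp=$(cert_fingerprint "$der" DER)
  printf 'unredacted-hardened.der SHA-256 fingerprint: %s\n' "$fp" >>"$notes"
  printf '%s\n' "$fp"
}

# User side, step 1: refuse to enroll anything whose fingerprint does not
# match the value published with the release. Status 0 on match, 1 otherwise.
verify_cert() {
  der="$1"; expected="$2"
  actual=$(cert_fingerprint "$der" DER)
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: got $actual, expected $expected" >&2
    return 1
  fi
  return 0
}

# User side, step 2: queue the cert with mokutil. This writes EFI variables
# and prompts for a one-time password, so it only acts when DO_ENROLL=1 is
# set (an assumed guard for this example); otherwise it dry-runs and returns 0.
enroll_cert() {
  der="$1"
  if [ "${DO_ENROLL:-0}" != 1 ]; then
    echo "dry run: would run 'sudo mokutil --import $der' (set DO_ENROLL=1)" >&2
    return 0
  fi
  sudo mokutil --import "$der"
  sudo mokutil --list-new   # confirm the cert is queued for the next boot
  echo "reboot now; MokManager will ask for the one-time password" >&2
}

# Stand-alone run: build, verify against the published value, dry-run enroll.
main() {
  work=$(mktemp -d)
  make_test_cert "$work/signing.pem"
  published=$(build_side "$work/signing.pem" \
    "$work/unredacted-hardened.der" "$work/release-notes.txt")
  verify_cert "$work/unredacted-hardened.der" "$published"
  enroll_cert "$work/unredacted-hardened.der"
  echo "ok: $published"
}

main "$@"
```

The comparison in `verify_cert` is the step the old docs never gave users: the DER file alone proves nothing, so the fingerprint is read out of the release notes (here, the constructed `release-notes.txt`) and the import is refused on any mismatch. To enroll for real, run with `DO_ENROLL=1` as a user who can sudo, then reboot and pick "Enroll MOK" in MokManager.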
Merge branch 'main' into fix/mok-docs-manual
All checks were successful
validate / shellcheck (pull_request) Successful in 12s
validate / yamllint (pull_request) Successful in 12s
validate / workflow-expressions (pull_request) Successful in 4s
validate / pycompile (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
validate / intent-matches-policy (pull_request) Successful in 4s
7bc821d412
zach merged commit 14778fff42 into main 2026-06-06 05:54:37 +00:00
zach deleted branch fix/mok-docs-manual 2026-06-06 05:54:40 +00:00
Reference
unredacted/linux-hardened-unredacted!11