Merge branch 'main' into flatpak

.dockerignore

@@ -0,0 +1,5 @@
+.devcontainer
+.github
+.gitignore
+action.yml
+Containerfile

.github/workflows/build-and-test.yml

@@ -16,6 +16,8 @@ env:
   VERSION: '39'
   VARIANT: 'Server'
   FLATPAK_REFS: app/org.videolan.VLC/x86_64/stable runtime/org.kde.Platform/x86_64/5.15-23.08
+  SECURE_BOOT_KEY_URL: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
+  ENROLLMENT_PASSWORD: 'container-installer'
 
 jobs:
   build-container:
@@ -91,6 +93,8 @@ jobs:
           version: ${{ env.VERSION }}
           variant: ${{ env.VARIANT }}
           flatpak_remote_refs: ${{ env.FLATPAK_REFS }}
+          secure_boot_key_url: ${{ env.SECURE_BOOT_KEY_URL }}
+          enrollment_password: ${{ env.ENROLLMENT_PASSWORD }}
 
       - name: Rename ISO
         run: |

Containerfile

@@ -11,11 +11,7 @@ ENV VERSION="${VERSION}"
 ENV WEB_UI="false"
 
 RUN mkdir /build-container-installer
-COPY /external /build-container-installer/external
+COPY / /build-container-installer/
-COPY /lorax_templates /build-container-installer/lorax_templates
-COPY /xorriso /build-container-installer/xorriso
-COPY /Makefile /build-container-installer
-COPY /entrypoint.sh /
 
 WORKDIR /build-container-installer
 
@@ -23,5 +19,5 @@ RUN dnf install -y make && make install-deps
 
 VOLUME /build-container-installer/build
 
-ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
+ENTRYPOINT ["/bin/bash", "/build-container-installer/entrypoint.sh"]
 

Makefile

@@ -12,7 +12,9 @@ ADDITIONAL_TEMPLATES =
 FLATPAK_REMOTE_NAME = flathub
 FLATPAK_REMOTE_URL = https://flathub.org/repo/flathub.flatpakrepo
 FLATPAK_REMOTE_REFS = 
-
+ENROLLMENT_PASSWORD =
+SECURE_BOOT_KEY_URL =
+ADDITIONAL_TEMPLATES = ""
 ROOTFS_SIZE = 4
 
 # Generated vars
@@ -22,11 +24,11 @@ _IMAGE_REPO_ESCAPED = $(subst /,\/,$(IMAGE_REPO))
 _IMAGE_REPO_DOUBLE_ESCAPED = $(subst \,\\\,$(_IMAGE_REPO_ESCAPED))
 _VOLID = $(firstword $(subst -, ,$(IMAGE_NAME)))-$(ARCH)-$(IMAGE_TAG)
 _REPO_FILES = $(subst /etc/yum.repos.d,repos,$(REPOS))
-_LORAX_TEMPLATES = $(subst .in,,$(shell ls lorax_templates/*.tmpl.in))
+_LORAX_TEMPLATES = $(subst .in,,$(shell ls lorax_templates/*.tmpl.in)) $(foreach file,$(shell ls lorax_templates/scripts/post),lorax_templates/post_$(file).tmpl)
 _FLATPAK_TEMPLATES = $(_BASE_DIR)/external/fedora-lorax-templates/ostree-based-installer/lorax-embed-flatpaks.tmpl
 _FLATPAK_REPO_URL = $(shell curl -L $(FLATPAK_REMOTE_URL) | grep -i '^URL=' | cut -d= -f2)
 _FLATPAK_REPO_GPG = $(shell curl -L $(FLATPAK_REMOTE_URL) | grep -i '^GPGKey=' | cut -d= -f2)
-_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED FLATPAK_REMOTE_NAME FLATPAK_REMOTE_URL FLATPAK_REMOTE_REFS _FLATPAK_REPO_URL _FLATPAK_REPO_GPG
+_TEMPLATE_VARS = ARCH VERSION IMAGE_REPO IMAGE_NAME IMAGE_TAG VARIANT WEB_UI REPOS _IMAGE_REPO_ESCAPED _IMAGE_REPO_DOUBLE_ESCAPED FLATPAK_REMOTE_NAME FLATPAK_REMOTE_URL FLATPAK_REMOTE_REFS _FLATPAK_REPO_URL _FLATPAK_REPO_GPG ENROLLMENT_PASSWORD
 
 ifeq ($(VARIANT),Server)
 _LORAX_ARGS = --macboot --noupgrade
@@ -55,6 +57,7 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/%
 	$(eval _ISO_FILE = usr/share/anaconda/interactive-defaults.ks)
 	
 	header=0; \
+	skip=0; \
 	while read -r line; \
 	do \
 		if [[ $$line =~ ^\<\% ]]; \
@@ -64,10 +67,20 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/%
 		else \
 			if [[ $$header == 0 ]]; \
 			then \
+				if [[ $$line =~ ^##\ (.*)$$ ]]; \
+				then \
+					echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \
+					skip=1; \
+				else \
 					echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				fi; \
 				header=1; \
 			fi; \
-	    echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \
+			if [[ $$skip == 0 ]]; \
+			then \
+				echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \
+			fi; \
+			skip=0; \
 		fi; \
 	done < lorax_templates/scripts/post/$*
 	echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl
@@ -76,18 +89,30 @@ lorax_templates/post_%.tmpl: lorax_templates/scripts/post/%
 	$(eval _ISO_FILE = usr/share/anaconda/post-scripts/configure_upgrades.ks)
 
 	header=0; \
+	skip=0; \
 	while read -r line; \
 	do \
 		if [[ $$line =~ ^\<\% ]]; \
 		then \
+			echo $$line >> lorax_templates/post_$*.tmpl; \
 			echo >> lorax_templates/post_$*.tmpl; \
 		else \
 			if [[ $$header == 0 ]]; \
 			then \
+				if [[ $$line =~ ^##\ (.*)$$ ]]; \
+				then \
+					echo "append $(_ISO_FILE) \"%post --erroronfail $${BASH_REMATCH[1]}\"" >> lorax_templates/post_$*.tmpl; \
+					skip=1; \
+				else \
 					echo "append $(_ISO_FILE) \"%post --erroronfail\"" >> lorax_templates/post_$*.tmpl; \
+				fi; \
 				header=1; \
 			fi; \
-	    echo "append $(_ISO_FILE) \"$$line\"" >> lorax_templates/post_$*.tmpl; \
+			if [[ $$skip == 0 ]]; \
+			then \
+				echo "append $(_ISO_FILE) \"$${line//\"/\\\"}\"" >> lorax_templates/post_$*.tmpl; \
+			fi; \
+			skip=0; \
 		fi; \
 	done < lorax_templates/scripts/post/$*
 	echo "append $(_ISO_FILE) \"%end\"" >> lorax_templates/post_$*.tmpl
@@ -110,6 +135,13 @@ repos/%.repo: /etc/yum.repos.d/%.repo
 boot.iso: $(_LORAX_TEMPLATES) $(_REPO_FILES)
 	rm -Rf $(_BASE_DIR)/results || true
 	rm /etc/rpm/macros.image-language-conf || true
+
+	# Download the secure boot key
+	if [ -n "$(SECURE_BOOT_KEY_URL)" ]; \
+	then \
+    	curl --fail -L -o $(_BASE_DIR)/sb_pubkey.der $(SECURE_BOOT_KEY_URL); \
+	fi
+
 	lorax -p $(IMAGE_NAME) -v $(VERSION) -r $(VERSION) -t $(VARIANT) \
 		--isfinal --squashfs-only --buildarch=$(ARCH) --volid=$(_VOLID) \
 		$(_LORAX_ARGS) \

action.yml

@@ -29,6 +29,13 @@ inputs:
     description: Enable Anaconda WebUI
     required: false
     default: "false"
+  enrollment_password:
+    description: Used for supporting secure boot (requires SECURE_BOOT_KEY_URL to be defined)
+    required: false
+    default: "container-installer"
+  secure_boot_key_url:
+    description: Secure boot key that is installed from URL location
+    required: false
   action_version:
     description: Version of the action container to run
     deprecationMessage: No longer used. github.action_ref replaces the need for this. Will be removed in a future version.
@@ -70,4 +77,5 @@ runs:
           FLATPAK_REMOTE_NAME=${{ inputs.flatpak_remote_name }} \
           FLATPAK_REMOTE_URL=${{ inputs.flatpak_remote_url }} \
           FLATPAK_REMOTE_REFS="${{ inputs.flatpak_remote_refs }}"
-
+          ENROLLMENT_PASSWORD=${{ inputs.enrollment_password }} \
+          SECURE_BOOT_KEY_URL=${{ inputs.secure_boot_key_url }} \

lorax_templates/scripts/post/enroll-secureboot-key

@@ -0,0 +1,26 @@
+<%page args="enrollment_password "/>
+## --nochroot
+
+set -oue pipefail
+
+readonly ENROLLMENT_PASSWORD=${enrollment_password}
+readonly SECUREBOOT_KEY="/run/install/repo/sb_pubkey.der"
+
+if [[ ! -d "/sys/firmware/efi" ]]; then
+	echo "EFI mode not detected. Skipping key enrollment."
+	exit 0
+fi
+
+if [[ ! -f "$SECUREBOOT_KEY" ]]; then
+	echo "Secure boot key not provided: $SECUREBOOT_KEY"
+	exit 0
+fi
+
+SYS_ID="$(cat /sys/devices/virtual/dmi/id/product_name)"
+if [[ ":Jupiter:Galileo:" =~ ":$SYS_ID:" ]]; then
+	echo "Steam Deck hardware detected. Skipping key enrollment."
+	exit 0
+fi
+
+mokutil --timeout -1 || :
+echo -e "$ENROLLMENT_PASSWORD\n$ENROLLMENT_PASSWORD" | mokutil --import "$SECUREBOOT_KEY" || :

xorriso/gen_input.sh.in

@@ -5,12 +5,14 @@ echo "-outdev $(pwd)/build/deploy.iso"
 echo "-boot_image any replay"
 echo "-joliet on"
 echo "-compliance joliet_long_names"
+if [ -f $(pwd)/sb_pubkey.der ]; then
+	echo "-map $(pwd)/sb_pubkey.der sb_pubkey.der"
+	echo "-chmod 0444 /sb_pubkey.der"
+fi
 pushd container >/dev/null
-for file in $(find ${IMAGE_NAME}-${IMAGE_TAG})
+for file in $(find ${IMAGE_NAME}-${IMAGE_TAG}); do
-do
 	echo "-map $(pwd)/${file} ${file}"
 	echo "-chmod 0444 ${file}"
 done
 popd > /dev/null
 echo "-end"
-