Skip to content

Update secure boot scripts to current bash/sbctl standards#1

Merged
pyrotiger merged 1 commit intomainfrom
copilot/update-script-to-current-standards
May 2, 2026
Merged

Update secure boot scripts to current bash/sbctl standards#1
pyrotiger merged 1 commit intomainfrom
copilot/update-script-to-current-standards

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 2, 2026

Several correctness and robustness issues in setup.sh and 90-sbctl.hook, plus broken local file:// links in the README.

setup.sh

  • set -eset -euo pipefail (catches unset vars and pipeline failures)
  • Fix word-splitting bug in file-signing loop: for file in $FILES_TO_SIGNmapfile -t array with proper quoting — handles paths with spaces
  • Add || true to sbctl verify pipeline; sbctl exits 1 when unsigned files exist, which killed the script under pipefail
  • find /boot/vmlinuz-* (shell glob, not a valid find invocation) → find /boot -maxdepth 1 -name 'vmlinuz-*' with while IFS= read -r

90-sbctl.hook

  • sbctl sign -s /boot/vmlinuz-* expands to multiple args but sbctl sign takes exactly one file — replaced with sbctl sign-all, which re-signs all paths previously enrolled with -s
# Before — broken with multiple kernels installed
Exec = /usr/bin/bash -c 'sbctl sign -s /boot/vmlinuz-* && sbctl sign -s /boot/efi/EFI/garuda/grubx64.efi'

# After
Exec = /usr/bin/sbctl sign-all

README.md

  • Replace file:///home/pyro/Development/projects/secure-boot/... hardcoded local paths with relative links

@pyrotiger pyrotiger marked this pull request as ready for review May 2, 2026 07:04
Copilot AI review requested due to automatic review settings May 2, 2026 07:04
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 2, 2026

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@pyrotiger pyrotiger merged commit ce7367a into main May 2, 2026
4 checks passed
@pyrotiger pyrotiger deleted the copilot/update-script-to-current-standards branch May 2, 2026 07:05
Copilot AI reviewed May 2, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repository’s Secure Boot automation for the Garuda Linux + GRUB workflow by modernizing the shell script, simplifying the pacman hook, and fixing repository-local documentation links. It fits the codebase’s purpose of providing a small, self-contained guide plus helper scripts for configuring Secure Boot.

Changes:

  • Hardens setup.sh with stricter bash options and revised logic for discovering/signing unsigned files and kernel images.
  • Replaces the hook’s broken glob-based signing command with sbctl sign-all.
  • Fixes README.md links so they point to repo files instead of a developer’s local filesystem.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
setup.sh Updates the interactive setup flow’s error handling and file-signing logic.
90-sbctl.hook Changes the pacman hook to use sbctl sign-all and refreshes the header comments.
README.md Converts hardcoded local file:// links to relative repository links.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread setup.sh
# Use the smart verify | sed command from the guide
# Note: We use a loop for better visibility/handling
FILES_TO_SIGN=$(sudo sbctl verify | grep "✗" | awk '{print $2}')
mapfile -t FILES_TO_SIGN < <(sudo sbctl verify | awk '/✗/{print $2}' || true)
Comment thread setup.sh
# Use the smart verify | sed command from the guide
# Note: We use a loop for better visibility/handling
FILES_TO_SIGN=$(sudo sbctl verify | grep "✗" | awk '{print $2}')
mapfile -t FILES_TO_SIGN < <(sudo sbctl verify | awk '/✗/{print $2}' || true)
Comment thread 90-sbctl.hook
# Note: sbctl often provides its own hooks, but this is for manual signing.

# Save to /etc/pacman.d/hooks/90-sbctl.hook
# Re-signs all enrolled EFI binaries after kernel or GRUB updates.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@pyrotiger pyrotiger

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pyrotiger