actually, the secure boot signing key (AND our cosign key) is an org global secrets, so we could use

actually, the secure boot signing key (AND our cosign key) is an org global secrets, so we could use it in main if the choice was made to sign the whole kernel there, but i'm not yet convinced we should do so, even if it is the right choice for bluefin

Bbsherman actually, the secure boot signing key (AND our cosign key) is an org global secr...

Kyle Gospo•6/18/24, 8:04 PM

the signing action has a self-check

Kyle Gospo•6/18/24, 8:04 PM

that uses the key located in /etc/pki bla bla bla

Kyle Gospo•6/18/24, 8:04 PM

that won't be there (unless it's added)

KKyle Gospo that won't be there (unless it's added)

bshermanOP•6/18/24, 8:05 PM

right, the global secret would need to be injected at the correct location as part of a build step

Kyle Gospo•6/18/24, 8:05 PM

Yep

Kyle Gospo•6/18/24, 8:08 PM

@j0rge that error might be transitory now that I think about it

Kyle Gospo•6/18/24, 8:08 PM

we aren't

:latest

:latest

in a PR

j0rge•6/18/24, 8:08 PM

should I rerun the checks?

Kyle Gospo•6/18/24, 8:09 PM

rerunning them would do nothing

Kyle Gospo•6/18/24, 8:09 PM

would have to merge

Kyle Gospo•6/18/24, 8:09 PM

or make some not-to-be-merged version that is purely for testing

j0rge•6/18/24, 8:09 PM

well, it's already broken so what do we have to lose?

Kyle Gospo•6/18/24, 8:09 PM

https://github.com/ublue-os/bluefin/pull/1404

GitHub

feat: Add kernel signer to sign Fedora kernel with ublue's keys for...

Kyle Gospo•6/18/24, 8:09 PM

your call

KKyle Gospo your call

bshermanOP•6/18/24, 8:10 PM

speaking of calls... have a second?

Bbsherman speaking of calls... have a second?

Kyle Gospo•6/18/24, 8:10 PM

sure, I was about to get lunch and get back to real work, I'll call you in a moment

j0rge•6/18/24, 8:10 PM

@Kyle Gospo but if there was an error it'll be localized right?

Jj0rge @Kyle Gospo but if there was an error it'll be localized right?

Kyle Gospo•6/18/24, 8:11 PM

wouldn't build

KKyle Gospo sure, I was about to get lunch and get back to real work, I'll call you in a mom...

bshermanOP•6/18/24, 8:11 PM

tty is fine

Kyle Gospo•6/18/24, 8:11 PM

worst case is the same issue you have now

j0rge•6/18/24, 8:11 PM

ack, merging

KKyle Gospo https://github.com/ublue-os/bluefin/pull/1404

bshermanOP•6/18/24, 8:11 PM

this is failing due to no local registry, no?

j0rge•6/18/24, 8:17 PM

should we just pin the last known kernel for now?

j0rge•6/18/24, 8:17 PM

I can back this out.

Jj0rge should we just pin the last known kernel for now?

Kyle Gospo•6/18/24, 8:18 PM

Not a bad way to go

Kyle Gospo•6/18/24, 8:18 PM

But let's see if this works

Kyle Gospo•6/18/24, 8:18 PM

Should be there anyway

Jj0rge I can back this out.

bshermanOP•6/18/24, 8:18 PM

let's watch it

j0rge•6/18/24, 8:18 PM

it failed already, same issue

j0rge•6/18/24, 8:19 PM

does anybody remember how to pin a kernel?

EyeCantCU•6/18/24, 8:21 PM

I think we need to fetch it from Koji and do an override replace?

EEyeCantCU I think we need to fetch it from Koji and do an override replace?

bshermanOP•6/18/24, 8:25 PM

that's how pin/rollback of package works, yes

j0rge•6/18/24, 8:25 PM

I have no idea how to do this, does someone have cycles to help out?

j0rge•6/18/24, 8:26 PM

looks like if we had a newer bootupd it might have helped

EEyeCantCU I think we need to fetch it from Koji and do an override replace?

RoyalOughtness•6/18/24, 8:26 PM

it's probably less jank at that point to pin the entire upstream image

EyeCantCU•6/18/24, 8:26 PM

I'm taking a look but more eyes would be appreciated

j0rge•6/18/24, 8:26 PM

yeah that might be a better idea

j0rge•6/18/24, 8:26 PM

just pin the entire thing lol

EEyeCantCU I'm taking a look but more eyes would be appreciated

Kyle Gospo•6/18/24, 8:26 PM

Figuring out why your action can't connect to the local registry in bluefin would also help

Kyle Gospo•6/18/24, 8:26 PM

Since bluefin should be signed with the akmod key anyway

EyeCantCU•6/18/24, 8:27 PM

I'll start there

KKyle Gospo Figuring out why your action can't connect to the local registry in bluefin woul...

bshermanOP•6/18/24, 8:28 PM

yep @EyeCantCU, the local registry issue is what blocked signing in bluefin

EyeCantCU•6/18/24, 8:29 PM

Am I looking at the wrong job right now? It looks like it was able to pull and sign the image: https://github.com/ublue-os/bluefin/actions/runs/9571552636/job/26388915091#step:12:478

EEyeCantCU Am I looking at the wrong job right now? It looks like it was able to pull and s...

bshermanOP•6/18/24, 8:30 PM

ok, well maybe @j0rge simply reverted too quickly

EEyeCantCU Am I looking at the wrong job right now? It looks like it was able to pull and s...

bshermanOP•6/18/24, 8:30 PM

it was failing in the PR builds, but you are right, that looks correct

EyeCantCU•6/18/24, 8:30 PM

Let's revert the revert?

j0rge•6/18/24, 8:30 PM

lol

j0rge•6/18/24, 8:31 PM

ok so am i reverting the revert?

bshermanOP•6/18/24, 8:31 PM

yeah, the failures i saw on the non-reverted PR merge (getting confusing now) were not the kernel signing

Jj0rge ok so am i reverting the revert?

bshermanOP•6/18/24, 8:31 PM

yes, i think it should work

actually, the secure boot signing key (AND our cosign key) is an org global secrets, so we could use

Similar Threads

Similar Threads

Similar Threads