commit: 18e8604589afe5cf44ded6bee84c4fe8cf5080be Author: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org> AuthorDate: Thu Jun 5 12:07:45 2025 +0000 Commit: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org> CommitDate: Sat Jun 14 09:06:16 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18e86045
kernel-build.eclass: fix signing non-zboot image for secureboot If the kernel has been built without EFI_ZBOOT support (requires 6.1+) then the resulting kernel image will be an Image.gz that we cannot sign with sbsign (on arm64 and riscv). So, uncompress this image, then add the signature, and finally recompress it with the same options that the kernel Makefiles use. Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org> Part-of: https://github.com/gentoo/gentoo/pull/42457 Closes: https://github.com/gentoo/gentoo/pull/42457 Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org> eclass/kernel-build.eclass | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass index d2d634591fe1..77faf6f651e5 100644 --- a/eclass/kernel-build.eclass +++ b/eclass/kernel-build.eclass @@ -497,7 +497,15 @@ kernel-build_src_install() { fi if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then - secureboot_sign_efi_file "${image}" + if [[ ${image} == *.gz ]]; then + # Backwards compatibility with pre-zboot images + gunzip "${image}" || die + secureboot_sign_efi_file "${image%.gz}" + # Use same gzip options as the kernel Makefile + gzip -n -f -9 "${image%.gz}" || die + else + secureboot_sign_efi_file "${image}" + fi fi if [[ ${KERNEL_IUSE_GENERIC_UKI} ]]; then
