fix:[#1651] Add MOTD message for SB keys

[jardon]

• Add logic to check for SB enrollment and keys
• Update motd template

Closes #1651

[jardon]

These changes are untested. I'll try to get an environment set up to test them before marking the PR as ready.

[jardon]

The word wrapping is a little broken, but I believe this is an issue with glow and their handling of hyperlinks. Marking as ready since its out of my control and ugly warnings are better than no warnings at all.

[noelmiller]

LGTM, I will let others weigh in though.

[KyleGospo]

The word wrapping is a little broken, but I believe this is an issue with glow and their handling of hyperlinks. Marking as ready since its out of my control and ugly warnings are better than no warnings at all.

I did a workaround for this, you can use ~ in your text and it will become a new line in the final output.

Good for another PR though, I don't want to hold this up over some formatting. LGTM.

[noelmiller]

The word wrapping is a little broken, but I believe this is an issue with glow and their handling of hyperlinks. Marking as ready since its out of my control and ugly warnings are better than no warnings at all.

I did a workaround for this, you can use ~ in your text and it will become a new line in the final output.

Good for another PR though, I don't want to hold this up over some formatting. LGTM.

Is this warning something we would need in Bazzite? Only case I can think of is if someone were to install Bazzite without secure boot on and then turn it on? But then they wouldn't be able to see the message anyway?

[KyleGospo]

Missed this, seems there's a typo here?
``if [[ $ENROLL -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then```

$ENROLL doesn't exist, $ENROLLED is created above.

[jardon]

I'm not sure how I did that, but its fixed. Should be good after the CI clears. I rechecked it in my environment.

[jardon]

The word wrapping is a little broken, but I believe this is an issue with glow and their handling of hyperlinks. Marking as ready since its out of my control and ugly warnings are better than no warnings at all.

I did a workaround for this, you can use ~ in your text and it will become a new line in the final output.

Good for another PR though, I don't want to hold this up over some formatting. LGTM.

Thanks for the tip. I implemented this to clean it up some. Its not perfect, but its better.

[castrojo]

Let's merge this tomorrow (after the :stable builds go out), that way we have a week of it in :latest if we need to tweak the text.

[jardon]

if this merges first, i can refactor this PR to consolidate the logic

[bsherman]

Correct me if I'm wrong, but I believe this needs to be fixed.

[bsherman]

I don't think this actually works.

Example:

$ FINGERPRINT="2B:E9:91:E3:B1:B5:40:70:F4:3D:80:BB:13:EB:C6:57:E5:A3:78:0D"
$ mokutil --list-enrolled |grep $FINGERPRINT

Notice there is no output because the grep match failed...

I think you want something like this:

$ mokutil --list-enrolled --verbose-listing|grep -i $FINGERPRINT
SHA1 Fingerprint: 2b:e9:91:e3:b1:b5:40:70:f4:3d:80:bb:13:eb:c6:57:e5:a3:78:0d

[jardon]

it does work, but not by comparing output. when grep fails to find a match, it gives an exit code of 1. so this just compares the exit code to see if it matches or not.

I've tested it in a VM and it works well. if there's a better option, I'm open to changing it

[bsherman]

I understand the grep -q usage, my point is it will always think the key is not enrolled because of the output from mokutil --list-enrolled vs mokutil --list-enrolled --verbose-listing

$ mokutil --list-enrolled 
2bb010e24d fedoraca
2be991e3b1 ublue kernel

The output above will never have the fingerprint contents.

Adding --verbose-listing does add the fingerprint output to the listing, however, with a lowercased fingerprint, which won't match what you have here.

$ mokutil --list-enrolled --verbose-listing|grep -i sha1
SHA1 Fingerprint: 2b:b0:10:e2:4d:94:c6:32:24:58:89:ba:aa:9e:d0:f3:d5:ef:1f:68
SHA1 Fingerprint: 2b:e9:91:e3:b1:b5:40:70:f4:3d:80:bb:13:eb:c6:57:e5:a3:78:0d

[jardon]

thats not what the included mokutil command produces

mokutil --list-enrolled | grep Finger
SHA1 Fingerprint: 2b:b0:10:e2:4d:94:c6:32:24:58:89:ba:aa:9e:d0:f3:d5:ef:1f:68
SHA1 Fingerprint: 2b:e9:91:e3:b1:b5:40:70:f4:3d:80:bb:13:eb:c6:57:e5:a3:78:0d

[bsherman]

$ which mokutil
/usr/bin/mokutil

$ `which mokutil` --version
0.7.1

$ /usr/bin/mokutil --list-enrolled | grep Finger

Does Bluefin somehow modify mokutil default behavior?

[bsherman]

[bsherman]

Even if there's a version of mokutil where --list-enrolled does show fingerprint, does --verbose-listing not work?

[bsherman]

@jardon and I discovered in a side chat that the difference here is Fedora 39 has mokutil version 0.6.0 and Fedora 40 has version 0.7.1.

And the outputs differ.

[bsherman]

I'm not sure if we want to hard code the fingerprint or read it from the cert on-image?

openssl x509 -fingerprint -noout -in /etc/pki/akmods/certs/akmods-ublue.der

[jardon]

this is a good suggestion. ive implemented this in the notify-send PR

[jardon]

closing in favor of #1661