commit: c8860a2542ee49185bfbe1cd295be05bc2bf7bae
Author: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
AuthorDate: Thu Sep 11 20:06:24 2025 +0000
Commit: Nowa Ammerlaan <nowa <AT> gentoo <DOT> org>
CommitDate: Thu Sep 11 20:18:45 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8860a25
sys-kernel/gentoo-kernel-bin: set SECUREBOOT_SIGN_CERT to used cert
For these builds we use the same key for modules, kernel image and
UKI. Therefore, certs/signing_key.x509 is the certificate that was
used for secureboot signing and we can thus use it to verify in
kernel-install.eclass that the signing was successful and to remove
padding if required.
Signed-off-by: Nowa Ammerlaan <nowa <AT> gentoo.org>
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.41.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.42.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43-r1.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.44.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45_p1.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.46.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3-r1.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.4.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5_p1.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.6.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.7.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.101.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102-r1.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.103.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.104.ebuild | 8 ++++++++
sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.105.ebuild | 8 ++++++++
21 files changed, 168 insertions(+)
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.41.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.41.ebuild
index 2862f0b72bcd..c211130cb9cc 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.41.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.41.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.42.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.42.ebuild
index cd4077f4f953..b5044d4862f2 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.42.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.42.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43-r1.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43-r1.ebuild
index cdfee2d90f33..86aaad2d6d32 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43-r1.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43.ebuild
index 6c6427c6b155..5eb40f5f2eff 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.43.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.44.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.44.ebuild
index a416a38d8522..4f68aebc1f23 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.44.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.44.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45.ebuild
index a2aaaf3f4fb9..a73455061e56 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45_p1.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45_p1.ebuild
index f335289e1c5d..2887686fd88f 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45_p1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.45_p1.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.46.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.46.ebuild
index 7574b97e8828..d2f18c401795 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.46.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.12.46.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3-r1.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3-r1.ebuild
index 9ed7e2a80c9f..41f32dbd9de0 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3-r1.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3.ebuild
index 0e40263ff805..9e02e951efc9 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.3.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.4.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.4.ebuild
index 0d1a2ea5aab4..783dcc589889 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.4.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.4.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5.ebuild
index 902b3a5d0967..265c24739811 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5_p1.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5_p1.ebuild
index 556b027f0ca7..353ef601dff8 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5_p1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.5_p1.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.6.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.6.ebuild
index d67990ef90d9..07ad3b65b6ac 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.6.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.6.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.7.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.7.ebuild
index 930f2ca49cf4..c9300edd8e06 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.7.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.16.7.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.101.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.101.ebuild
index 31a8f6c4a64a..9f6e21f59d28 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.101.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.101.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102-r1.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102-r1.ebuild
index 784dc0926d7f..0a3b30af7ad5 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102-r1.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102-r1.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102.ebuild
index 12144b927194..8ef4e1756961 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.102.ebuild
@@ -152,6 +152,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.103.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.103.ebuild
index eef9c25aeee7..34076d98026e 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.103.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.103.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.104.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.104.ebuild
index e758730f5935..807a3b134079 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.104.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.104.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
diff --git a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.105.ebuild
b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.105.ebuild
index c5d69f025b1b..025d439a03b3 100644
--- a/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.105.ebuild
+++ b/sys-kernel/gentoo-kernel-bin/gentoo-kernel-bin-6.6.105.ebuild
@@ -157,6 +157,14 @@ src_configure() {
local image="${kernel_dir}/$(dist-kernel_get_image_path)"
local uki="${image%/*}/uki.efi"
+
+ # Override user variable with the cert used during build
+ openssl x509 \
+ -inform DER -in "${kernel_dir}/certs/signing_key.x509" \
+ -outform PEM -out "${T}/cert.pem" ||
+ die "Failed to convert pcrpkey to PEM format"
+ export SECUREBOOT_SIGN_CERT=${T}/cert.pem
+
if [[ -s ${uki} ]]; then
# We need to extract the plain image for the test phase
# and USE=-generic-uki.
