On 28.09.2023 17:58, Philip Couling wrote:
> I'm having trouble getting grub-mkstandalone to recognise the public key
> passed in via --pubkey
>
> According to the documentation, adding --pubkey to grub-mkimage should
> imply check_signatures=enforce but this doesn't seem to happen for
> grub-mkstandalone. (or does it?).
>
> The documentation doesn't mention what format the public key file should
> be. So I've tried both gpg --export

That is correct

> and gpg --export --armor. However
> when I try the command "list_trusted", I get no results and attempting to
> cat a signed file results in an error saying the public key could not be
> found.
>
> I'm currently invoking with:
> grub-mkstandalone --output=../build/grub/EFI/BOOT/BOOTX64.EFI
> --format=x86_64-efi --pubkey=../artefacts/grub.pgp
> boot/grub/grub.cfg=./grub.cfg
>
> Any suggestions on what I'm missing?

You need to include pgp module into core. The memory occupied by
embedded modules (including public key(s)) is freed after they are
processed during initialization.
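
The fix described in this reply, as an added example that is not part of the original thread: a pre-flight check that the key file is the binary `gpg --export` form, followed by the same invocation with the `pgp` module embedded in core. The function names `pubkey_format` and `build_image` and the `GRUB_MKSTANDALONE` override variable are hypothetical; the paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Classify a key file: prints "binary", "armored" or "unknown".
pubkey_format() {
    # A binary OpenPGP export starts with a public-key packet header:
    # old-format tag 6 (0x98-0x9a) or new-format tag 6 (0xc6).
    first_byte=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    case "$first_byte" in
        98|99|9a|c6) echo binary; return 0 ;;
    esac
    # "gpg --export --armor" output starts with the ASCII armor header line.
    if head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
        echo armored
    else
        echo unknown
    fi
}

# Build the standalone image with the pgp module in core.
# $1 = output image, $2 = public key file, $3 = grub.cfg to embed
build_image() {
    fmt=$(pubkey_format "$2")
    if [ "$fmt" != binary ]; then
        echo "refusing $2: $fmt key, expected binary 'gpg --export' output" >&2
        return 1
    fi
    # GRUB_MKSTANDALONE is a hypothetical override so the command can be
    # swapped out (for example with "echo") for a dry run.
    "${GRUB_MKSTANDALONE:-grub-mkstandalone}" \
        --format=x86_64-efi \
        --modules=pgp \
        --pubkey="$2" \
        --output="$1" \
        "boot/grub/grub.cfg=$3"
}
```

Called as `build_image ../build/grub/EFI/BOOT/BOOTX64.EFI ../artefacts/grub.pgp ./grub.cfg`, this reproduces the invocation from the thread with `--modules=pgp` added; `list_trusted` at the GRUB prompt is the check to repeat afterwards.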