feat: cut over nvidia akmod signing key (#109)

This is the final PR for #100 .

It should be merged at June 17, 2023 0000 UTC, as near as possible.

Changes:
- switches to new MOK/SecureBoot signing key for nvidia (already used by
  other akmods)
- stops providing MOK public keys in ublue-os-nvidia-addons
- updates messaging in README

.github/workflows/build.yml

@@ -83,7 +83,7 @@ jobs:
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
               echo "Using test signing key"
           else
-              echo "${{ secrets.AKMOD_PRIVKEY }}" > certs/private_key.priv
+              echo "${{ secrets.AKMOD_PRIVKEY_20230518 }}" > certs/private_key.priv
           fi
           # DEBUG: get character count of key
           wc -c certs/private_key.priv

README.md

@@ -74,20 +74,18 @@ rpm-ostree kargs \
 And then reboot one more time!
 
 ### 3. Enable Secure Boot support
-**IMPORTANT NOTE:** On June 17, 00:00 UTC, we will make a change to the key which is used to sign nvidia kernel modules. The new key is being made available May 17. The new key is `akmods-ublue.der` / `public_key.der.new` in the code blocks below. Until this document is updated to remove the old key, please import BOTH keys! This will ensure your SecureBoot system boots as expected after the cutover on June 17.
+**IMPORTANT NOTE:** On June 17, 00:00 UTC, we changed the key used to sign nvidia kernel modules. If your nvidia kernel modules are not loading, you need to import the new key.
 
 [Secure Boot](https://rpmfusion.org/Howto/Secure%20Boot) support for the nvidia kernel modules can be enabled by enrolling the signing key:
 
 ```
-sudo mokutil --import /etc/pki/akmods/certs/akmods-nvidia.der
 sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
 ```
 
 Alternatively, the key can be enrolled from within this repo:
 
 ```
 sudo mokutil --import ./certs/public_key.der
-sudo mokutil --import ./certs/public_key.der.new
 ```
 
 ## Rolling back and rebasing

build.sh

@@ -45,8 +45,6 @@ modinfo /usr/lib/modules/${KERNEL_VERSION}/extra/${NVIDIA_PACKAGE_NAME}/nvidia{,
 sed -i "s@gpgcheck=0@gpgcheck=1@" /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/nvidia-container-runtime.repo
 
 install -D /etc/pki/akmods/certs/public_key.der /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der
-# copy new public key to facilitate user imports before switching
-install -Dm644 /tmp/certs/public_key.der.new   /tmp/ublue-os-nvidia-addons/rpmbuild/SOURCES/public_key.der.new
 
 rpmbuild -ba \
     --define '_topdir /tmp/ublue-os-nvidia-addons/rpmbuild' \

ublue-os-nvidia-addons.spec

@@ -1,5 +1,5 @@
 Name:           ublue-os-nvidia-addons
-Version:        0.6
+Version:        0.7
 Release:        1%{?dist}
 Summary:        Additional files for nvidia driver support
 
@@ -9,61 +9,54 @@ URL:            https://github.com/ublue-os/nvidia
 BuildArch:      noarch
 Supplements:    mokutil policycoreutils
 
-Source0:        public_key.der
-Source1:        nvidia-container-runtime.repo
-Source2:        lukenukem-asus-linux.repo
-Source3:        jhyub-supergfxctl-plasmoid.repo
-Source4:        config-rootless.toml
-Source5:        nvidia-container.pp
-Source6:        environment
-Source7:        public_key.der.new
+Source0:        nvidia-container-runtime.repo
+Source1:        lukenukem-asus-linux.repo
+Source2:        jhyub-supergfxctl-plasmoid.repo
+Source3:        config-rootless.toml
+Source4:        nvidia-container.pp
+Source5:        environment
 
 %description
-Adds various runtime files for nvidia support. These include a key for importing with mokutil to enable secure boot for nvidia kernel modules
+Adds various runtime files for nvidia support.
 
 %prep
 %setup -q -c -T
 
 
 %build
 # Have different name for *.der in case kmodgenca is needed for creating more keys
-install -Dm0644 %{SOURCE0} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-install -Dm0644 %{SOURCE1} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
-install -Dm0644 %{SOURCE2} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
+install -Dm0644 %{SOURCE0} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
+install -Dm0644 %{SOURCE1} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 install -Dm0644 %{SOURCE2} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
 install -Dm0644 %{SOURCE3} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
 install -Dm0644 %{SOURCE4} %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp
 install -Dm0644 %{SOURCE5} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/sway/environment
-install -Dm0644 %{SOURCE6} %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 
 sed -i 's@enabled=1@enabled=0@g' %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/{lukenukem-asus-linux,jhyub-supergfxctl-plasmoid,nvidia-container-runtime}.repo
 
-install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der            %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der             %{buildroot}%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo     %{buildroot}%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo         %{buildroot}%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo   %{buildroot}%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml %{buildroot}%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
 install -Dm0644 %{buildroot}%{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp             %{buildroot}%{_datadir}/selinux/packages/nvidia-container.pp
 
 %files
-%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-%attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_datadir}/selinux/packages/nvidia-container.pp
 %attr(0644,root,root) %{_datadir}/ublue-os/%{_sysconfdir}/sway/environment
-%attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-nvidia.der
-%attr(0644,root,root) %{_sysconfdir}/pki/akmods/certs/akmods-ublue.der
 %attr(0644,root,root) %{_sysconfdir}/yum.repos.d/nvidia-container-runtime.repo
 %attr(0644,root,root) %{_sysconfdir}/yum.repos.d/lukenukem-asus-linux.repo
 %attr(0644,root,root) %{_sysconfdir}/yum.repos.d/jhyub-supergfxctl-plasmoid.repo
 %attr(0644,root,root) %{_sysconfdir}/nvidia-container-runtime/config-rootless.toml
 %attr(0644,root,root) %{_datadir}/selinux/packages/nvidia-container.pp
 
 %changelog
+* Sat Jun 17 2023 Benjamin Sherman <benjamin@holyarmy.org> - 0.7
+- Remove MOK keys; now provided by ublue-os-akmods-addons
+
 * Sat Jun 17 2023 RJ Trujillo <eyecantcu@pm.me> - 0.6
 - Add supergfxctl-plasmoid COPR