monolith-os/monolith
1
0
Fork 0
Code Issues Pull requests 2 Projects Releases 12 Packages 1 Wiki Activity Actions

Fix Secure Boot enrollment: distinct ujust recipe enroll-monolith-secure-boot-key #18

Merged
Mondrethos merged 2 commits from fix-secureboot-ujust-import into main 2026-06-28 07:50:23 +00:00
Conversation 1 Commits 2 Files changed 2 +8 -2
Mondrethos commented 2026-06-28 06:53:41 +00:00 (Migrated from github.com)
Copy link

Problem

ujust enroll-secure-boot-key ran the upstream ublue recipe (key akmods-ublue.der, password universalblue) instead of Monolith's (key akmods-monolith.der, password monolith). Since Monolith signs its kernel/modules with the monolith key, the on-screen universalblue prompt enrolls the wrong key and Secure Boot still can't validate the kernel.

Two things were wrong:

  1. The recipe file was named 60-monolith-secureboot.just, which ublue's main justfile never imports — it only does import? "60-custom.just". So our recipe sat on disk doing nothing.
  2. Renaming to 60-custom.just gets it imported, but a recipe named the same as the upstream one still loses: ublue imports 00-default.just (which owns enroll-secure-boot-key) before 60-custom.just, and among sibling imports the first definition wins. Verified against just 1.51:
    • first sibling import wins (not last)
    • the importing file beats files it imports

Fix

  • Put the recipe in 60-custom.just (the file ublue actually imports), and
  • give it a distinct name, enroll-monolith-secure-boot-key, so there's no collision to lose.

Both commands now coexist; the monolith one reliably enrolls the monolith key with password monolith. README updated to reference the new command.

The upstream enroll-secure-boot-key still exists and enrolls the ublue key — harmless (an extra, unused MOK), just not what monolith users want.

## Problem `ujust enroll-secure-boot-key` ran the **upstream** ublue recipe (key `akmods-ublue.der`, password `universalblue`) instead of Monolith's (key `akmods-monolith.der`, password `monolith`). Since Monolith signs its kernel/modules with the *monolith* key, the on-screen `universalblue` prompt enrolls the wrong key and Secure Boot still can't validate the kernel. Two things were wrong: 1. The recipe file was named `60-monolith-secureboot.just`, which ublue's main justfile never imports — it only does `import? "60-custom.just"`. So our recipe sat on disk doing nothing. 2. Renaming to `60-custom.just` gets it imported, but a recipe **named the same** as the upstream one still loses: ublue imports `00-default.just` (which owns `enroll-secure-boot-key`) **before** `60-custom.just`, and among sibling imports the *first* definition wins. Verified against `just` 1.51: - first sibling import wins (not last) - the importing file beats files it imports ## Fix - Put the recipe in `60-custom.just` (the file ublue actually imports), **and** - give it a distinct name, `enroll-monolith-secure-boot-key`, so there's no collision to lose. Both commands now coexist; the monolith one reliably enrolls the monolith key with password `monolith`. README updated to reference the new command. The upstream `enroll-secure-boot-key` still exists and enrolls the ublue key — harmless (an extra, unused MOK), just not what monolith users want.
github-actions[bot] commented 2026-06-28 06:53:50 +00:00 (Migrated from github.com)
Copy link

🧪 Test this PR on a real install

Once the build checks on this PR pass, a signed test image is published for each edition. Pick the one matching your hardware and, from an existing Monolith install (which already has the signing policy), rebase onto it:

monolith-gnome

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/mondrethos/monolith-gnome:pr-18-44
systemctl reboot

monolith-gnome-nvidia

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/mondrethos/monolith-gnome-nvidia:pr-18-44
systemctl reboot

The tags are rebuilt on every new commit here, so rpm-ostree upgrade pulls the latest build. When you're done testing, return to your edition's released image (:latest).

The test tags stop updating once this PR is merged or closed.

### 🧪 Test this PR on a real install **Once the build checks on this PR pass**, a signed test image is published for each edition. Pick the one matching your hardware and, from an existing Monolith install (which already has the signing policy), rebase onto it: **`monolith-gnome`** ```bash rpm-ostree rebase ostree-image-signed:docker://ghcr.io/mondrethos/monolith-gnome:pr-18-44 systemctl reboot ``` **`monolith-gnome-nvidia`** ```bash rpm-ostree rebase ostree-image-signed:docker://ghcr.io/mondrethos/monolith-gnome-nvidia:pr-18-44 systemctl reboot ``` The tags are rebuilt on every new commit here, so `rpm-ostree upgrade` pulls the latest build. When you're done testing, return to your edition's released image (`:latest`). _The test tags stop updating once this PR is merged or closed._
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug
Something isn't working

  
dependencies
Pull requests that update a dependency file

  
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
github_actions
Pull requests that update GitHub Actions code

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
question
Further information is requested

  
wontfix
This will not be worked on

No labels
bug
dependencies
documentation
duplicate
enhancement
github_actions
good first issue
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
monolith-os/monolith!18
No description provided.