@andreyv Thanks for your outstanding work on this project! It was quite useful while it was alive and I am grateful that you took from your personal time to maintain it for almost 7 years 🙏. Given that mkinitcpio is now able to generate UKIs and that there already exist many tools to sign boot images, it sounds like a fairly reasonable decision to retire sbupdate. However, I would only suggest to add a final commit, just to display a deprecation warning to users when they sign an image with sbupdate. Many users might not be aware that the project EOLed just by looking at the PKGBUILD. I only realized it EOLed when I stumbled upon the git repository by accident.
For the records, I switched to mkinitcpio to generate the UKI, and after some hesitancy I opted for sbctl for the signature. Thanks to the archwiki, the process was straightforward. I was initially reluctant to switch to a bloated tool like sbctl, but the key enrollment and image signature processes were so smooth that it eventually earned my vote… Otherwise I would probably have written some manual hooks to sign the UKI with sbsign, which I guess would also have been OK.
@SleepyMario
Is using one of the forks instead an option? Or is that madness.
Is there any properly maintained fork of sbupdate in the wild? I found this one: sbupdate-mkinitcpio (which has a deceptive name IMHO) that switched from pacman hooks to a systemd unit to trigger the signature script.
My personal suggestion would be to refrain from using such fork (unless I'm missing some use case). mkinitcpio can generate the UKI for you, and you can sign it with whatever tools you want (sbsign+some manually written pacman hooks, or sbctl and its shipped hooks). It's not a lot of work.
Pinned Comments
gilbs commented on 2023-09-02 18:05 (UTC) (edited on 2023-09-02 18:37 (UTC) by gilbs)
@andreyv Thanks for your outstanding work on this project! It was quite useful while it was alive and I am grateful that you took from your personal time to maintain it for almost 7 years 🙏. Given that mkinitcpio is now able to generate UKIs and that there already exist many tools to sign boot images, it sounds like a fairly reasonable decision to retire sbupdate. However, I would only suggest to add a final commit, just to display a deprecation warning to users when they sign an image with sbupdate. Many users might not be aware that the project EOLed just by looking at the PKGBUILD. I only realized it EOLed when I stumbled upon the git repository by accident.
For the records, I switched to mkinitcpio to generate the UKI, and after some hesitancy I opted for sbctl for the signature. Thanks to the archwiki, the process was straightforward. I was initially reluctant to switch to a bloated tool like sbctl, but the key enrollment and image signature processes were so smooth that it eventually earned my vote… Otherwise I would probably have written some manual hooks to sign the UKI with sbsign, which I guess would also have been OK.
@SleepyMario
Is there any properly maintained fork of sbupdate in the wild? I found this one: sbupdate-mkinitcpio (which has a deceptive name IMHO) that switched from pacman hooks to a systemd unit to trigger the signature script.
My personal suggestion would be to refrain from using such fork (unless I'm missing some use case). mkinitcpio can generate the UKI for you, and you can sign it with whatever tools you want (sbsign+some manually written pacman hooks, or sbctl and its shipped hooks). It's not a lot of work.
andreyv commented on 2023-08-12 05:44 (UTC)
@mephinet I no longer have the capability to develop the tool, and anyway it's largely obsolete — see https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot for replacements.