Automatically signing long term kernels with Machine Owner Key (MOK) using post-install script

sign-kernel-longterm.sh

#!/bin/bash
# file: /etc/kernel/postinst.d/sign-kernel-longterm
#
# Create signing keys:
#
# openssl req -new -x509 -newkey rsa:4096 \
#     -keyout MOK.priv \
#     -outform DER -out MOK.der \
#     -nodes -days 36500 -subj "/CN=Descriptive Name/"
#
# openssl x509 -inform der -in MOK.der -out MOK.pem
#
# sudo mkdir -p /etc/pki/sbsign/certs/ /etc/pki/sbsign/private/
# sudo cp MOK.der MOK.pem /etc/pki/sbsign/certs/
# sudo cp MOK.priv /etc/pki/sbsign/private/
# sudo chmod -R 600 /etc/pki/sbsign/private/
#
# sudo mokutil --import /etc/pki/sbsign/certs/MOK.der
# sudo reboot
#
# Enroll MOK -> Continue -> Yes -> Enter password -> OK

set -e

# Get the version of the kernel being installed
kern_version="$1"
kern_file="$2"

# Terminate if it isn't a longterm kernel
case "$kern_version" in
	6.1.*|5.15.*|5.10.*) true ;;
	*) exit 0
esac

public_key=/etc/pki/sbsign/certs/MOK.pem
private_key=/etc/pki/sbsign/private/MOK.priv

if [ ! -e "$public_key" ] && [ ! -e "$private_key" ]; then
	echo "sign-kernel-longterm: '$public_key' is missing!" >&2
	exit 0
fi

if [ ! -e "$private_key" ]; then
	echo "sign-kernel-longterm: '$private_key' is missing!" >&2
	exit 0
fi

if [ ! -x "/usr/bin/sbsign" ]; then
	echo "sign-kernel-longterm: '/usr/bin/sbsign' is missing!" >&2
	echo "sign-kernel-longterm: Probably 'sbsigntools' package isn't installed." >&2
	exit 0
fi

if [ ! -e "$kern_file" ]; then
	echo "sign-kernel-longterm: '$kern_file' is not found!" >&2
	exit 0
fi

echo "sign-kernel-longterm: signing '$kern_version' ..." >&2
/usr/bin/sbsign --key "$private_key" --cert "$public_key" "$kern_file" \
	--output "$kern_file.signed"

if [ -f "$kern_file.signed" ]; then
	mv -f "$kern_file.signed" "$kern_file"
	chmod +x "$kern_file"
	sha512hmac "$kern_file" > "${kern_file/vmlinuz/.vmlinuz}.hmac"
fi