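# Signs systemd-boot and fwupd EFI binaries with a locally held Secure Boot
# key whenever a package transaction installs or updates them.
Name:           systemd-boot-local-signing
Version:        0.1
Release:        1%{?dist}
Summary:        Local signing for systemd-boot and fwupd
License:        MIT
ExclusiveArch:  %{efi}
BuildRequires:  efi-srpm-macros
# NOTE(review): the trigger below runs /usr/lib/systemd/systemd-sbsign.
# Confirm that this dependency actually ships that binary; if it does not,
# add a Requires on the package that does.
Requires:       systemd-boot-unsigned

%description
Automates signing of systemd-boot and fwupd payloads via RPM triggers.
Essential for Fedora hosts with custom keys enrolled in the firmware.

%install
install -d -m 0755 %{buildroot}/usr/lib/systemd/boot/efi
touch %{buildroot}/usr/lib/systemd/boot/efi/systemd-boot%{efi_arch}.efi.signed

%transfiletriggerin -P 1 -- /usr/lib/systemd/boot/efi /usr/libexec/fwupd/efi
# Paths matching the trigger prefixes arrive on stdin, one per line.
#
# Trust note: every file under those prefixes that matches the name patterns
# below is signed with the local Secure Boot key, whichever package installed
# it. Package signature checking and repository trust are therefore part of
# this machine's boot chain of trust. The private key is a plain file under
# /etc/kernel and should be readable by root only.
key=/etc/kernel/secureboot-private-key.pem
cert=/etc/kernel/secureboot-certificate.pem

while read -r filename; do
    # Only unsigned loader binaries are of interest; the ".signed" outputs
    # end in a different suffix and so never match.
    case "$filename" in
        */systemd-boot*.efi|*/fwupd*.efi)
            ;;
        *)
            continue
            ;;
    esac

    # Skip a path that cannot be stat'ed instead of feeding an empty value
    # into the comparison below.
    src_ctime=$(stat -c %Z "$filename") || continue
    # A missing signature counts as infinitely old.
    sig_mtime=$(stat -c %Y "${filename}.signed" 2>/dev/null || echo 0)

    # Re-sign only when the binary changed after the signature was written.
    # POSIX test is used because scriptlets run under /bin/sh by default.
    [ "$src_ctime" -gt "$sig_mtime" ] || continue

    # Fail with a clear message before invoking the signer when the key
    # material is absent. The trigger still exits non-zero, as it did when
    # the signer itself reported the error.
    if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
        echo "Cannot sign $filename: $key or $cert is missing or unreadable" >&2
        exit 1
    fi

    echo "Signing $filename" >&2
    /usr/lib/systemd/systemd-sbsign sign \
        --private-key "$key" \
        --certificate "$cert" \
        --output "${filename}.signed" \
        "$filename" || exit 1
done

%files
# Only the systemd-boot signature is tracked as a ghost entry. Signatures the
# trigger writes under /usr/libexec/fwupd/efi are not owned by this package
# and remain on disk after it is removed.
%ghost /usr/lib/systemd/boot/efi/systemd-boot%{efi_arch}.efi.signed

%changelog
* Thu Feb 12 2026 Shawn Matthiessen - 0.1-1
- Initial package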