From a56820d16a6e73c89dab9611f5602f3e67baee4c Mon Sep 17 00:00:00 2001
From: Richard Maw <richard.maw@codethink.co.uk>
Date: Fri, 3 May 2024 11:05:26 +0100
Subject: [PATCH] mkosi: Fix particle profile

The sbsign and ukify part was moved into a finalize script
rather than a postinst.chroot script so was using host tools
instead of just-built.
---
 .../system/mkosi.conf.d/20-particle/mkosi.finalize   |  9 ---------
 .../mkosi.conf.d/20-particle/mkosi.postinst.chroot   | 12 ++++++++++++
 2 files changed, 12 insertions(+), 9 deletions(-)
 create mode 100755 mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot

diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
index f5523983d2e..69f95548648 100755
--- a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.finalize
@@ -4,12 +4,3 @@ set -e
 
 mkdir -p "$BUILDROOT"/usr/share/factory/mkosi
 cp --archive --recursive --no-target-directory --reflink=auto "$BUILDROOT"/etc "$BUILDROOT"/usr/share/factory/mkosi
-
-# sbsign is not available on CentOS Stream
-if command -v sbsign &>/dev/null; then
-    # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
-    addons_dir=/efi/loader/addons
-    mkdir -p "$addons_dir"
-    ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
-    ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
-fi
diff --git a/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot
new file mode 100755
index 00000000000..95e0552d915
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/20-particle/mkosi.postinst.chroot
@@ -0,0 +1,12 @@
+#!/bin/bash
+# SPDX-License-Identifier: LGPL-2.1-or-later
+set -e
+
+# sbsign is not available on CentOS Stream
+if command -v sbsign &>/dev/null; then
+    # Ensure that side-loaded PE addons are loaded if signed, and ignored if not
+    addons_dir=/efi/loader/addons
+    mkdir -p "$addons_dir"
+    ukify build --secureboot-private-key mkosi.key --secureboot-certificate mkosi.crt --cmdline this_should_be_here -o "$addons_dir/good.addon.efi"
+    ukify build --cmdline this_should_not_be_here -o "$addons_dir/bad.addon.efi"
+fi