feat: Add notification for secure boot key check #1661
This `sudo notify-send` doesn't work when run from a root systemd service as set up here.
You can test this in a VM by writing the script to `/usr/local/sbin/sb-key-notify.sh` and the service to `/etc/systemd/system/sb-key-notify.service` and make sure you change the path for the script in the service file.
Then, `systemctl daemon-reload` and `systemctl enable sb-key-notify` ... reboot and/or simply `systemctl start sb-key-notify` ... nothing happens.
I haven't dug deep into why this fails, but there's a more direct approach which is more what I meant to suggest when I suggested a service.
What I'd do is keep all the testing for if secure boot is enabled and if the key is enrolled or not in a script like this... but the script would be `sbkey-missing-check.sh` or something... and if the conditions warrant a notification, write a file to `/run/sbkey-missing-notify`.
Then we need this `notify-send` command NOT with the sudo, to run as the user, and that should get set up with a profile.d/skel combo of script and .desktop file, similar to how we do for the `bluefin-firstboot` feature.
I'm curious why it doesn't work for you. I've tested it in my environment and it works great. Could you check the output of the service?
I had things more split up beforehand. I'm open to seeing what that looks like to implement it using a desktop file, but I'm a little puzzled how we got here.
more specifically:
I set this up again on Bluefin:GTS (like I referenced in my comment on the Timer section). My sb-key-notify.service is installed in /etc and the sb-key-notify.sh is in /usr/local/sbin.
I did see the notification popup when running `systemctl start sb-key-notify` on this setup, however... upon a reboot.
This is the output from the service:
Edit: for the record, I get the same behavior when testing on bluefin:stable (Fedora 40)
more context:
I can, and I will, but I've told you your script works, I do get a notification if running `systemctl start sb-key-notify` while already logged in.
The problem is notification from the script upon a boot. I'm not sure if you missed where I showed journal output with the failure.
oh I misunderstood. ya so on boot, there is no user logged in so loginctl doesn't list a user to pass to the sudo command. I'll look into another solution then
yes, sorry it wasn't more clear.
This is why I proposed writing a state file from the service, and then having the user's login process (e.g., autostart .desktop file) look for that file and run the notification. Then it would work for ANY user who logs in.
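The state-file split proposed in this thread, as an added example that is not part of the PR or the project's code: a root-side check that needs no logged-in user, and a user-side notifier that runs without sudo. The function names, the `KEY_DER` placeholder path, the `MOKUTIL`/`NOTIFY` override variables and the `mokutil` output strings being matched are assumptions of this example; only `/run/sbkey-missing-notify` comes from the review.

```shell
#!/bin/sh
# Added example (not the PR's code): root-side check + user-side notifier.
STATE_FILE="${STATE_FILE:-/run/sbkey-missing-notify}"  # flag path proposed in the review
KEY_DER="${KEY_DER:-/path/to/PLACEHOLDER-key.der}"     # placeholder; real key path is not on this page
MOKUTIL="${MOKUTIL:-mokutil}"                          # overridable for testing
NOTIFY="${NOTIFY:-notify-send}"

# Return 0 only if Secure Boot is on AND the key is not enrolled.
# $1: output of `mokutil --sb-state`; $2: output of `mokutil --test-key`.
# Assumption: mokutil prints "SecureBoot enabled" / "... is not enrolled".
needs_notify() {
    case "$1" in *"SecureBoot enabled"*) ;; *) return 1 ;; esac
    case "$2" in *"is not enrolled"*) return 0 ;; *) return 1 ;; esac
}

# Root side: run from a oneshot systemd service at boot. No user session is
# needed; it only records the result in a root-owned file under /run.
system_check() {
    sb_out=$($MOKUTIL --sb-state 2>/dev/null) || true
    # Parse the text; the exit status is deliberately not relied on.
    key_out=$($MOKUTIL --test-key "$KEY_DER" 2>/dev/null) || true
    if needs_notify "$sb_out" "$key_out"; then
        ( umask 022; : > "$STATE_FILE" )   # world-readable, root-writable flag
    else
        rm -f "$STATE_FILE"                # clear a stale flag once the key is enrolled
    fi
}

# User side: run from an autostart .desktop entry after login, as the user,
# with no sudo, so notify-send talks to that user's own session bus.
user_notify() {
    [ -e "$STATE_FILE" ] || return 0
    $NOTIFY --urgency=critical "Secure Boot key not enrolled" \
        "Secure Boot is enabled but the signing key is not enrolled."
}

case "${1:-}" in
    system) system_check ;;   # ExecStart of the root service
    user)   user_notify ;;    # Exec of the autostart entry
esac
```

Because the flag lives under `/run`, it is cleared on every reboot and recreated only if the boot-time check still finds the key missing; unprivileged users can read it but not create or remove it.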