feat: Add notification for secure boot key check

build_files/systemd.sh

@@ -14,3 +14,4 @@ systemctl enable brew-upgrade.timer
 systemctl enable brew-update.timer
 systemctl --global enable ublue-user-setup.service
 systemctl --global enable podman-auto-update.timer
+systemctl enable sb-key-notify.service

system_files/shared/usr/bin/check-sb-key

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+FINGERPRINT="$(openssl x509 -fingerprint -noout -in /etc/pki/akmods/certs/akmods-ublue.der | cut -c 18-)"
+mokutil --list-enrolled | grep -q $FINGERPRINT
+ENROLLED=$?
+mokutil --sb-state | grep -q enabled
+SB_ENABLED=$?
+
+if [[ $ENROLLED -eq 1 ]] && [[ $SB_ENABLED -eq 0 ]]; then
+	echo "Secure Boot enabled. Key missing..."
+	exit 1
+fi
+
+echo "No key enrollment needed at this time."
+exit 0

system_files/shared/usr/lib/systemd/system/sb-key-notify.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Service to check for secure boot key enrollment and send notifications
+
+[Service]
+ExecStart=/usr/libexec/sb-key-notify.sh
+
+[Install]
+WantedBy=multi-user.target
+
+[Timer]
+OnBootSec=1min
+OnUnitActiveSec=3h

system_files/shared/usr/libexec/sb-key-notify.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+/usr/bin/check-sb-key > /dev/null
+
+if [[ $? -eq 1 ]]; then
+    USER_ID=$(/usr/bin/loginctl list-users --output=json | jq -r '.[] | .user')
+    XDG_DIR=$(/usr/bin/loginctl show-user $USER_ID | grep RuntimePath | cut -c 13-)
+    /usr/bin/sudo -u \
+        $USER_ID DISPLAY=:0 \
+        DBUS_SESSION_BUS_ADDRESS=unix:path=$XDG_DIR/bus \
+        notify-send "WARNING" \
+        "This machine has secure boot turned on, but you haven't enrolled Universal Blue's keys. Failing to enroll these before rebooting may cause your system to fail to boot. Follow this link https://docs.projectbluefin.io/introduction#secure-boot for instructions on how to enroll the keys." \
+        -i dialog-warning \
+        -u critical \
+        -a mokutil \
+        --wait