From 46b358f5845fcd7ff0c87f7e87ee69fccb2d4199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber@stgraber.org>
Date: Mon, 14 Jul 2025 12:09:14 -0400
Subject: [PATCH] scripts: Inject der version of the keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber@stgraber.org>
---
 scripts/inject-secure-boot-vars.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scripts/inject-secure-boot-vars.sh b/scripts/inject-secure-boot-vars.sh
index 6bf8700..8e74ee3 100755
--- a/scripts/inject-secure-boot-vars.sh
+++ b/scripts/inject-secure-boot-vars.sh
@@ -23,7 +23,15 @@ fi
 mkdir -p certs/mnt/
 LOOP=$(losetup --show -f -P "$1")
 mount "${LOOP}p1" certs/mnt/
+
+# Push the new enrollment keys.
 rm certs/mnt/loader/keys/auto/*
 cp certs/efi/*.auth certs/mnt/loader/keys/auto/
+
+# Push the keys as DER.
+rm certs/mnt/mkosi.der || true
+mkdir -p certs/mnt/keys/
+cp certs/efi/*.der certs/mnt/keys/ || true
+
 umount certs/mnt/
 losetup -d "${LOOP}"