Pacman hook not triggered on kernel update about arch-secure-boot HOT 3 CLOSED

Hello again 😁

First of all, many thanks for the very detailed report!

I think your suspicion is entirely correct, it looks like the missing Operation = Install is indeed to blame.

Re-reading the docs again:

Operation = Install|Upgrade|Remove

Select the type of operation to match targets against. May be specified multiple times. >>>Installations are considered an upgrade if the package >or file< is already present on the system<<< regardless of whether the new package version is actually greater than the currently installed version

If we now look at the package contents of linux-hardened (or any other kernel for that matter), the file is being created in a new versioned directory every time:

usr/lib/modules/6.5.9-hardened1-1-hardened/vmlinuz

So by this logic, kernel upgrade would always trigger Install operation, not Upgrade.

Would you like to do the honors of re-introducing Operation = Install? You deserve the full credit here 🙂

As we talked in #19, the only downside I think is that the initial installation would fire Error: Secure Boot keys are not generated yet error, but I think it's acceptable price.

from arch-secure-boot.

Sure I can submit a PR. What about Target = usr/lib/systemd/systemd do you think it's worth adding ?

EDIT: do you want me to create a separate hook for Target = usr/bin/arch-secure-boot so that it can be Operation = Upgrade only and prevent the error you are mentioning ?

from arch-secure-boot.

I'm not sure about usr/lib/systemd/systemd itself, but perhaps usr/lib/systemd/boot/efi/linuxx64.efi.stub, since we use it in generating efi files? I don't know how usr/lib/systemd/systemd itself plays a role in efi files, what changes when that binary gets updated...

I think lets avoid a separate hook for now, keep it simple. If nothing else, it is a message to user that they must do something after installation of arch-secure-boot 😅

from arch-secure-boot.