Update secure boot config: use single replace rule with both certs

Replace convoluted Source10 duplication and piecemeal delete_line approach with a single comprehensive replace rule matching kernel a8. Add almalinuxsecureboot0.cer, use pesign_name_0 almalinuxsecureboot0.
2026-03-09 10:47:40 +00:00 · 2026-03-09 10:47:40 +00:00 · 43bb0133d3
commit 43bb0133d3
parent 707097a675
2 changed files with 34 additions and 41 deletions
--- a/config.yaml
+++ b/config.yaml
@ -3,7 +3,10 @@ actions:
  - add_files:
      - type: "source"
        name: "almalinuxsecurebootca0.cer"
-        number: 10
+        modify_spec: false
+      - type: "source"
+        name: "almalinuxsecureboot0.cer"
+        modify_spec: false
      - type: "source"
        name: "almalinuxdup1.x509"
        number: 100
@ -58,30 +61,45 @@ actions:
              CN = AlmaLinux kernel signing key
              emailAddress = security@almalinux.org
        count: 1
-      - target: "spec"
-        find: "Source10: almalinuxsecurebootca0.cer"
-        replace: |
-              Source10: almalinuxsecurebootca0.cer
-              Source11: almalinuxsecurebootca0.cer
-        count: 1
      - target: "spec"
        find: |
+              Source10: redhatsecurebootca3.cer
+              Source11: centossecurebootca2.cer
+              Source12: centossecureboot201.cer
+              Source13: redhatsecureboot501.cer
+              Source14: redhatsecureboot302.cer
+              Source15: redhatsecureboot303.cer
+              Source16: redhatsecurebootca7.cer
+              %if 0%{?centos}
+              %define secureboot_ca_0  %{SOURCE11}
+              %define secureboot_key_0 %{SOURCE12}
+              %define pesign_name_0 centossecureboot201
+              %else
+
              %ifarch x86_64 aarch64
              %define secureboot_ca_0 %{SOURCE10}
              %define secureboot_key_0 %{SOURCE13}
              %define pesign_name_0 redhatsecureboot501
              %endif
-        replace: |
+
+              %ifarch s390x
              %define secureboot_ca_0 %{SOURCE10}
-              %define secureboot_ca_1 %{SOURCE11}
-              %define secureboot_ca_2 %{SOURCE11}
+              %define secureboot_key_0 %{SOURCE14}
+              %define pesign_name_0 redhatsecureboot302
+              %endif

-              %define secureboot_key_0 %{SOURCE10}
-              %define pesign_name_0 almalinuxsecurebootca0
-
-              %ifarch x86_64 aarch64
-              %define secureboot_key_1 %{SOURCE11}
-              %define pesign_name_1 almalinuxsecurebootca0
+              %ifarch ppc64le
+              %define secureboot_ca_0 %{SOURCE16}
+              %define secureboot_key_0 %{SOURCE15}
+              %define pesign_name_0 redhatsecureboot701
+              %endif
+              %endif
+        replace: |
+              Source10: almalinuxsecurebootca0.cer
+              Source11: almalinuxsecureboot0.cer
+              %define secureboot_ca_0  %{SOURCE10}
+              %define secureboot_key_0 %{SOURCE11}
+              %define pesign_name_0 almalinuxsecureboot0
        count: 1
      - target: "spec"
        find: |
@ -142,31 +160,6 @@ actions:
  - delete_line:
      - target: "spec"
        lines:
-          - |
-            Source10: redhatsecurebootca3.cer
-            Source11: centossecurebootca2.cer
-            Source12: centossecureboot201.cer
-            Source13: redhatsecureboot501.cer
-            Source14: redhatsecureboot302.cer
-            Source15: redhatsecureboot303.cer
-            Source16: redhatsecurebootca7.cer
-            %if 0%{?centos}
-            %define secureboot_ca_0  %{SOURCE11}
-            %define secureboot_key_0 %{SOURCE12}
-            %define pesign_name_0 centossecureboot201
-            %else
-          - |
-            %ifarch s390x
-            %define secureboot_ca_0 %{SOURCE10}
-            %define secureboot_key_0 %{SOURCE14}
-            %define pesign_name_0 redhatsecureboot302
-            %endif
-          - |
-            %ifarch ppc64le
-            %define secureboot_ca_0 %{SOURCE16}
-            %define secureboot_key_0 %{SOURCE15}
-            %define pesign_name_0 redhatsecureboot701
-            %endif
          - |
            Source100: rheldup3.x509
            Source101: rhelkpatch1.x509
--- a/files/almalinuxsecureboot0.cer
+++ b/files/almalinuxsecureboot0.cer