mkrelease.sh: add UEFI signing

mkrelease.sh

@@ -1,11 +1,58 @@
 #!/bin/bash -ex
 
+usage() {
+    cat << EOF
+Usage: $PROGNAME [OPTION]
+
+  -h, --help             Display this help
+  --certdir DIR          Use DIR as certification CA for EFI signing
+EOF
+}
+
+TEMP=$(
+    getopt -o '' \
+        --long certdir: \
+	--long help \
+        -- "$@"
+    )
+
+if (( $? != 0 )); then
+    usage >&2
+    exit 1
+fi
+
+eval set -- "$TEMP"
+unset TEMP
+
+while true; do
+    case "$1" in
+        '--certdir')
+	    CERTDIR="$(readlink -e $2)"
+            shift 2; continue
+            ;;
+        '--help')
+	    usage
+	    exit 0
+            ;;
+        '--')
+            shift
+            break
+            ;;
+        *)
+            echo 'Internal error!' >&2
+            exit 1
+            ;;
+    esac
+done
+
 JSON="$(realpath -e $1)"
 BASEDIR="${JSON%/*}"
 IMAGE="${BASEDIR}/$(jq -r '.name' ${JSON})-$(jq -r '.version' ${JSON})"
 
 (
     cd "$IMAGE"
+    pesign -c DB -s ${CERTDIR:+--certdir $CERTDIR} -i bootx64.efi -o bootx64-signed.efi
+    mv bootx64-signed.efi bootx64.efi
     [[ -f sha512sum.txt ]] || sha512sum * > sha512sum.txt
     [[ -f sha512sum.txt.sig ]] || gpg2 --detach-sign sha512sum.txt
 )