Merge remote-tracking branch 'origin/master' into harald-bak

2020-03-13 10:29:49 +01:00 · 2020-03-13 10:29:49 +01:00 · ba9ad138e7
parent 13fbf0b8c6 6368f8d4da
commit ba9ad138e7
1 changed files with 28 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -79,24 +79,26 @@ All configurable files have been whitelisted and moved to /cfg.
 For reproducible squashfs builds use https://github.com/squashfskit/squashfskit. Clone it in the 
 main VerityBook directory and build it.
-```bash
+```console
 $ mkdir dist
 $ sudo ./prepare-root.sh \
  --pkglist pkglist.txt \
  --excludelist excludelist.txt \
  --name VerityBook \
  --logo logo.bmp \
  --reposd <REPOSDIR> \
-  --releasever 29
+  --releasever 31
  --baseoutdir $(realpath dist)
 ```
 This will create the following files and directories:
- ```VerityBook``` - keep this directory around for updates
+- `VerityBook` - keep this directory around for updates
  (includes needed passwd/group history and rpmdb)
- ```VerityBook-29.<datetime>``` - the resulting <IMGDIR>
+- `dist/VerityBook-<HASH>.img` - the root image
- ```VerityBook-latest.json``` - a metadata file for the update server
+- `dist/VerityBook-<HASH>-efi.tgz` - signed efi binaries
-
+- `dist/VerityBook-31.<datetime>.json` - metadata of the image 
-or download a prebuilt [image](https://harald.fedorapeople.org/downloads/veritybook.tgz),
+- `dist/VerityBook-31.<datetime>.json.sig` - signature of the metadata
-unpack and use this as ```<IMGDIR>```.
+- `dist/VerityBook-latest.json` - a symlink to the latest version
 ## Sign the release
@ -108,34 +110,40 @@ Rename ```DB.key``` ```DB.crt``` to ```VerityBook.key``` and ```VerityBook.crt``
 Optionally copy ```Shell.efi``` (might be ```/usr/share/edk2/ovmf/Shell.efi```) to the veritybook directory.
-```bash
+```console
 $ sudo ./mkrelease.sh VerityBook-latest.json
 ```
 if you want to make deltas:
 ```console
 $ sudo ./mkdelta.sh ${CHECKPOINT:+--checkpoint} dist/VerityBook-latest.json 
 ```
 If `CHECKPOINT` is set, it will remove old images.
 then upload to your update server:
-```bash
+```console
 $ TARBALL="$(jq -r '.name' VerityBook-latest.json)-$(jq -r '.version' VerityBook-latest.json)".tgz
 $ scp "$TARBALL" VerityBook-latest.json <DESTINATION>
 ```
 ## QEMU disk image
-```bash
+```console
 $ sudo ./mkimage.sh <IMGDIR> image.raw
 ```
 or with the json file:
-```bash
+```console
 $ sudo ./mkimage.sh VerityBook-latest.json image.raw
 ```
 ## USB stick
-```bash
+```console
 $ sudo ./mkimage.sh <IMGDIR> /dev/disk/by-path/pci-…-usb…
 ```
 or with the json file:
-```bash
+```console
 $ sudo ./mkimage.sh VerityBook-latest.json /dev/disk/by-path/pci-…-usb…
 ```
@ -163,7 +171,7 @@ If you cannot:
 - use the option ```--crypttpm2```, if you have a TPM2 chip
 - use the option ```--crypt``` otherwise
-```bash
+```console
 $ sudo veritybook-clonedisk <options> <usb stick device> <harddisk device>
 ```
@ -176,15 +184,15 @@ The first boot takes longer as the system tries to bind the LUKS to the TPM2 on
 It also populates ```/var``` with the missing directories.
 You can always clear the data partition via:
-```bash
+```console
 # wipefs --all --force /dev/<disk partition 5>
 ```
 and then either make a xfs
-```bash
+```console
 # mkfs.xfs -L data /dev/<disk partition 5>
 ```
 or LUKS
-```bash
+```console
 # echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 4> /dev/stdin
 # echo -n "zero key" | cryptsetup luksFormat --type luks2 /dev/<disk partition 5> /dev/stdin
 ```
@ -194,7 +202,7 @@ On the media created with mkimage.sh, this is partition number *3*.
 ## Post Boot
 ### Persistent journal
-```bash
+```console
 $ sudo mkdir /var/log/journal
 ```
@ -204,7 +212,7 @@ The initial password is ```zero key```.
 ## Updating
-```bash
+```console
 # systemd-inhibit veritybook-update <UPDATE-URL>
 ```