From 538a3e0741a940216fb149f4cdb8a6f85a367802 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Thu, 8 Aug 2024 18:43:18 +0100
Subject: [PATCH] chore: update secureboot enrolment password (#60)

* chore: update secureboot enrollment password
* Rename images to remove "base-"
* Properly remove base- from the name
* Actually change image names
* Remove hyphen from before base
* Remove duplicate checkout Correctly check for base string in image name
* Update README with SecureBoot information and remove outdated selinux info
---
 .github/workflows/build.yml | 22 +++++++++++++---------
 .github/workflows/build_iso.yml | 4 ++--
 README.md | 33 +++++++++++++++++++++++++--------
 3 files changed, 40 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ded1e40..3c83178 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -43,8 +43,6 @@ jobs:
         uses: ublue-os/remove-unwanted-software@v7
         with:
           remove-android: 'true'
-      - name: Checkout
-        uses: actions/checkout@v2
       - name: Checkout Push to Registry action
         uses: actions/checkout@v4
 
@@ -78,15 +76,21 @@ jobs:
           done
           echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT
 
+          IMAGE_NAME="cosmic-${{ matrix.flavor }}"
+          if [[ "$IMAGE_NAME" == *-base* ]]; then
+            IMAGE_NAME="${IMAGE_NAME//-base/}"
+          fi
+          echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
+
       # Build metadata
       - name: Image Metadata
         uses: docker/metadata-action@v5
         id: meta
         with:
           images: |
-            cosmic-${{ matrix.flavor }}
+            ${{ env.IMAGE_NAME }}
           labels: |
-            org.opencontainers.image.title=cosmic-${{ matrix.flavor }}
+            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
             org.opencontainers.image.version=${{ matrix.version }}
             org.opencontainers.image.description=${{ env.description }}
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
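Review bot: The `if [[ "$IMAGE_NAME" == *-base* ]]` guard around the substitution is redundant, because `${IMAGE_NAME//-base/}` already leaves the value untouched when the pattern does not occur, so the three lines reduce to `IMAGE_NAME="${IMAGE_NAME//-base/}"`. The pattern also strips `-base` wherever it appears in the flavor, so any future flavor whose name merely contains that substring (a constructed example: `-baseline`) would be silently mangled; anchoring the match to the flavor boundary, or carrying the published name as an explicit matrix field, would make the intent checkable. A one-line comment would help the next reader: `# Publish cosmic-base and cosmic-base-nvidia as cosmic and cosmic-nvidia (names match the build_iso.yml matrix)`. The `run:` block this code is appended to starts before the hunk.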
@@ -126,11 +130,11 @@ jobs:
         with:
           rechunk: 'ghcr.io/hhd-dev/rechunk:v0.8.1'
           ref: 'raw-img'
-          prev-ref: "${{ env.IMAGE_REGISTRY }}/cosmic-${{ matrix.flavor }}:${{ matrix.version }}"
+          prev-ref: "${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.version }}"
           skip_compression: true
           version: ${{ matrix.version }}
           labels: |
-            org.opencontainers.image.title=cosmic-${{ matrix.flavor }}
+            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
             org.opencontainers.image.description=${{ env.description }}
             io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/cosmic/main/README.md
             io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
@@ -140,7 +144,7 @@ jobs:
           IMAGE=$(podman pull ${{ steps.rechunk.outputs.ref }})
           sudo rm -rf ${{ steps.rechunk.outputs.output }}
           for tag in ${{ steps.generate-tags.outputs.alias_tags }}; do
-            podman tag $IMAGE cosmic-${{ matrix.flavor }}:$tag
+            podman tag $IMAGE ${{ env.IMAGE_NAME }}:$tag
           done
 
       # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
@@ -166,7 +170,7 @@ jobs:
         id: push
         with:
           registry: ${{ steps.registry_case.outputs.lowercase }}
-          image: cosmic-${{ matrix.flavor }}
+          image: ${{ env.IMAGE_NAME }}
           tags: ${{ steps.generate-tags.outputs.alias_tags }}
           extra-args: |
             --disable-content-trust
@@ -178,7 +182,7 @@ jobs:
       - name: Sign container image
         if: github.event_name != 'pull_request'
         run: |
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/cosmic-${{ matrix.flavor }}@${TAGS}
+          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ env.IMAGE_NAME }}@${TAGS}
         env:
           TAGS: ${{ steps.push.outputs.digest }}
           COSIGN_EXPERIMENTAL: false
diff --git a/.github/workflows/build_iso.yml b/.github/workflows/build_iso.yml
index 375b983..d6cfe53 100644
--- a/.github/workflows/build_iso.yml
+++ b/.github/workflows/build_iso.yml
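Review bot: `prev-ref` now names `${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ matrix.version }}`, which for the renamed flavors is an image that has never been published, so the first run after this change has no previous reference to rechunk against; whether the rechunk action treats a missing `prev-ref` as fatal or just skips the delta should be confirmed before merging, and a comment such as `# prev-ref is absent on the first build of a renamed image` would record the expectation. The same rename flows through the `podman tag`, push and `cosign sign` hunks below, which means installs that rebased to the old `cosmic-base` / `cosmic-base-nvidia` names stop receiving signed updates once this lands, without any error on their side; pushing and signing the old names for a transition period, or at least documenting the required `rpm-ostree rebase` in the README, would close that gap. The `rechunk` step's `with:` block begins before the first hunk.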
@@ -24,7 +24,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        image_name: [cosmic-silverblue, cosmic-base, cosmic-silverblue-nvidia, cosmic-base-nvidia]
+        image_name: [cosmic, cosmic-nvidia, cosmic-silverblue,cosmic-silverblue-nvidia]
         fedora_version: [40]
 
     steps:
@@ -41,7 +41,7 @@ jobs:
           version: ${{ matrix.fedora_version }}
           image_tag: ${{ matrix.fedora_version }}-amd64
           secure_boot_key_url: 'https://github.com/ublue-os/akmods/raw/main/certs/public_key.der'
-          enrollment_password: 'ublue-os'
+          enrollment_password: 'universalblue'
           iso_name: ${{ matrix.image_name }}-${{ matrix.fedora_version }}.iso
 
       - name: Upload ISOs and Checksum to Job Artifacts
diff --git a/README.md b/README.md
index 7d7dff6..5589a45 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 > NOTES:
 > These images are not associated with System76! If you have issues, please understand they might be COSMIC related, OR they might be related to this image.
-> The COSMIC Desktop Environment is still PRE ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing.
+> The COSMIC Desktop Environment is still ALPHA. Do not daily drive this image on your main workstation unless you know what you're doing.
 Like Fedora? Want to try the latest from the work in progress Cosmic Desktop Environment? Want to help find bugs and/or contribute to Cosmic development, but don't want to work in a VM or install Pop!_OS? None of the above things but something else??!?
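Review bot: The new matrix list drops the space after the comma in `cosmic-silverblue,cosmic-silverblue-nvidia`; it still parses as two entries, but the other separators in the same flow sequence use `, `, so the inconsistency reads like a typo and hides the fourth entry on a quick scan. `image_name: [cosmic, cosmic-nvidia, cosmic-silverblue, cosmic-silverblue-nvidia]` keeps the list uniform. The job definition continues outside the hunk.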
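Review bot: The literal `universalblue` is now hard-coded here and repeated verbatim in the README section this commit adds, so the two copies can drift the next time the enrollment password changes; a comment pointing at the other occurrence, `# Must match the MOK enrollment password documented in README.md (Secure Boot section)`, or a single workflow-level variable referenced from the ISO step and quoted in the docs, would keep them in sync. Because the value is published in the README it is not a secret and should not be moved into a repository secret: it only confirms the first-boot enrollment prompt, and the trust anchor is the key fetched from `secure_boot_key_url`, so plain text in the workflow is the right place for it. The `with:` block of this step begins before the hunk.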
@@ -13,15 +13,9 @@ Go ahead and try one of the ostree images I've created here! Install a Fedora Atomic Desktop, like [Fedora Silverblue](https://fedoraproject.org/atomic-desktops/silverblue/). -#### Warning -This image requires disabling SELinux. **This is NOT recommended for production** and is a temporary situation until this work is finished in upstream Fedora. - - sudo setenforce 0 && getenforce - -You can view the SELinux config in `/etc/selinux/config` #### Variants -- `cosmic-base`: Just the COSMIC Desktop +- `cosmic`: Just the COSMIC Desktop - `cosmic-silverblue`: Recommended, Fedora Silverblue with COSMIC Desktop added - `cosmic-kinoite`: Fedora Kinoite with COSMIC Desktop addded @@ -35,6 +29,29 @@ Rebase to the signed image rpm-ostree rebase --reboot ostree-image-signed:docker://ghcr.io/ublue-os/VARIANT:40-amd64 + +### Secure Boot + +Secure Boot is supported by default on our systems, providing an additional layer of security. After the first installation, you will be prompted to enroll the secure boot key in the BIOS. + +Enter the password `universalblue` +when prompted to enroll our key. + +If this step is not completed during the initial setup, you can manually enroll the key by running the following command in the terminal: + +` +ujust enroll-secure-boot-key +` + +Secure boot is supported with our custom key. The pub key can be found in the root of the akmods repository [here](https://github.com/ublue-os/akmods/raw/main/certs/public_key.der). +If you'd like to enroll this key prior to installation or rebase, download the key and run the following: + +```bash +sudo mokutil --timeout -1 +sudo mokutil --import secure_boot.der +``` + + ### Enabling the display manager Log in with your username and password, then run: