1 files changed, 13 insertions, 4 deletions

diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
index 1dc03186..8494a5c8 100755
--- a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -1,7 +1,7 @@
 #!/bin/sh
 SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/MOK.key"
-MOK_CERT="/var/lib/shim-signed/mok/MOK.pem"
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
 VMLINUZ=$(readlink /boot/vmlinuz)
 
 # All Linux Kernel modules need to be cryptographically signed
@@ -13,10 +13,19 @@ find /lib/modules -type f -name \*.ko | while read MODULE; do
     fi
 done
 
-if [ ! -f ${MOK_KEY} ]; then
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
     echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
 else
     echo "I: Signing Linux Kernel for Secure Boot"
-    sbsign --key ${MOK_KEY} --cert ${MOK_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+    sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
     sbverify --list /boot/${VMLINUZ}
+    rm -f ${KERNEL_KEY}
 fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+    if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+        echo "Found private key - bailing out"
+        exit 1
+    fi
+done
+