- build-iso.yml: on tag push (v*.*.*), split ISO into 1.9G parts, GPG-sign
the sha256 with GPG_PRIVATE_KEY secret, and auto-create release with
softprops/action-gh-release@v2 attaching part files + sig + reassembly
instructions. Falls back to legacy release.published path.
- build-iso.yml: optional EFI Secure Boot signing step. If MOK_PRIVATE_KEY
+ MOK_CERT secrets are present, sbsign each .efi inside the ISO and
repack with xorriso; otherwise warn and ship unsigned. Refresh sha256.
- release-checksums.yml: new PR-time gate. Validates source + generated
CI kickstart, shellchecks scripts, parses every workflow YAML, and
asserts the split size stays under GitHub'''s 2 GiB asset cap.
- scripts/gen-mok-key.sh: idempotent MOK keypair generator (RSA-4096,
10y), outputs to gitignored build/keys/. Header documents mokutil
enrollment and gh secret upload. exec bit set in index.
- .gitignore: add build/keys/, *.priv, *.der.
User must add GitHub secrets before the next tagged release:
GPG_PRIVATE_KEY — armored private key for sha256 signing
MOK_PRIVATE_KEY — sbsign EFI signing key (PEM)
MOK_CERT — public cert (DER) for sbsign + mokutil enrollment
2782b72ead