From 93fc2123c3e12f0722a3487c5bb188a7a2935688 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Tue, 17 Feb 2026 15:00:08 +0000
Subject: [PATCH] [ci] Include CA certificate file alongside signed binaries

Include the relevant CA certificate in the UEFI Secure Boot build artifacts. This allows for easy identification of test-signed builds without having to extract the certificate from the signed binary. This also eases the process of adding the ephemeral test-signing certificate to the UEFI trusted certificate list, if a user wants to test a non-release build with Secure Boot enabled. (The corresponding private key is deliberately not preserved, to minimise the attack surface that this would otherwise open up on the user's system.) Include the commit hash and build architecture within the ephemeral test-signing certificate's subject name, to make it obvious that the scope is limited to signing only that single build.

Signed-off-by: Michael Brown
---
 .github/workflows/build.yml | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 102f087dd..41ed48365 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -238,9 +238,11 @@ jobs:
 - name: Test certificate
 run: |
+ COMMITID=$(echo ${{ github.sha }} | cut -c1-9)
+ SUBJECT="iPXE Test Signing (${COMMITID}, ${{ matrix.arch }})"
 openssl req \
 -newkey rsa:2048 -passout 'pass:testpw' -keyout testsign.key \
- -subj '/CN=Test Signing/' -x509 -out testsign.crt
+ -subj "/CN=${SUBJECT}/" -x509 -out testsign.crt
 - name: Certificate chain
 run: |
@@ -260,13 +262,13 @@ jobs:
 -pass ${{ env.signpass }} \
 -ts http://timestamp.digicert.com \
 -in unsigned/${binary} \
- -out signed/${binary}
+ -out ${binary}
 done
 - name: Verify
 run: |
 for binary in ${{ env.binaries }} ; do
- osslsigncode verify -CAfile ${{ env.cacert }} signed/${binary}
+ osslsigncode verify -CAfile ${{ env.cacert }} ${binary}
 done
 - name: Upload
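Review bot: The commit id on the new `COMMITID=` line is obtained by piping the `${{ github.sha }}` expression through `echo | cut`, but the runner already exposes the same value as `GITHUB_SHA`, so `COMMITID=${GITHUB_SHA:0:9}` gives the same nine characters without expanding a workflow expression inside the script, which is the form GitHub's own hardening guidance prefers for `run:` steps. The `${{ matrix.arch }}` on the `SUBJECT=` line could likewise be passed in through the step's `env:` block and read as a plain shell variable. Neither value is attacker-controlled here (the SHA is a fixed hex string and the matrix is declared in this file), so this is a style point rather than an injection finding. The subject text contains only parentheses, a comma and spaces, none of which are special to `openssl -subj`, so the double-quoted `"/CN=${SUBJECT}/"` form is sound.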
@@ -275,8 +277,9 @@ jobs:
 name: ${{ env.bindir }}
 if-no-files-found: error
 path: |
- signed/ipxe.efi
- signed/snponly.efi
+ ${{ env.cacert }}
+ ipxe.efi
+ snponly.efi
 linux:
 name: Linux / ${{ matrix.arch }}
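Review bot: The new `path:` list relies on being an explicit allow-list to keep `testsign.key` (written next to the binaries by the earlier step) out of the uploaded artifact, and nothing in the workflow records that intent, so a future "upload everything" simplification could leak the key without anyone noticing. A comment on the line above `path: |`, for example `# Explicit list: the CA certificate ships with the binaries, the test-signing key must never be uploaded`, would pin that down; it has to sit above the key rather than inside the literal block, where a `#` line would be read as a path pattern. `if-no-files-found: error` already makes a missing `${{ env.cacert }}` fatal, which is the right behaviour; `env.cacert` itself is defined outside this hunk, so I have not checked which file it resolves to for release versus test builds.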