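#!/bin/bash
# Create the system seed for TPM-backed FDE in the live layer of the installer.
#
# Inputs (environment): PASS, SUBPROJECT, PROJECT, CHANNEL.
# Side effects: runs `snap prepare-image` into ./chroot, renames the single
# generated system to "enhanced-secureboot-desktop", copies the seed into
# chroot/var/lib/snapd/seed and removes chroot/system-seed/.

set -eux

# Only act on passes whose name ends in ".live".
case ${PASS:-} in
    *.live)
        ;;
    *)
        exit 0
        ;;
esac

if [ -n "${SUBPROJECT:-}" ]; then
    echo "We don't run Ubuntu Desktop hooks for this project."
    exit 0
fi

. config/binary
. config/functions

# Generation of the model:
#  * At https://github.com/canonical/models one can find a repo of raw,
#    unsigned, input .json files, and their signed .model equivalents.
#  * At least once per cycle, update the json for the new Ubuntu version.
#    To do this, take the previous cycle ubuntu-classic-$ver-amd64.json file,
#    rename for the new version, and do any necessary updates including fixing
#    the versions of tracks.
#  * When this is done, the json needs to be signed.  This needs to be done by
#    a Canonical employee - try asking someone who has recently opened PRs on
#    https://github.com/canonical/models with the signed models.
#  * Ensure the signed and unsigned version of the models are updated in the
#    models repo.
#  * The signed model can then be placed here in livecd-rootfs at
#    live-build/${PROJECT}/ubuntu-classic-amd64.model
# env SNAPPY_STORE_NO_CDN=1 snap known --remote model series=16 brand-id=canonical model=ubuntu-classic-2410-amd64 > config/classic-model.model
model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64.model

# for the dangerous subproject, we need the dangerous model!
# NOTE(review): this branch cannot be taken as written, because the script
# already exits above whenever SUBPROJECT is non-empty.  Decide which of the
# two checks is intended before relying on it.  The dangerous model is
# presumably for development images only; confirm it can never be selected
# for a release build.
# The expansion is quoted and defaulted: under `set -u` an unset SUBPROJECT
# would otherwise abort the script here, and an empty one would make `[`
# report a syntax error.
if [ "${SUBPROJECT:-}" = "dangerous" ]; then
    model=/usr/share/livecd-rootfs/live-build/${PROJECT}/ubuntu-classic-amd64-dangerous.model
fi

# prepare-image builds the seed from this model assertion, so fail early and
# clearly if the expected file is missing rather than part-way through.
if [ ! -r "$model" ]; then
    echo "Model assertion not found or not readable: $model" >&2
    exit 1
fi

# Build the argument list as an array so that $model and $CHANNEL are each
# passed as exactly one argument; an unquoted string would be word-split and
# glob-expanded, letting a stray space in CHANNEL inject extra arguments.
prepare_args=(--classic "$model")
if [ -n "${CHANNEL:-}" ]; then
    prepare_args+=(--channel "$CHANNEL")
fi
prepare_args+=(chroot)

# Set UBUNTU_STORE_COHORT_KEY="+" to force prepare-image to fetch the latest
# snap versions regardless of phasing status
env SNAPPY_STORE_NO_CDN=1 UBUNTU_STORE_COHORT_KEY="+" snap prepare-image \
    "${prepare_args[@]}"

# The rename below only makes sense when prepare-image produced exactly one
# system.  Check that explicitly instead of letting mv fail with a confusing
# message when the glob matches nothing or several entries.
seed_systems=(chroot/system-seed/systems/*)
if [ "${#seed_systems[@]}" -ne 1 ] || [ ! -e "${seed_systems[0]}" ]; then
    echo "Expected exactly one entry in chroot/system-seed/systems, found: ${seed_systems[*]}" >&2
    exit 1
fi
mv -- "${seed_systems[0]}" chroot/system-seed/systems/enhanced-secureboot-desktop

rsync -av chroot/system-seed/{systems,snaps} chroot/var/lib/snapd/seed
rm -rf chroot/system-seed/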