hrmm.. gpg throwing errors and killing chroot

src/ipxe_local/00-general.sed

@@ -1,7 +1,10 @@
+## Enable IPv6 support
 s/^#undef([[:space:]]*NET_PROTO_IPV6)/#define\1/g
+## Enable HTTPS
 s/^#undef([[:space:]]*DOWNLOAD_PROTO_HTTPS)/#define\1/g
+s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g
+## Enable FTP
 s/^#undef([[:space:]]*DOWNLOAD_PROTO_FTP)/#define\1/g
 ## Currently broken for EFI building
 #s@^//(#define[[:space:]]*CONSOLE_CMD)@\1@g
 #s@^//(#define[[:space:]]*IMAGE_PNG@\1@g
-s@^//(#define[[:space:]]*IMAGE_TRUST_CMD@\1@g

src/ipxe_local/EMBED

@@ -1,4 +1,8 @@
 #!ipxe
 
 dhcp
+## TODO: signed kernel and initrd
+#imgtrust --permanent
+#imgverify vmlinuz path/to/vmlinuz.sig
+#imgverify initrd path/to/initrd.sig
 chain https://bdisk.square-r00t.net

src/ipxe_local/ssl/openssl.cnf

@@ -0,0 +1,33 @@
+[ ca ]
+default_ca             = ca_default
+
+[ ca_default ]
+certificate            = crts/ca.crt
+private_key            = keys/ca.key
+serial                 = txt/ca.srl
+database               = txt/ca.idx
+#new_certs_dir          = signed
+new_certs_dir          = crts
+#default_md             = default
+default_md             = sha512
+policy                 = policy_anything
+preserve               = yes
+default_days           = 90
+unique_subject         = no
+
+[ policy_anything ]
+countryName            = optional
+stateOrProvinceName    = optional
+localityName           = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = optional
+emailAddress           = optional
+
+[ cross ]
+basicConstraints       = critical,CA:true
+keyUsage               = critical,cRLSign,keyCertSign
+
+[ codesigning ]
+keyUsage                = digitalSignature
+extendedKeyUsage        = codeSigning