sdk_entry: use persistent module signing keys for unofficial builds

For official builds (COREOS_OFFICIAL=1), continue using ephemeral
temporary directories for module signing keys.

For unofficial/development builds, use a persistent directory at
/mnt/host/source/.module-signing-keys to preserve keys across
container restarts.

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

Author: danzatt

sdk_container/src/third_party/coreos-overlay/eclass/coreos-kernel.eclass

@@ -169,6 +169,12 @@ setup_keys() {
 
 	echo "Preparing keys at $sig_key"
 
+	if [[ ${COREOS_OFFICIAL:-0} -eq 0 ]]; then
+          # Allow portage sandbox to write to the module signing key directory,
+          # which is in home for unofficial builds
+          addwrite "${MODULE_SIGNING_KEY_DIR}"
+        fi
+
 	mkdir -p $MODULE_SIGNING_KEY_DIR
 	pushd $MODULE_SIGNING_KEY_DIR
 

sdk_lib/sdk_entry.sh

@@ -67,7 +67,13 @@ fi
 
 # Create key directory if not already configured in .bashrc
 if ! grep -q 'export MODULE_SIGNING_KEY_DIR' /home/sdk/.bashrc; then
-    MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
+    # For official builds, use ephemeral keys. For unofficial builds, use persistent directory
+    if [[ ${COREOS_OFFICIAL:-0} -eq 1 ]]; then
+        MODULE_SIGNING_KEY_DIR=$(su sdk -c "mktemp -d")
+    else
+        MODULE_SIGNING_KEY_DIR="/home/sdk/.module-signing-keys"
+        su sdk -c "mkdir -p '$MODULE_SIGNING_KEY_DIR'"
+    fi
     if [[ ! "$MODULE_SIGNING_KEY_DIR" || ! -d "$MODULE_SIGNING_KEY_DIR" ]]; then
         echo "Failed to create directory for module signing keys."
     else