cryptenroll: use a different credential for new new PIN
authorLennart Poettering <lennart@poettering.net>
Mon, 19 Feb 2024 16:34:20 +0000 (17:34 +0100)
committerLennart Poettering <lennart@poettering.net>
Tue, 20 Feb 2024 15:50:00 +0000 (16:50 +0100)
The TPM2 enrollment is the only one of the three token enrollments where the
user picks a PIN at enrollment time (the others have a PIN set for the
token, not for the enrollment). Let's make sure it uses a different
credential for retrieving this PIN, in order to make sure people can
programmatically change PINs via credentials (in which case they need to
supply both).

src/cryptenroll/cryptenroll-tpm2.c

index e5e0cd652949ca1e3c24e1f7feed7f584ec3ac6d..d7497c756b453071866ab82cac66450df96a9cc7 100644 (file)
@@ -91,7 +91,7 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
                                 .message = "Please enter TPM2 PIN:",
                                 .icon = "drive-harddisk",
                                 .keyring = "tpm2-pin",
-                                .credential = "cryptenroll.tpm2-pin",
+                                .credential = "cryptenroll.new-tpm2-pin",
                         };
 
                         pin = strv_free_erase(pin);
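Review bot: The `.keyring = "tpm2-pin"` entry just above the changed `.credential` line is left as it was, so only the credential lookup is separated for the new PIN; the keyring name is presumably still the one used when asking for the existing PIN. Whether that matters depends on the flags passed to the ask-password call, which are outside the hunk: if cached keyring entries are accepted or pushed for this request, a PIN cached for unlocking could satisfy the new-PIN prompt, or the reverse. That is worth confirming, and if it applies the enrollment request should get its own keyring name. The prompt also does not tell the user that a new PIN is being set; consider `.message = "Please enter new TPM2 PIN:",`. get_pin's body starts and ends outside the hunk.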