if not keyutil:
return
- if want_verity(config):
+ if config.verity != ConfigFeature.disabled and config.verity_certificate and config.verity_key:
run_systemd_sign_tool(
config,
cmdline=[keyutil, "validate"],
stdout=subprocess.DEVNULL,
)
- if want_signed_pcrs(config):
+ if (
+ config.bootable != ConfigFeature.disabled
+ and config.sign_expected_pcr != ConfigFeature.disabled
+ and config.sign_expected_pcr_certificate
+ and config.sign_expected_pcr_key
+ ):
run_systemd_sign_tool(
config,
cmdline=[keyutil, "validate"],