done < <(find hashes/ukis hashes/kernels -type f \( -name '*efi.sig' -o -name 'vmlinu*.sig' \) -printf '%P\n')
rm -rf "$OUTPUTDIR"/*.sig hashes/ukis
-# If there are signed bootloaders, install them in the ESP
+# Second step: if there are signed bootloaders, install them in the ESP
while read -r BOOTLOADER; do
unsigned="$(basename "${BOOTLOADER%.sig}")"
signed="$(basename "${BOOTLOADER%.sig}".signed)"
rm -rf hashes/bootloaders
rm -rf nss-db
-# Second step: if there are PCR policy signatures, rebuild the JSON
+# Third step: if there are PCR policy signatures, rebuild the JSON
# blobs with the attached signatures
while read -r SIG; do
uki="$OUTPUTDIR/$(basename "$(dirname "${SIG%.sig}")")"
mkdir -p "$nss_db"
certutil -N -d sql:"$nss_db" --empty-password
-# Third step: now that the JSON blob is rebuilt, merge it in the UKI
+# Fourth step: now that the JSON blob is rebuilt, merge it in the UKI
while read -r PCRS; do
uki="${PCRS%.pcrs.sig}.efi"
ukify --json=short --pcrsig "@$PCRS" --join-pcrsig "$uki" --output "$uki.attached" build
done < <(find "$OUTPUTDIR" -type f -name '*.pcrs.sig')
rm -f "$OUTPUTDIR"/*.pcrs*
-# Fourth step: take hash of the UKIs after the signed JSON blobs have been merged
-# and prepare for the next iteration
-if [ -d hashes/ukis ]; then
- pushd hashes
- find . -type f | cpio -H newc -o >"$OUTPUTDIR/hashes.cpio.rsasign"
- popd
- cp /usr/src/packages/SOURCES/mkosi.conf "$OUTPUTDIR"
- echo "Staging the following files for signing:"
- cpio -t <"$OUTPUTDIR/hashes.cpio.rsasign"
-fi
-
# Fifth step: finalize any DDI by attaching the verity roothash signatures
while read -r SIG; do
test -f "/usr/src/packages/SOURCES/$(basename "${SIG%roothash.sig}repart.tar")" || continue
fi
rm -rf hashes/authvars
+# Final step: if there are any hashes staged, prepare for the next stage
+rmdir --ignore-fail-on-non-empty hashes
+if [ -d hashes ]; then
+ pushd hashes
+ find . -type f | cpio -H newc -o >"$OUTPUTDIR/hashes.cpio.rsasign"
+ popd
+ cp /usr/src/packages/SOURCES/mkosi.conf "$OUTPUTDIR"
+ echo "Staging the following files for signing:"
+ cpio -t <"$OUTPUTDIR/hashes.cpio.rsasign"
+fi
+
rm -rf hashes "$nss_db"
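Review bot: `rmdir --ignore-fail-on-non-empty hashes` only removes `hashes` when it is directly empty, so a leftover empty subdirectory (a `hashes/...` tree whose files were all consumed in the earlier steps) keeps `[ -d hashes ]` true and the final step then stages an empty `hashes.cpio.rsasign` together with `mkosi.conf`, which presumably kicks off another signing iteration with nothing to sign. Deciding on staged files rather than on the directory avoids that: prune with `find hashes -mindepth 1 -type d -empty -delete` before the `rmdir`, or guard with `if [ -n "$(find hashes -type f -print -quit 2>/dev/null)" ]; then`. While here, `find . -type f | cpio -H newc -o` splits entries on newlines, so `find . -type f -print0 | cpio -0 -H newc -o` keeps the archive contents exactly the set of files on disk. The script continues outside this hunk, so whether `set -e`/`pipefail` covers the `cpio` pipeline cannot be seen from here.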