Only allow certificate files when not using systemd-sbsign

diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index 76dc6ecc219573fc685a9f9330813c2db0be7615..f244c11dbae55598c8e563158c856446a32cc769 100644 (file)
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -595,6 +595,9 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
         or context.config.secure_boot_sign_tool == SecureBootSignTool.auto
         and context.config.find_binary("sbsign") is not None
     ):
+        if context.config.secure_boot_certificate_source.type != CertificateSourceType.file:
+            die("Secure boot certificate source must be 'file' when using sbsign as the signing tool")
+
         cmd = [
             "sbsign",
             "--cert", workdir(context.config.secure_boot_certificate),
@@ -633,6 +636,9 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
         or context.config.secure_boot_sign_tool == SecureBootSignTool.auto
         and context.config.find_binary("pesign") is not None
     ):
+        if context.config.secure_boot_certificate_source.type != CertificateSourceType.file:
+            die("Secure boot certificate source must be 'file' when using pesign as the signing tool")
+
         pesign_prepare(context)
         run(
             [