verity: copy signing certificate to /usr/lib/verity.d/

If a signing certificate for verity is specified copy it in the image
to /usr/lib/verity.d/ so that it can be used for userspace verification
when not using secure boot

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index d2dc1c0fe5763c3a94f74b3b13cbd10f73203402..b694e971b781e4ffb035c573a0818c1226d38f13 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -511,6 +511,25 @@ def configure_autologin(context: Context) -> None:
         )
 
 
+def configure_verity_certificate(context: Context) -> None:
+    if not context.config.verity_certificate:
+        return
+
+    # TODO: support providers after https://github.com/systemd/systemd/pull/39962 is merged
+    if context.config.verity_certificate_source.type != CertificateSourceType.file:
+        return
+
+    veritydir = context.root / "usr/lib/verity.d"
+    with umask(~0o755):
+        veritydir.mkdir(parents=True, exist_ok=True)
+
+    # dissect wants .crt and will ignore anything else
+    dest = veritydir / context.config.verity_certificate.with_suffix(".crt").name
+
+    with umask(~0o644):
+        shutil.copy(context.config.verity_certificate, dest)
+
+
 @contextlib.contextmanager
 def setup_build_overlay(context: Context, volatile: bool = False) -> Iterator[None]:
     d = context.workspace / "build-overlay"
@@ -3931,6 +3950,7 @@ def build_image(context: Context) -> None:
         configure_initrd(context)
         configure_ssh(context)
         configure_clock(context)
+        configure_verity_certificate(context)
 
         if manifest:
             manifest.record_extension_release()