Don't require sbsigntools for secure boot auto enroll unless required

If bootctl 257 or newer is installed, we don't use sbsigntools anymore
so don't require it in that case.

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 928a973db5a297ef16f1e64495157943c39c2f1e..fec4cf2dc29a7a021db45261edd0b9fe3065ece5 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2631,7 +2631,15 @@ def check_tools(config: Config, verb: Verb) -> None:
                 reason="sign verity roothash signature with OpenSSL engine",
             )
 
-        if want_efi(config) and config.secure_boot and config.secure_boot_auto_enroll:
+        if (
+            want_efi(config)
+            and config.secure_boot
+            and config.secure_boot_auto_enroll
+            and (
+                not config.find_binary("bootctl")
+                or systemd_tool_version("bootctl", sandbox=config.sandbox) < "257~devel"
+            )
+        ):
             check_tool(config, "sbsiglist", reason="set up systemd-boot secure boot auto-enrollment")
             check_tool(config, "sbvarsign", reason="set up systemd-boot secure boot auto-enrollment")