sd-journal: allow to verify sealed journals even when sealing support is disabled
authorYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 27 Jun 2026 06:20:27 +0000 (15:20 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sat, 27 Jun 2026 15:00:11 +0000 (00:00 +0900)
Of course, if sealing support is disabled, seal tags cannot be verified, hence that check is skipped.

src/libsystemd/sd-journal/journal-verify.c

index b8cc3555f6b1238715442882bd888ceed9a130bb..dd3b6f32d49e925e864a97c47a7b9e0b67756ff2 100644 (file)
@@ -841,8 +841,14 @@ int journal_file_verify(
                 r = journal_file_auth_load_key(f, key);
                 if (r < 0)
                         return log_error_errno(r, "Failed to load verification key: %m");
-        } else if (JOURNAL_HEADER_SEALED(f->header))
-                return -ENOKEY;
+        } else if (JOURNAL_HEADER_SEALED(f->header)) {
+                /* For a sealed journal file, request the verification key when journal sealing is supported.
+                 * Otherwise, log that seal verification is skipped. */
+                if (journal_auth_supported())
+                        return -ENOKEY;
+                else
+                        log_notice("Journal file is sealed, but journal sealing support is disabled. Skipping seal verification.");
+        }
 
         r = var_tmp_dir(&tmp_dir);
         if (r < 0) {
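Review bot: In the new `else` branch, a sealed journal on a build without sealing support falls through to the rest of journal_file_verify with only a `log_notice`. As far as this hunk shows, the caller then gets the same result as for a file whose seal was actually checked. Anything that reads a successful return as evidence that the file was not tampered with would be misled, so the comment should say so, e.g. `/* In this case a successful return only means the file structure is consistent, not that the seal is authentic. */`, and the message is arguably worth `log_warning`. The `else` after `return -ENOKEY;` is redundant. The function body starts and ends outside the hunk.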
@@ -1147,7 +1153,7 @@ int journal_file_verify(
                                 }
                         }
 
-                        if (JOURNAL_HEADER_SEALED(f->header)) {
+                        if (JOURNAL_HEADER_SEALED(f->header) && journal_auth_supported()) {
                                 uint64_t q, rt, rt_end;
 
                                 debug(p, "Checking tag %"PRIu64"...", le64toh(o->tag.seqnum));
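Review bot: The added `&& journal_auth_supported()` skips the whole tag-object branch, not only the keyed comparison. The visible lines declare `q, rt, rt_end` and log the tag seqnum, which suggests the branch also holds sequence or epoch consistency checks that need no key, though its body lies outside the hunk. If so, those checks could still run when sealing support is disabled, with only the HMAC step gated. At minimum a comment here should state what is skipped, e.g. `/* Without sealing support, tag objects are not validated at all. */`.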