Mark private keys as secrets
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Fri, 15 Dec 2023 09:54:42 +0000 (10:54 +0100)
committerDaan De Meyer <daan.j.demeyer@gmail.com>
Sat, 16 Dec 2023 17:59:15 +0000 (18:59 +0100)
Let's ensure that these have a strict access mode.

mkosi/config.py

index 320f770b55a1bb7c779318d66424d05042fce3eb..073aa74a1113ffae6a7e8f53165597965fe0dde4 100644 (file)
@@ -1923,7 +1923,7 @@ SETTINGS = (
         dest="secure_boot_key",
         metavar="PATH",
         section="Validation",
-        parse=config_make_path_parser(),
+        parse=config_make_path_parser(secret=True),
         paths=("mkosi.key",),
         help="UEFI SecureBoot private key in PEM format",
     ),
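Review bot: The `help` text for `secure_boot_key` still reads only `"UEFI SecureBoot private key in PEM format"`, so a user whose existing key file is rejected once `secret=True` takes effect finds nothing in `--help` that points at file permissions; the same applies to `verity_key` and `passphrase` in the next two hunks. The commit message states the intent as a strict access mode, but the mode actually enforced lives in `config_make_path_parser`, which is outside this diff, so the wording should be taken from there, along the lines of `help="UEFI SecureBoot private key in PEM format (file must not be accessible to group or others)"`. It is also worth confirming that the auto-discovered default `paths=("mkosi.key",)` goes through the same `parse` callable, because if it does not, the key file most projects rely on would skip the check. The `SETTINGS` tuple begins and ends outside the hunk.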
@@ -1948,7 +1948,7 @@ SETTINGS = (
         dest="verity_key",
         metavar="PATH",
         section="Validation",
-        parse=config_make_path_parser(),
+        parse=config_make_path_parser(secret=True),
         paths=("mkosi.key",),
         help="Private key for signing verity signature in PEM format",
     ),
@@ -1971,7 +1971,7 @@ SETTINGS = (
         dest="passphrase",
         metavar="PATH",
         section="Validation",
-        parse=config_make_path_parser(required=False),
+        parse=config_make_path_parser(required=False, secret=True),
         paths=("mkosi.passphrase",),
         help="Path to a file containing the passphrase to use when LUKS encryption is selected",
     ),
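Review bot: `config_make_path_parser(required=False, secret=True)` combines two options whose interaction cannot be seen from this hunk: `required=False` presumably tolerates a missing file, while a permission check has to stat the path. If the parser (outside this diff) runs the mode check regardless of existence, a configured but absent passphrase file would now fail on the stat instead of being accepted as before. A short comment on this entry would record the expected behaviour, e.g. `# secret=True: mode is only checked when the file exists (required=False)`, and a test that parses a non-existent passphrase path would pin it.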