Make sure we only use workdir() for keys if they're a path on disk
authorDaan De Meyer <daan.j.demeyer@gmail.com>
Tue, 17 Sep 2024 07:47:04 +0000 (09:47 +0200)
committerLuca Boccassi <luca.boccassi@gmail.com>
Tue, 17 Sep 2024 13:54:23 +0000 (15:54 +0200)
Fixes #3033

mkosi/__init__.py
mkosi/bootloader.py

index 2a0f417167c699d4bdb859779981bbf4addff187..caa76845fce5acf1756b74ca6c81472ac55bf56f 100644 (file)
@@ -2692,12 +2692,13 @@ def make_image(
         cmdline += ["--key-file", workdir(context.config.passphrase)]
         options += ["--ro-bind", context.config.passphrase, workdir(context.config.passphrase)]
     if context.config.verity_key:
-        key = workdir(context.config.verity_key) if context.config.verity_key.exists() else context.config.verity_key
-        cmdline += ["--private-key", str(key)]
         if context.config.verity_key_source.type != KeySourceType.file:
             cmdline += ["--private-key-source", str(context.config.verity_key_source)]
         if context.config.verity_key.exists():
+            cmdline += ["--private-key", workdir(context.config.verity_key)]
             options += ["--ro-bind", context.config.verity_key, workdir(context.config.verity_key)]
+        else:
+            cmdline += ["--private-key", context.config.verity_key]
     if context.config.verity_certificate:
         cmdline += ["--certificate", workdir(context.config.verity_certificate)]
         options += ["--ro-bind", context.config.verity_certificate, workdir(context.config.verity_certificate)]
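Review bot: The reason for splitting on `exists()` is not stated near the new branches, and since both of them now emit `--private-key`, a later reader may well fold them back into the single conditional the removed lines had. A comment above `if context.config.verity_key.exists():` would keep the intent visible, e.g. `# verity_key may reference a key held by a non-file key source (see KeySourceType) rather than a file on disk; only real files are bind-mounted into the sandbox and remapped with workdir().` Note also that the new `--private-key` value is no longer wrapped in `str()` as the removed line was, so the else branch now appends a Path; whether that matters depends on how `cmdline` is declared, which this hunk does not show. make_image's body starts and continues outside the hunk.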
index 6454a8766ad45553fcc19636cef6321d303cc4e6..4e40a4950ae53a6a3068f9f2ef4e48d476449c66 100644 (file)
@@ -506,7 +506,6 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
     ):
         cmd: list[PathString] = [
             "sbsign",
-            "--key", workdir(context.config.secure_boot_key),
             "--cert", workdir(context.config.secure_boot_certificate),
             "--output", workdir(output),
         ]
@@ -518,7 +517,10 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
         if context.config.secure_boot_key_source.type == KeySourceType.engine:
             cmd += ["--engine", context.config.secure_boot_key_source.source]
         if context.config.secure_boot_key.exists():
+            cmd += ["--key", workdir(context.config.secure_boot_key)]
             options += ["--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key)]
+        else:
+            cmd += ["--key", workdir(context.config.secure_boot_key)]
         cmd += [workdir(input)]
         run(
             cmd,
@@ -732,7 +734,6 @@ def install_systemd_boot(context: Context) -> None:
                         "sbvarsign",
                         "--attr",
                             "NON_VOLATILE,BOOTSERVICE_ACCESS,RUNTIME_ACCESS,TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
-                        "--key", workdir(context.config.secure_boot_key),
                         "--cert", workdir(context.config.secure_boot_certificate),
                         "--output", workdir(keys / f"{db}.auth"),
                     ]
@@ -746,9 +747,12 @@ def install_systemd_boot(context: Context) -> None:
                     if context.config.secure_boot_key_source.type == KeySourceType.engine:
                         cmd += ["--engine", context.config.secure_boot_key_source.source]
                     if context.config.secure_boot_key.exists():
+                        cmd += ["--key", workdir(context.config.secure_boot_key),]
                         options += [
                             "--ro-bind", context.config.secure_boot_key, workdir(context.config.secure_boot_key),
                         ]
+                    else:
+                        cmd += ["--key", context.config.secure_boot_key]
                     cmd += [db, workdir(context.workspace / "mkosi.esl")]
                     run(
                         cmd,
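Review bot: In the sign_efi_binary hunk (`@@ -518,7 +517,10 @@`) the new else branch still wraps the key with `workdir()`, which is precisely the case the commit is meant to stop: when `secure_boot_key` is not a file on disk it should reach sbsign unchanged, as the verity branch in mkosi/__init__.py and the install_systemd_boot hunk already do. The line should read `cmd += ["--key", context.config.secure_boot_key]`. As written, a non-file key reference is rewritten to a workdir path that presumably does not exist inside the sandbox, so that code path would still not work. A smaller nit in the install_systemd_boot hunk: the added `--key` line carries a stray trailing comma before the closing bracket; `cmd += ["--key", workdir(context.config.secure_boot_key)]` matches the sibling lines. Both enclosing functions start and end outside their hunks.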