verity: do not copy signing cert in addons/portables/extensions

author Luca Boccassi <luca.boccassi@gmail.com>

Wed, 17 Dec 2025 16:03:39 +0000 (16:03 +0000)

committer Daan De Meyer <daan.j.demeyer@gmail.com>

Wed, 17 Dec 2025 16:18:27 +0000 (17:18 +0100)
author Luca Boccassi <luca.boccassi@gmail.com>
Wed, 17 Dec 2025 16:03:39 +0000 (16:03 +0000)
committer Daan De Meyer <daan.j.demeyer@gmail.com>
Wed, 17 Dec 2025 16:18:27 +0000 (17:18 +0100)
diff --git a/mkosi/__init__.py b/mkosi/__init__.py

index f4766ae71244a21caa5bcbf5b5376f617c706b33..b95b3dc8ca665ef0ae360e91c733639829961983 100644 (file)
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -512,6 +512,10 @@ def configure_verity_certificate(context: Context) -> None:
      if context.config.verity_certificate_source.type != CertificateSourceType.file:
          return
  
+    # Makes no sense to ship this in extensions/addons/etc, it's for the rootfs
+    if context.config.output_format.is_extension_or_portable_image():
+        return
+
      veritydir = context.root / "usr/lib/verity.d"
      with umask(~0o755):
          veritydir.mkdir(parents=True, exist_ok=True)
author	Luca Boccassi <luca.boccassi@gmail.com>
	Wed, 17 Dec 2025 16:03:39 +0000 (16:03 +0000)
committer	Daan De Meyer <daan.j.demeyer@gmail.com>
	Wed, 17 Dec 2025 16:18:27 +0000 (17:18 +0100)