From: Daan De Meyer
Date: Fri, 6 Dec 2024 15:10:34 +0000 (+0100)
Subject: Only validate keys and certificates that are configured
X-Git-Tag: v25~125
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14fd85a65a70a94f24553e4eed4bf1ffe4de9204;p=thirdparty%2Fmkosi.git
Only validate keys and certificates that are configured
Otherwise we'll fail later on if they are not configured and are required so let's only validate them if they actually are configured.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 83d1355de..4e4f3aff0 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -4253,7 +4253,7 @@ def validate_certificates_and_keys(config: Config) -> None:
 if not keyutil:
 return
- if want_verity(config):
+ if config.verity != ConfigFeature.disabled and config.verity_certificate and config.verity_key:
 run_systemd_sign_tool(
 config,
 cmdline=[keyutil, "validate"],
@@ -4282,7 +4282,12 @@ def validate_certificates_and_keys(config: Config) -> None:
 stdout=subprocess.DEVNULL,
 )
- if want_signed_pcrs(config):
+ if (
+ config.bootable != ConfigFeature.disabled
+ and config.sign_expected_pcr != ConfigFeature.disabled
+ and config.sign_expected_pcr_certificate
+ and config.sign_expected_pcr_key
+ ):
 run_systemd_sign_tool(
 config,
 cmdline=[keyutil, "validate"],
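Review bot: A half-configured signing pair is now skipped without any message. In the first hunk the guard `config.verity != ConfigFeature.disabled and config.verity_certificate and config.verity_key` is false when only one of the certificate and key is set, so `keyutil validate` never runs and nothing at this point reports the missing half; the second hunk has the same shape for `sign_expected_pcr_certificate` / `sign_expected_pcr_key`. The commit message relies on a later failure when the material is required, but whether that also holds when the feature is left on auto is not visible here, so it is worth confirming that such a build cannot quietly end up unsigned. I would put an explicit check ahead of each guard, `if bool(config.verity_certificate) != bool(config.verity_key):` followed by an error that names the unset option, and add a one-line comment saying why `want_verity()` and `want_signed_pcrs()` are no longer used, so the inlined conditions do not drift from those helpers. The body of validate_certificates_and_keys starts and ends outside both hunks.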