From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Fri, 13 Feb 2026 00:21:06 +0000 (+0000)
Subject: repart: set r/o GPT flag on verity sig partition too
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=421821d1e30ab476645f40b5eb3c44f239c0d9b3;p=thirdparty%2Fsystemd.git

repart: set r/o GPT flag on verity sig partition too

The default image policy for the verity sig partition expects
the r/o flag to be set, but repart so far did not add it by
default if unset, like it does for the verity partition
---

diff --git a/src/repart/repart.c b/src/repart/repart.c
index c91f21ae75d..ac6cccbcba2 100644
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@@ -3007,7 +3007,9 @@ static int partition_read_definition(
         }
 
         /* Verity partitions are read only, let's imply the RO flag hence, unless explicitly configured otherwise. */
-        if ((partition_designator_is_verity_hash(p->type.designator) || p->verity == VERITY_DATA) && p->read_only < 0)
+        if ((partition_designator_is_verity_hash(p->type.designator) ||
+             partition_designator_is_verity_sig(p->type.designator) ||
+             IN_SET(p->verity, VERITY_DATA, VERITY_SIG)) && p->read_only < 0)
                 p->read_only = true;
 
         /* Default to "growfs" on, unless read-only */
diff --git a/src/shared/gpt.c b/src/shared/gpt.c
index b9b967e806f..9308159ebe9 100644
--- a/src/shared/gpt.c
+++ b/src/shared/gpt.c
@@ -325,6 +325,8 @@ bool gpt_partition_type_knows_read_only(GptPartitionType type) {
                       /* pretty much implied, but let's set the bit to make things really clear */
                       PARTITION_ROOT_VERITY,
                       PARTITION_USR_VERITY,
+                      PARTITION_ROOT_VERITY_SIG,
+                      PARTITION_USR_VERITY_SIG,
                       PARTITION_HOME,
                       PARTITION_SRV,
                       PARTITION_VAR,