From: Daan De Meyer
Date: Sat, 16 Nov 2024 14:50:06 +0000 (+0100)
Subject: Only allow certificate files when not using systemd-sbsign
X-Git-Tag: v25~167^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44ec4299d1562c8c19b39d8fcb7e56b2caa3b1ee;p=thirdparty%2Fmkosi.git

Only allow certificate files when not using systemd-sbsign
---
diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index 76dc6ecc2..f244c11db 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -595,6 +595,9 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
 or context.config.secure_boot_sign_tool == SecureBootSignTool.auto
 and context.config.find_binary("sbsign") is not None
 ):
+ if context.config.secure_boot_certificate_source.type != CertificateSourceType.file:
+ die("Secure boot certificate source must be 'file' when using sbsign as the signing tool")
+
 cmd = [
 "sbsign",
 "--cert", workdir(context.config.secure_boot_certificate),
@@ -633,6 +636,9 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path:
 or context.config.secure_boot_sign_tool == SecureBootSignTool.auto
 and context.config.find_binary("pesign") is not None
 ):
+ if context.config.secure_boot_certificate_source.type != CertificateSourceType.file:
+ die("Secure boot certificate source must be 'file' when using pesign as the signing tool")
+
 pesign_prepare(context)
 run(
 [
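Review bot: Both added guards tell the user they are "using sbsign/pesign as the signing tool", but each branch is also entered when `secure_boot_sign_tool` is `SecureBootSignTool.auto` and the binary was merely found. A user with a non-file certificate source who never picked that tool gets a message that does not say how to proceed. Failing closed here is the right call, since the source value would otherwise be handed to `--cert` as if it were a path. The text could name the remedy, for example `die("Secure boot certificate source must be 'file' when signing with sbsign (explicitly selected or auto-detected); use systemd-sbsign for other certificate sources")`, assuming systemd-sbsign is the tool that accepts them, as the commit title suggests, and likewise in the pesign hunk. The check is also duplicated verbatim apart from the tool name and only runs at signing time; if the configuration is validated earlier, the explicit-tool case could be rejected there. `sign_efi_binary` starts before and continues past both hunks, so whether the private-key source needs a matching check cannot be seen from here.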