From: Luca Boccassi
Date: Sat, 29 Nov 2025 01:10:01 +0000 (+0000)
Subject: verity: copy signing certificate to /usr/lib/verity.d/
X-Git-Tag: v26~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4bdb47b6dafec4f258a2dca446d67ee662dbedd4;p=thirdparty%2Fmkosi.git
verity: copy signing certificate to /usr/lib/verity.d/
If a signing certificate for verity is specified copy it in the image to /usr/lib/verity.d/ so that it can be used for userspace verification when not using secure boot
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index d2dc1c0fe..b694e971b 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -511,6 +511,25 @@ def configure_autologin(context: Context) -> None:
         )
 
 
+def configure_verity_certificate(context: Context) -> None:
+    if not context.config.verity_certificate:
+        return
+
+    # TODO: support providers after https://github.com/systemd/systemd/pull/39962 is merged
+    if context.config.verity_certificate_source.type != CertificateSourceType.file:
+        return
+
+    veritydir = context.root / "usr/lib/verity.d"
+    with umask(~0o755):
+        veritydir.mkdir(parents=True, exist_ok=True)
+
+    # dissect wants .crt and will ignore anything else
+    dest = veritydir / context.config.verity_certificate.with_suffix(".crt").name
+
+    with umask(~0o644):
+        shutil.copy(context.config.verity_certificate, dest)
+
+
 @contextlib.contextmanager
 def setup_build_overlay(context: Context, volatile: bool = False) -> Iterator[None]:
     d = context.workspace / "build-overlay"
@@ -3931,6 +3950,7 @@ def build_image(context: Context) -> None:
     configure_initrd(context)
     configure_ssh(context)
     configure_clock(context)
+    configure_verity_certificate(context)
 
     if manifest:
         manifest.record_extension_release()
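Review bot: The `umask(~0o644)` around the final `shutil.copy(...)` in `configure_verity_certificate` does not control the mode the certificate ends up with in the image, because `shutil.copy` is `copyfile` followed by `copymode`, and the chmod in `copymode` re-applies the host file's permission bits regardless of umask. A host certificate kept at 0600 would be unreadable to unprivileged verifiers inside the image, and a lax host mode would be carried into it verbatim; the adjacent `mkdir` under `umask(~0o755)` behaves as intended, so the two `with umask` blocks look alike but only one does what it says. Use `shutil.copyfile(context.config.verity_certificate, dest)` so only the content is copied and the umask sets the mode, or `dest.chmod(0o644)` explicitly after the copy. The `.crt` rename on the `dest` line presumably assumes the source is already in the encoding dissect loads; a comment such as `# copied verbatim; the rename does not convert the file format` would make that assumption explicit for the next reader.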