From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sat, 16 Nov 2024 14:49:03 +0000 (+0100)
Subject: Don't require sbsigntools for secure boot auto enroll unless required
X-Git-Tag: v25~167^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d9d98f65840a044324877a04304becf3e276a4f;p=thirdparty%2Fmkosi.git

Don't require sbsigntools for secure boot auto enroll unless required

If bootctl 257 or newer is installed, we don't use sbsigntools anymore
so don't require it in that case.
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 928a973db..fec4cf2dc 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2631,7 +2631,15 @@ def check_tools(config: Config, verb: Verb) -> None:
                 reason="sign verity roothash signature with OpenSSL engine",
             )
 
-        if want_efi(config) and config.secure_boot and config.secure_boot_auto_enroll:
+        if (
+            want_efi(config)
+            and config.secure_boot
+            and config.secure_boot_auto_enroll
+            and (
+                not config.find_binary("bootctl")
+                or systemd_tool_version("bootctl", sandbox=config.sandbox) < "257~devel"
+            )
+        ):
             check_tool(config, "sbsiglist", reason="set up systemd-boot secure boot auto-enrollment")
             check_tool(config, "sbvarsign", reason="set up systemd-boot secure boot auto-enrollment")