From: Emanuele Giuseppe Esposito
Date: Thu, 11 May 2023 07:10:46 +0000 (-0400)
Subject: ukify: refactor signing code
X-Git-Tag: v255-rc1~914^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b708789dc4ec43e6ef61c387d0a4625a36df0593;p=thirdparty%2Fsystemd.git
ukify: refactor signing code
When ukify is not signing, it should not check if sbsign/pesign are installed, nor print if they are missing or not.
---
diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index 9ee591d5931..3c0cc04d5f8 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -696,31 +696,32 @@ def make_uki(opts): # kernel payload signing sign_tool = None - if opts.signtool == 'sbsign': - sign_tool = find_sbsign(opts=opts) - sign = sbsign_sign - verify_tool = SBVERIFY - else: - sign_tool = find_pesign(opts=opts) - sign = pesign_sign - verify_tool = PESIGCHECK - sign_args_present = opts.sb_key or opts.sb_cert_name + sign_kernel = opts.sign_kernel + sign = None + linux = opts.linux + + if sign_args_present: + if opts.signtool == 'sbsign': + sign_tool = find_sbsign(opts=opts) + sign = sbsign_sign + verify_tool = SBVERIFY + else: + sign_tool = find_pesign(opts=opts) + sign = pesign_sign + verify_tool = PESIGCHECK - if sign_tool is None and sign_args_present: - raise ValueError(f'{opts.signtool}, required for signing, is not installed') + if sign_tool is None: + raise ValueError(f'{opts.signtool}, required for signing, is not installed') - sign_kernel = opts.sign_kernel - if sign_kernel is None and opts.linux is not None and sign_args_present: - # figure out if we should sign the kernel - sign_kernel = verify(verify_tool, opts) - - if sign_kernel: - linux_signed = tempfile.NamedTemporaryFile(prefix='linux-signed') - linux = pathlib.Path(linux_signed.name) - sign(sign_tool, opts.linux, linux, opts=opts) - else: - linux = opts.linux + if sign_kernel is None and opts.linux is not None: + # figure out if we should sign the kernel + sign_kernel = verify(verify_tool, opts) + + if sign_kernel: + linux_signed = tempfile.NamedTemporaryFile(prefix='linux-signed') + linux = pathlib.Path(linux_signed.name) + sign(sign_tool, opts.linux, linux, opts=opts) if opts.uname is None and opts.linux is not None: print('Kernel version not specified, starting autodetection 😖.') 
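Review bot: `verify_tool` is the one name bound inside the new `if sign_args_present:` block that gets no default next to `sign = None` and `linux = opts.linux`; if anything later in make_uki (the function continues past this hunk) reads it on the unsigned path, that is an UnboundLocalError rather than a clean "not signing" value, so initialize it with the others: `verify_tool = None`. The block also deserves a comment recording why the sbsign/pesign lookup moved under the conditional, since a later refactor could hoist `find_sbsign`/`find_pesign` back out and reintroduce the hard dependency the commit removes; something like `# Look for sbsign/pesign only when signing was requested, so an unsigned build never fails on a missing signing tool.` Note that `sign_kernel = opts.sign_kernel` is read unconditionally but only acted on inside the block; this is sound only because finalize_options rejects --sign-kernel without key/certificate arguments (visible in the third hunk of this diff), which is worth stating in a one-line comment next to that assignment.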
@@ -776,16 +777,17 @@ uki,1,UKI,uki,1,https://www.freedesktop.org/software/systemd/man/systemd-stub.ht if sign_args_present: unsigned = tempfile.NamedTemporaryFile(prefix='uki') - output = unsigned.name + unsigned_output = unsigned.name else: - output = opts.output + unsigned_output = opts.output - pe_add_sections(uki, output) + pe_add_sections(uki, unsigned_output) # UKI signing if sign_args_present: - sign(sign_tool, unsigned.name, opts.output, opts=opts) + assert sign + sign(sign_tool, unsigned_output, opts.output, opts=opts) # We end up with no executable bits, let's reapply them os.umask(umask := os.umask(0)) @@ -1433,7 +1435,7 @@ def finalize_options(opts): raise ValueError('--secureboot-private-key= and --secureboot-certificate= must be specified together when using --signtool=sbsign') else: if not bool(opts.sb_cert_name): - raise ValueError('--certificate-name must be specified when using --signtool=pesign') + raise ValueError('--secureboot-certificate-name must be specified when using --signtool=pesign') if opts.sign_kernel and not opts.sb_key and not opts.sb_cert_name: raise ValueError('--sign-kernel requires either --secureboot-private-key= and --secureboot-certificate= (for sbsign) or --secureboot-certificate-name= (for pesign) to be specified')
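Review bot: The added `assert sign` before the UKI signing call is a bare narrowing assert with no message, and under `python -O` it is stripped entirely, leaving the next line to fail with a less informative TypeError on a None call; give it a message that names the invariant it guards, `assert sign is not None, 'sign_args_present is set but no signing tool was selected'`. The invariant is established earlier in make_uki (the previous hunk binds `sign` only when `sign_args_present` is true), so a short comment pointing there, e.g. `# sign/sign_tool were bound above under the same sign_args_present condition`, would spare the reader the scroll. make_uki continues outside this hunk.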