From: Jacob Emmert-Aronson
Date: Mon, 15 Aug 2022 06:08:26 +0000 (-0700)
Subject: Don't load passwords unless a build is needed
X-Git-Tag: v14~52
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7cfe85a262ceeacbf77772e00050abd39a4bbad;p=thirdparty%2Fmkosi.git

Don't load passwords unless a build is needed

This change allows setting password files to be readable only by root for added security. Additionally, if encryption is requested and no passphrase file exists, the user will not be prompted to enter a passphrase unless the mkosi invocation results in an image build.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 62757b7d3..8d9229ee3 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -6201,7 +6201,7 @@ def require_private_file(name: str, description: str) -> None:
 def find_passphrase(args: argparse.Namespace) -> None:
- if args.encrypt is None:
+ if not needs_build(args) or args.encrypt is None:
 args.passphrase = None
 return
@@ -6222,7 +6222,7 @@ def find_passphrase(args: argparse.Namespace) -> None:
 def find_password(args: argparse.Namespace) -> None:
- if args.password is not None:
+ if not needs_build(args) or args.password is not None:
 return
 try:
@@ -6338,8 +6338,6 @@ def load_args(args: argparse.Namespace) -> MkosiArgs:
 find_extra(args)
 find_skeleton(args)
- find_password(args)
- find_passphrase(args)
 find_secure_boot(args)
 find_image_version(args)
@@ -6611,6 +6609,10 @@ def load_args(args: argparse.Namespace) -> MkosiArgs:
 "UEFI SecureBoot or signed Verity enabled, but couldn't find certificate. (Consider placing it in mkosi.secure-boot.crt?)"
 ) # NOQA: E501
+ # Resolve passwords late so we can accurately determine whether a build is needed
+ find_password(args)
+ find_passphrase(args)
+
 if args.verb in (Verb.shell, Verb.boot):
 opname = "acquire shell" if args.verb == Verb.shell else "boot"
 if args.output_format in (OutputFormat.tar, OutputFormat.cpio):
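Review bot: The new guard in find_passphrase folds "no build needed" into the "encryption not requested" branch, so `args.passphrase` ends up `None` in both cases and later code cannot tell them apart; find_password in the next hunk has the same shape. If a non-build verb ever needs the secret (for example to open an already-built encrypted image), it would silently get `None`; whether such a path exists is not visible from these hunks. Neither function documents the contract, so I would add above each guard a comment such as `# Secrets are resolved only when an image will be built, so a root-only password/passphrase file is never opened and no prompt is shown for other verbs.` Both function bodies continue outside their hunks.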
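Review bot: Moving the two calls to the end of this stretch of load_args means everything between the old call site (around line 6340) and here now runs with `args.password` unresolved and, unless the argument parser defines it, with no `args.passphrase` attribute at all. Any validation in that range that reads either field would now see the pre-resolution value; that code is outside the hunk and should be checked. The added comment could also state the ordering constraint explicitly, e.g. `# Must stay after every assignment that needs_build() reads; both helpers call it.`, so a later reorder does not bring back early reads of the password files.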