From: Daan De Meyer
Date: Fri, 15 Dec 2023 09:54:42 +0000 (+0100)
Subject: Mark private keys as secrets
X-Git-Tag: v20~57^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc13bd934178a671ce0e19ed48c28212d10577b4;p=thirdparty%2Fmkosi.git

Mark private keys as secrets

Let's ensure that these have a strict access mode.
---

diff --git a/mkosi/config.py b/mkosi/config.py
index 320f770b5..073aa74a1 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -1923,7 +1923,7 @@ SETTINGS = (
 dest="secure_boot_key",
 metavar="PATH",
 section="Validation",
- parse=config_make_path_parser(),
+ parse=config_make_path_parser(secret=True),
 paths=("mkosi.key",),
 help="UEFI SecureBoot private key in PEM format",
 ),
@@ -1948,7 +1948,7 @@ SETTINGS = (
 dest="verity_key",
 metavar="PATH",
 section="Validation",
- parse=config_make_path_parser(),
+ parse=config_make_path_parser(secret=True),
 paths=("mkosi.key",),
 help="Private key for signing verity signature in PEM format",
 ),
@@ -1971,7 +1971,7 @@ SETTINGS = (
 dest="passphrase",
 metavar="PATH",
 section="Validation",
- parse=config_make_path_parser(required=False),
+ parse=config_make_path_parser(required=False, secret=True),
 paths=("mkosi.passphrase",),
 help="Path to a file containing the passphrase to use when LUKS encryption is selected",
 ),
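Review bot: The `help=` strings for `secure_boot_key`, `verity_key` and `passphrase` do not mention the access-mode requirement that `secret=True` now attaches to them, so a user whose existing `mkosi.key` or `mkosi.passphrase` is readable by other accounts will presumably see a previously working build rejected with no hint in the option help. The body of `config_make_path_parser` is outside this diff, so the exact mode it enforces is not visible here; once confirmed, say so in the help text of all three hunks, e.g. `help="UEFI SecureBoot private key in PEM format (must not be accessible to other users)",`. Since `secure_boot_key` and `verity_key` both default to `paths=("mkosi.key",)`, one lax file trips both settings, which is worth stating in the documentation alongside the recommended `chmod`. A mode check on the file alone also says nothing about a permissive parent directory or a key committed to version control, so the docs should not present it as the only safeguard for these keys.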