From: Daan De Meyer Date: Sun, 10 Mar 2024 21:38:16 +0000 (+0100) Subject: Make sign_efi_binary work on same input/output X-Git-Tag: v22~20^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d65c574b7a263de44f4a8a41fde5abbd2dd1c629;p=thirdparty%2Fmkosi.git Make sign_efi_binary work on same input/output --- diff --git a/mkosi/__init__.py b/mkosi/__init__.py index 3a481cafc..64d675da5 100644 --- a/mkosi/__init__.py +++ b/mkosi/__init__.py @@ -12,6 +12,7 @@ import os import resource import shlex import shutil +import stat import subprocess import sys import tempfile @@ -863,7 +864,8 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path: context.config.secure_boot_sign_tool == SecureBootSignTool.auto and find_binary("sbsign", root=context.config.tools()) is not None ): - with open(output, "wb") as f: + with tempfile.NamedTemporaryFile(dir=output.parent, prefix=output.name) as f: + os.chmod(f.name, stat.S_IMODE(input.stat().st_mode)) cmd: list[PathString] = [ "sbsign", "--key", context.config.secure_boot_key, @@ -887,13 +889,16 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path: devices=context.config.secure_boot_key_source.type != KeySource.Type.file, ) ) + output.unlink(missing_ok=True) + os.link(f.name, output) elif ( context.config.secure_boot_sign_tool == SecureBootSignTool.pesign or context.config.secure_boot_sign_tool == SecureBootSignTool.auto and find_binary("pesign", root=context.config.tools()) is not None ): pesign_prepare(context) - with open(output, "wb") as f: + with tempfile.NamedTemporaryFile(dir=output.parent, prefix=output.name) as f: + os.chmod(f.name, stat.S_IMODE(input.stat().st_mode)) run( [ "pesign", @@ -912,6 +917,8 @@ def sign_efi_binary(context: Context, input: Path, output: Path) -> Path: ] ), ) + output.unlink(missing_ok=True) + os.link(f.name, output) else: die("One of sbsign or pesign is required to use SecureBoot=")