From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 8 Dec 2021 11:23:12 +0000 (+0100)
Subject: typing: Fix typing error when calling add_signer()
X-Git-Tag: v13~102^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F869%2Fhead;p=thirdparty%2Fmkosi.git

typing: Fix typing error when calling add_signer()

The add_signer() method of PKCS7SignatureBuilder only supports a
subset of the key types returned by load_pem_private_key() so let's
make sure the loaded key is of one of the supported types to fix
the error.
---

diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 51226df92..f95696bb8 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -3950,6 +3950,7 @@ def make_verity_sig(
 
     from cryptography import x509
     from cryptography.hazmat.primitives import hashes, serialization
+    from cryptography.hazmat.primitives.asymmetric import ec, rsa
     from cryptography.hazmat.primitives.serialization import pkcs7
 
     with complete_step("Signing verity root hash…"):
@@ -3957,6 +3958,9 @@ def make_verity_sig(
         key = serialization.load_pem_private_key(args.secure_boot_key.read_bytes(), password=None)
         certificate = x509.load_pem_x509_certificate(args.secure_boot_certificate.read_bytes())
 
+        if not isinstance(key, (ec.EllipticCurvePrivateKey, rsa.RSAPrivateKey)):
+            die(f"Secure boot key has unsupported type {type(key)}")
+
         fingerprint = certificate.fingerprint(hashes.SHA256()).hex()
 
         sigbytes = pkcs7.PKCS7SignatureBuilder().add_signer(