ukify: Fix regression in --no-sign-kernel flag

The man page says that --sign-kernel and --no-sign-kernel "override the
detection of whether to sign the Linux binary", so we should only
autodetect if neither are specified. But as of commit 02eabaffe98c
("ukify: Add a unified interface for signing tools"), we autodetect even
when --no-sign-kernel is passed, which makes the flag useless.

The sign_kernel option is parsed using argparse.BooleanOptionalAction,
which sets it to either True, False, or None. commit 02eabaffe98c
replaced `sign_kernel is None` with `not sign_kernel`. These are not the
same in Python, as the latter accepts False as well as None.

Restore the original check and fix type annotations accordingly.

Fixes: 02eabaffe98c ("ukify: Add a unified interface for signing tools")

diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index e661dfe5485d5fc9b961143eee3ba684f8b0cab9..3f36aa7af6b084010d960816c11886e313bcd771 100755 (executable)
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -264,7 +264,7 @@ class UkifyConfig:
     sbat: Optional[list[str]]
     sections: list['Section']
     sections_by_name: dict[str, 'Section']
-    sign_kernel: bool
+    sign_kernel: Optional[bool]
     signing_engine: Optional[str]
     signing_provider: Optional[str]
     certificate_provider: Optional[str]
@@ -1108,7 +1108,7 @@ def make_uki(opts: UkifyConfig) -> None:
         assert opts.signtool is not None
         signtool = SignTool.from_string(opts.signtool)
 
-        if not sign_kernel:
+        if sign_kernel is None:
             # figure out if we should sign the kernel
             sign_kernel = signtool.verify(opts)