ukify: when decompressing kernel before signing, call verify on decompressed file

Otherwise it will fail as it's an archive, not a PE file:

Invalid DOS header magic
Can't open image /boot/vmlinuz.old
/boot/vmlinuz.old is compressed and cannot be loaded by UEFI, decompressing
+ sbverify --list /boot/vmlinuz.old
=========================== short test summary info ============================
FAILED ../src/ukify/test/test_ukify.py::test_efi_signing_sbsign[3650] - subprocess.CalledProcessError: Command '['sbverify', '--list', PosixPath('/boot/vmlinuz.old')]' returned non-zero exit status 1.
FAILED ../src/ukify/test/test_ukify.py::test_efi_signing_sbsign[None] - subprocess.CalledProcessError: Command '['sbverify', '--list', PosixPath('/boot/vmlinuz.old')]' returned non-zero exit status 1.
FAILED ../src/ukify/test/test_ukify.py::test_inspect - subprocess.CalledProcessError: Command '['sbverify', '--list', PosixPath('/boot/vmlinuz.old')]' returned non-zero exit status 1.

Follow-up for 0dd03215f1e402092f6c6da213708045e445a9ed

diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index aad467adf9386e65e492c0bbc83c42f5ea69f893..ce4505c896062827b714d057936506bca2639bba 100755 (executable)
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -492,7 +492,7 @@ class SignTool:
         raise NotImplementedError
 
     @staticmethod
-    def verify(opts: UkifyConfig) -> bool:
+    def verify(input_f: Path, opts: UkifyConfig) -> bool:
         raise NotImplementedError
 
     @staticmethod
@@ -528,11 +528,11 @@ class PeSign(SignTool):
         subprocess.check_call(cmd)
 
     @staticmethod
-    def verify(opts: UkifyConfig) -> bool:
-        assert opts.linux is not None
+    def verify(input_f: Path, opts: UkifyConfig) -> bool:
+        assert input_f is not None
 
         tool = find_tool('pesign', opts=opts)
-        cmd = [tool, '-i', opts.linux, '-S']
+        cmd = [tool, '-i', input_f, '-S']
 
         print('+', shell_join(cmd), file=sys.stderr)
         info = subprocess.check_output(cmd, text=True)
@@ -560,11 +560,11 @@ class SbSign(SignTool):
         subprocess.check_call(cmd)
 
     @staticmethod
-    def verify(opts: UkifyConfig) -> bool:
-        assert opts.linux is not None
+    def verify(input_f: Path, opts: UkifyConfig) -> bool:
+        assert input_f is not None
 
         tool = find_tool('sbverify', opts=opts)
-        cmd = [tool, '--list', opts.linux]
+        cmd = [tool, '--list', input_f]
 
         print('+', shell_join(cmd), file=sys.stderr)
         info = subprocess.check_output(cmd, text=True)
@@ -612,7 +612,7 @@ class SystemdSbSign(SignTool):
         subprocess.check_call(cmd)
 
     @staticmethod
-    def verify(opts: UkifyConfig) -> bool:
+    def verify(input_f: Path, opts: UkifyConfig) -> bool:
         raise NotImplementedError('systemd-sbsign cannot yet verify if existing PE binaries are signed')
 
 
@@ -1317,7 +1317,7 @@ def make_uki(opts: UkifyConfig) -> None:
 
         if sign_kernel is None:
             # figure out if we should sign the kernel
-            sign_kernel = signtool.verify(opts)
+            sign_kernel = signtool.verify(linux, opts)
 
         if sign_kernel:
             linux_signed = tempfile.NamedTemporaryFile(prefix='linux-signed')