repart: Delay private key and certificate check until actual use

For many reasons, we might not actually sign a verity signature
partition, even if ope is specified in the partition definition files.
It might already exist, it might be deferred, it might be excluded, ...

Since we cannot check if partition already exists when reading the
configuration, let's delay the check for whether a certificate and
key have been provided until we're actually about to sign a roothash.

diff --git a/src/repart/repart.c b/src/repart/repart.c
index fe98893f39731cbf41d1d7771968ac2b3253147c..f2bc5bc80ec49e13ab6a371f0aac2e9ee5637509 100644 (file)
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@@ -2487,14 +2487,6 @@ static int partition_read_definition(Partition *p, const char *path, const char
                 return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
                                   "Encrypting verity hash/data partitions is not supported.");
 
-        if (p->verity == VERITY_SIG && !arg_private_key && !partition_type_defer(&p->type))
-                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
-                                  "Verity signature partition requested but no private key provided (--private-key=).");
-
-        if (p->verity == VERITY_SIG && !arg_certificate && !partition_type_defer(&p->type))
-                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
-                                  "Verity signature partition requested but no PEM certificate provided (--certificate=).");
-
         if (p->verity == VERITY_SIG && (p->size_min != UINT64_MAX || p->size_max != UINT64_MAX))
                 return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
                                   "SizeMinBytes=/SizeMaxBytes= cannot be used with Verity=%s.",
@@ -5062,6 +5054,14 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
         if (PARTITION_EXISTS(p))
                 return 0;
 
+        if (!context->private_key)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Verity signature partition signing requested but no private key provided (--private-key=).");
+
+        if (!context->certificate)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Verity signature partition signing requested but no PEM certificate provided (--certificate=).");
+
         (void) partition_hint(p, context->node, &hint);
 
         assert_se(hp = p->siblings[VERITY_HASH]);