From eba51a9dbdf00b8c9d7828b0de46cff21593d8a0 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sun, 16 Feb 2025 00:24:52 +0100
Subject: [PATCH] repart: Delay private key and certificate check until actual
 use

For many reasons, we might not actually sign a verity signature
partition, even if ope is specified in the partition definition files.
It might already exist, it might be deferred, it might be excluded, ...

Since we cannot check if partition already exists when reading the
configuration, let's delay the check for whether a certificate and
key have been provided until we're actually about to sign a roothash.
---
 src/repart/repart.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/repart/repart.c b/src/repart/repart.c
index fe98893f397..f2bc5bc80ec 100644
--- a/src/repart/repart.c
+++ b/src/repart/repart.c
@@ -2487,14 +2487,6 @@ static int partition_read_definition(Partition *p, const char *path, const char
                 return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
                                   "Encrypting verity hash/data partitions is not supported.");
 
-        if (p->verity == VERITY_SIG && !arg_private_key && !partition_type_defer(&p->type))
-                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
-                                  "Verity signature partition requested but no private key provided (--private-key=).");
-
-        if (p->verity == VERITY_SIG && !arg_certificate && !partition_type_defer(&p->type))
-                return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
-                                  "Verity signature partition requested but no PEM certificate provided (--certificate=).");
-
         if (p->verity == VERITY_SIG && (p->size_min != UINT64_MAX || p->size_max != UINT64_MAX))
                 return log_syntax(NULL, LOG_ERR, path, 1, SYNTHETIC_ERRNO(EINVAL),
                                   "SizeMinBytes=/SizeMaxBytes= cannot be used with Verity=%s.",
@@ -5062,6 +5054,14 @@ static int partition_format_verity_sig(Context *context, Partition *p) {
         if (PARTITION_EXISTS(p))
                 return 0;
 
+        if (!context->private_key)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Verity signature partition signing requested but no private key provided (--private-key=).");
+
+        if (!context->certificate)
+                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+                                       "Verity signature partition signing requested but no PEM certificate provided (--certificate=).");
+
         (void) partition_hint(p, context->node, &hint);
 
         assert_se(hp = p->siblings[VERITY_HASH]);
-- 
2.47.3