List:       gentoo-dev
Subject:    [gentoo-dev] [PATCH 1/1] secureboot.eclass: error out early if signing key/cert not readable
From:       Andrew Ammerlaan <andrewammerlaan () gentoo ! org>
Date:       2023-08-21 9:55:00
Message-ID: dbf201ac-7fcc-47d2-b743-70c64c270012 () gentoo ! org

Hi all,

This patch is similar to the one I sent earlier for kernel-build.eclass. 
Instead of checking if the signing key/cert exists we now also check if 
we can actually read it. Also removed an extra "#" that prevents the 
documentation from rendering as intended.

Best regards,
Andrew

diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass
index 477722a83bb3..f95b7295dd06 100644
--- a/eclass/secureboot.eclass
+++ b/eclass/secureboot.eclass
@@ -52,7 +52,7 @@ BDEPEND="secureboot? ( app-crypt/sbsigntools )"
  # @DESCRIPTION:
  # Used with USE=secureboot.  Should be set to the path of the private
  # key in PEM format to use, or a PKCS#11 URI.
-#
+
  # @ECLASS_VARIABLE: SECUREBOOT_SIGN_CERT
  # @USER_VARIABLE
  # @DEFAULT_UNSET
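Review bot: Confirm the replacement `+` line is a truly empty line with no trailing whitespace, since the point of dropping the stray `#` is that the blank line terminates the `SECUREBOOT_SIGN_KEY` doc block (ending at `# key in PEM format to use, or a PKCS#11 URI.`) before `# @ECLASS_VARIABLE: SECUREBOOT_SIGN_CERT` starts; a `#` with nothing after it would otherwise be folded into the previous description by the eclass doc renderer, which is the rendering problem the cover letter describes.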
@@ -75,11 +75,11 @@ _secureboot_die_if_unset() {
  	if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then
  		die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or 
SECUREBOOT_SIGN_CERT not set."
  	fi
-	if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -f 
${SECUREBOOT_SIGN_KEY} ]]; then
-		die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found"
+	if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -r 
${SECUREBOOT_SIGN_KEY} ]]; then
+		die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found or not 
readable"
  	fi
-	if [[ ! -f ${SECUREBOOT_SIGN_CERT} ]];then
-		die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found"
+	if [[ ! -r ${SECUREBOOT_SIGN_CERT} ]];then
+		die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found or not 
readable"
  	fi
  }
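Review bot: `-r` on its own also succeeds for a readable directory, so a `SECUREBOOT_SIGN_KEY` or `SECUREBOOT_SIGN_CERT` that points at a directory now passes `! -r ${SECUREBOOT_SIGN_KEY}` / `! -r ${SECUREBOOT_SIGN_CERT}` and fails later inside app-crypt/sbsigntools with a less helpful error; consider `[[ ! -f ${SECUREBOOT_SIGN_CERT} || ! -r ${SECUREBOOT_SIGN_CERT} ]]` (and the same for the key in the non-`pkcs11:*` branch) to keep the regular-file check while adding readability, which also matches the "not found or not readable" wording of the new die messages. Since both `SECUREBOOT_SIGN_CERT` lines are being touched anyway, the pre-existing `]];then` could become `]]; then` to match the spacing of the key check above it. Also worth a line in the commit message: the `-r` test is evaluated by whichever user runs the ebuild phase, so a key file that is readable only by root will now fail here early rather than at signing time, which is the intended behaviour.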
