author | Andrew Ammerlaan <andrewammerlaan@gentoo.org> | 2024-07-21 17:12:55 +0200 |
---|---|---|
committer | Andrew Ammerlaan <andrewammerlaan@gentoo.org> | 2024-07-21 17:14:15 +0200 |
commit | 46f7840350a04cbe47a1e6902baca0d638f85e6d (patch) | |
tree | 21957323373c2e4acc4e0a967bb273df082012ca /eclass | |
parent | media-plugins/vdr-mlist: update EAPI 7 -> 8 (diff) | |
kernel-build.eclass: add missing modules-sign conditional to cert/key check
Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
Diffstat (limited to 'eclass')
-rw-r--r-- | eclass/kernel-build.eclass | 46 |
1 files changed, 24 insertions, 22 deletions
diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index aca387bb5abd..cbc80bddf6f7 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -134,30 +134,32 @@ kernel-build_pkg_setup() {
 if [[ ${KERNEL_IUSE_MODULES_SIGN} && ${MERGE_TYPE} != binary ]]; then
 secureboot_pkg_setup
- # Sanity check: fail early if key/cert in DER format or does not exist
- local openssl_args=(
- -noout -nocert
- )
- if [[ -n ${MODULES_SIGN_CERT} ]]; then
- openssl_args+=( -inform PEM -in "${MODULES_SIGN_CERT}" )
- else
- # If no cert specified, we assume the pem key also contains the cert
- openssl_args+=( -inform PEM -in "${MODULES_SIGN_KEY}" )
- fi
- if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then
- openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${MODULES_SIGN_KEY}" )
- else
- openssl_args+=( -keyform PEM -key "${MODULES_SIGN_KEY}" )
- fi
+ if use modules-sign; then
+ # Sanity check: fail early if key/cert in DER format or does not exist
+ local openssl_args=(
+ -noout -nocert
+ )
+ if [[ -n ${MODULES_SIGN_CERT} ]]; then
+ openssl_args+=( -inform PEM -in "${MODULES_SIGN_CERT}" )
+ else
+ # If no cert specified, we assume the pem key also contains the cert
+ openssl_args+=( -inform PEM -in "${MODULES_SIGN_KEY}" )
+ fi
+ if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then
+ openssl_args+=( -engine pkcs11 -keyform ENGINE -key "${MODULES_SIGN_KEY}" )
+ else
+ openssl_args+=( -keyform PEM -key "${MODULES_SIGN_KEY}" )
+ fi
- openssl x509 "${openssl_args[@]}" ||
- die "Kernel module signing certificate or key not found or not PEM format."
+ openssl x509 "${openssl_args[@]}" ||
+ die "Kernel module signing certificate or key not found or not PEM format."
- if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
- if [[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
- MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
- else
- MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+ if [[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+ MODULES_SIGN_KEY_CONTENTS="$(cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
+ else
+ MODULES_SIGN_KEY_CONTENTS="$(< "${MODULES_SIGN_KEY}")"
+ fi
 fi
 fi
 fi |
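Review bot: With `MODULES_SIGN_CERT` empty and a file-based key, the inner test `[[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]` is true, so `cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}"` runs with an empty first argument and hits `|| die`, even though the openssl check just above explicitly accepts a PEM key file that also carries the certificate. Unless the variable is given a default outside this hunk, the test should also require a non-empty cert, e.g. `if [[ -n ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != "${MODULES_SIGN_KEY}" ]]; then`; quoting the right-hand side also keeps the key path from being interpreted as a glob pattern. The else branch's `$(< "${MODULES_SIGN_KEY}")` has no `|| die`, unlike the cat branch, so a failed read there would leave `MODULES_SIGN_KEY_CONTENTS` silently empty. Since that variable holds private key material set in pkg_setup, a short comment stating where it is cleared would help; kernel-build_pkg_setup starts and ends outside the hunk, so that cannot be confirmed from here.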