1
0
mirror of https://github.com/systemd/systemd.git synced 2025-03-06 00:58:29 +03:00

ukify: Fix regression in --no-sign-kernel flag

The man page says that --sign-kernel and --no-sign-kernel "override the
detection of whether to sign the Linux binary", so we should only
autodetect if neither are specified. But as of commit 02eabaffe98c
("ukify: Add a unified interface for signing tools"), we autodetect even
when --no-sign-kernel is passed, which makes the flag useless.

The sign_kernel option is parsed using argparse.BooleanOptionalAction,
which sets it to either True, False, or None. commit 02eabaffe98c
replaced `sign_kernel is None` with `not sign_kernel`. These are not the
same in Python, as the latter accepts False as well as None.

Restore the original check and fix type annotations accordingly.

Fixes: 02eabaffe98c ("ukify: Add a unified interface for signing tools")
This commit is contained in:
Thomas Hebb 2024-12-18 11:08:17 -05:00 committed by Yu Watanabe
parent 0d1ebcf67d
commit 32c3e1379d

@ -264,7 +264,7 @@ class UkifyConfig:
sbat: Optional[list[str]]
sections: list['Section']
sections_by_name: dict[str, 'Section']
sign_kernel: bool
sign_kernel: Optional[bool]
signing_engine: Optional[str]
signing_provider: Optional[str]
certificate_provider: Optional[str]
@ -1108,7 +1108,7 @@ def make_uki(opts: UkifyConfig) -> None:
assert opts.signtool is not None
signtool = SignTool.from_string(opts.signtool)
if not sign_kernel:
if sign_kernel is None:
# figure out if we should sign the kernel
sign_kernel = signtool.verify(opts)