commit:     46f7840350a04cbe47a1e6902baca0d638f85e6d
Author:     Andrew Ammerlaan <andrewammerlaan <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 21 15:12:55 2024 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan <AT> gentoo <DOT> org>
CommitDate: Sun Jul 21 15:14:15 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46f78403

kernel-build.eclass: add missing modules-sign conditional to cert/key check

Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerlaan <AT> gentoo.org>

 eclass/kernel-build.eclass | 46 ++++++++++++++++++++++++----------------------
 1 file changed, 24 insertions(+), 22 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index aca387bb5abd..cbc80bddf6f7 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -134,30 +134,32 @@ kernel-build_pkg_setup() {
        if [[ ${KERNEL_IUSE_MODULES_SIGN} && ${MERGE_TYPE} != binary ]]; then
                secureboot_pkg_setup
 
-               # Sanity check: fail early if key/cert in DER format or does 
not exist
-               local openssl_args=(
-                       -noout -nocert
-               )
-               if [[ -n ${MODULES_SIGN_CERT} ]]; then
-                       openssl_args+=( -inform PEM -in "${MODULES_SIGN_CERT}" )
-               else
-                       # If no cert specified, we assume the pem key also 
contains the cert
-                       openssl_args+=( -inform PEM -in "${MODULES_SIGN_KEY}" )
-               fi
-               if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then
-                       openssl_args+=( -engine pkcs11 -keyform ENGINE -key 
"${MODULES_SIGN_KEY}" )
-               else
-                       openssl_args+=( -keyform PEM -key "${MODULES_SIGN_KEY}" 
)
-               fi
+               if use modules-sign; then
+                       # Sanity check: fail early if key/cert in DER format or 
does not exist
+                       local openssl_args=(
+                               -noout -nocert
+                       )
+                       if [[ -n ${MODULES_SIGN_CERT} ]]; then
+                               openssl_args+=( -inform PEM -in 
"${MODULES_SIGN_CERT}" )
+                       else
+                               # If no cert specified, we assume the pem key 
also contains the cert
+                               openssl_args+=( -inform PEM -in 
"${MODULES_SIGN_KEY}" )
+                       fi
+                       if [[ ${MODULES_SIGN_KEY} == pkcs11:* ]]; then
+                               openssl_args+=( -engine pkcs11 -keyform ENGINE 
-key "${MODULES_SIGN_KEY}" )
+                       else
+                               openssl_args+=( -keyform PEM -key 
"${MODULES_SIGN_KEY}" )
+                       fi
 
-               openssl x509 "${openssl_args[@]}" ||
-                       die "Kernel module signing certificate or key not found 
or not PEM format."
+                       openssl x509 "${openssl_args[@]}" ||
+                               die "Kernel module signing certificate or key 
not found or not PEM format."
 
-               if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
-                       if [[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; 
then
-                               MODULES_SIGN_KEY_CONTENTS="$(cat 
"${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
-                       else
-                               MODULES_SIGN_KEY_CONTENTS="$(< 
"${MODULES_SIGN_KEY}")"
+                       if [[ ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+                               if [[ ${MODULES_SIGN_CERT} != 
${MODULES_SIGN_KEY} ]]; then
+                                       MODULES_SIGN_KEY_CONTENTS="$(cat 
"${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" || die)"
+                               else
+                                       MODULES_SIGN_KEY_CONTENTS="$(< 
"${MODULES_SIGN_KEY}")"
+                               fi
                        fi
                fi
        fi
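Review bot: In the last nested block of the new `if use modules-sign` branch, `[[ ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]` is also true when MODULES_SIGN_CERT is empty, which is the combined key-and-certificate PEM case that the earlier `else` branch explicitly allows. Unless the variable is given a default outside this hunk, `cat "" "${MODULES_SIGN_KEY}"` then fails and the `|| die` aborts a configuration the openssl check has just accepted. Guarding the comparison fixes this, and quoting the right-hand side stops the key path being matched as a glob pattern: `if [[ -n ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != "${MODULES_SIGN_KEY}" ]]; then`. MODULES_SIGN_KEY_CONTENTS holds the private signing key in a shell variable, so a short comment saying where it is consumed and unset would help confirm it does not end up in the saved build environment; kernel-build_pkg_setup starts and continues outside this hunk, so that handling may already exist.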
