On Mon, Apr 12, 2021 at 06:19:00PM +0200, Marc Kleine-Budde wrote:
> This patch changes cs_get_ca() to only output the CA if it actually
> exists. This makes it possible to use make's $(if ...) conditional.
> 
> Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>
> ---
>  scripts/lib/ptxd_lib_code_signing.sh | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh 
> b/scripts/lib/ptxd_lib_code_signing.sh
> index ba38a8edd12d..ff0eca16859c 100644
> --- a/scripts/lib/ptxd_lib_code_signing.sh
> +++ b/scripts/lib/ptxd_lib_code_signing.sh
> @@ -288,7 +288,11 @@ cs_get_ca() {
>      local role="${1}"
>      cs_init_variables
>  
> -    echo "${keydir}/${role}/ca.pem"
> +    local ca="${keydir}/${role}/ca.pem"
> +
> +    if [ -e "${ca}" ]; then
> +     echo "${ca}"
> +    fi

So, I know we talked about this, and I suggested this solution. But after
thinking about this a bit more, I think it's a bit fragile: It causes
silent problems if this is evaluated too early.

I don't quite remember the use-case, but maybe we can add the following
here:

    if [ ! -d "${keydir}" ]; then
        echo ERROR_CA_NOT_YET_SET
    fi

Similar to what we do for URIs. So if it's evaluated in make with ':=' then
we always get this string. If some tool tries to use this as a filename it
should be clearer what's wrong here.
And with the '$(if ..)' case, you get false positives (and that will
probably fail later because there is no ca) and no false negatives that
may do the wrong thing silently.

Michael

>  }
>  export -f cs_get_ca
>  
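Review bot: the `[ -e "${ca}" ]` test added to cs_get_ca() also succeeds when the path is a directory or any other non-regular file, and when it fails the function prints nothing but still returns 0, so a shell caller cannot distinguish "no CA for this role" from a result that simply came out empty. Consider `[ -f "${ca}" ]` and a short comment above the function stating that empty output means ca.pem does not exist for the given role. The `echo "${ca}"` line inside the `if` is also indented differently from the surrounding lines.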
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to 
> ptxdist-requ...@pengutronix.de
> 
