[gentoo-commits] repo/gentoo:master commit in: eclass/

Andrew Ammerlaan Sun, 26 Nov 2023 00:06:51 -0800

commit:     d03c14cd4be8665830082f424e4443906b005c7e
Author:     Violet Purcell <vimproved <AT> inventati <DOT> org>
AuthorDate: Thu Nov 16 17:23:16 2023 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan <AT> gentoo <DOT> org>
CommitDate: Sun Nov 26 08:06:24 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d03c14cd


kernel-build.eclass: copy module signing key to tempdir in pkg_setup

Previously, it was being copied in src_prepare, and thus would fail if
the signing key was not readable by portage:portage. This commit makes
kernel-build.eclass instead copy the signing key in pkg_setup, and then
correct the permissions.

Signed-off-by: Violet Purcell <vimproved <AT> inventati.org>
Closes: https://github.com/gentoo/gentoo/pull/33850
Signed-off-by: Andrew Ammerlaan <andrewammerlaan <AT> gentoo.org>

 eclass/kernel-build.eclass | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d047739..6f18bc1dc969 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,16 @@ kernel-build_pkg_setup() {
        python-any-r1_pkg_setup
        if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
                secureboot_pkg_setup
+               if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* 
]]; then
+                       if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} 
!= ${MODULES_SIGN_KEY} ]]; then
+                               cat "${MODULES_SIGN_CERT}" 
"${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
+                       else
+                               cp "${MODULES_SIGN_KEY}" "${T}/kernel_key.pem" 
|| die
+                       fi
+                       chown portage:portage "${T}/kernel_key.pem" || die
+                       chmod 0400 "${T}/kernel_key.pem" || die
+                       export MODULES_SIGN_KEY="${T}/kernel_key.pem"
+               fi
        fi
 }
 
@@ -427,13 +437,6 @@ kernel-build_merge_configs() {
                                CONFIG_MODULE_SIG_FORCE=y
                                CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
                        EOF
-                       if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} 
&&
-                               ${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
-                               ${MODULES_SIGN_KEY} != pkcs11:* ]]
-                       then
-                               cat "${MODULES_SIGN_CERT}" 
"${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
-                               MODULES_SIGN_KEY="${T}/kernel_key.pem"
-                       fi
                        if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r 
${MODULES_SIGN_KEY} ]]; then
                                echo 
"CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
                                        >> "${WORKDIR}/modules-sign.config"

[gentoo-commits] repo/gentoo:master commit in: eclass/

Reply via email to