Bug: https://bugs.gentoo.org/936402
Signed-off-by: Andrew Ammerlaan <andrewammerl...@gentoo.org>
---
eclass/secureboot.eclass | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/eclass/secureboot.eclass b/eclass/secureboot.eclass
index a9ba514cb7a0..4459b0341845 100644
--- a/eclass/secureboot.eclass
+++ b/eclass/secureboot.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: secureboot.eclass
@@ -44,7 +44,12 @@ case ${EAPI} in
esac
IUSE="secureboot"
-BDEPEND="secureboot? ( app-crypt/sbsigntools )"
+BDEPEND="
+ secureboot? (
+ app-crypt/sbsigntools
+ dev-libs/openssl
+ )
+"
# @ECLASS_VARIABLE: SECUREBOOT_SIGN_KEY
# @USER_VARIABLE
@@ -75,12 +80,19 @@ _secureboot_die_if_unset() {
if [[ -z ${SECUREBOOT_SIGN_KEY} || -z ${SECUREBOOT_SIGN_CERT} ]]; then
die "USE=secureboot enabled but SECUREBOOT_SIGN_KEY and/or
SECUREBOOT_SIGN_CERT not set."
fi
- if [[ ! ${SECUREBOOT_SIGN_KEY} == pkcs11:* && ! -r
${SECUREBOOT_SIGN_KEY} ]]; then
- die "SECUREBOOT_SIGN_KEY=${SECUREBOOT_SIGN_KEY} not found or
not readable!"
- fi
- if [[ ! -r ${SECUREBOOT_SIGN_CERT} ]]; then
- die "SECUREBOOT_SIGN_CERT=${SECUREBOOT_SIGN_CERT} not found or
not readable!"
+
+ # Sanity check: fail early if key/cert in DER format or does not exist
+ local openssl_args=(
+ -inform PEM -in "${SECUREBOOT_SIGN_CERT}"
+ -noout -nocert
+ )
+ if [[ ${SECUREBOOT_SIGN_KEY} == pkcs11:* ]]; then
+ openssl_args+=( -engine pkcs11 -keyform ENGINE -key
"${SECUREBOOT_SIGN_KEY}" )
+ else
+ openssl_args+=( -keyform PEM -key "${SECUREBOOT_SIGN_KEY}" )
fi
+ openssl x509 "${openssl_args[@]}" ||
+ die "Secure Boot signing certificate or key not found or not
PEM format."
}
# @FUNCTION: secureboot_pkg_setup
--
2.45.2
