Compare commits

...

20 Commits

Author SHA1 Message Date
Daan De Meyer 0d1487596f
Merge 5f05ba1d24 into 73f4882ef3 2024-11-07 15:01:39 +00:00
Anselm Schueler 73f4882ef3 po: Translated using Weblate (German)
Currently translated at 89.8% (231 of 257 strings)

Co-authored-by: Anselm Schueler <mail@anselmschueler.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/
Translation: systemd/main
2024-11-07 15:48:31 +01:00
Zbigniew Jędrzejewski-Szmek 9a10d7eae5 github: adjust version number in templates
Most people are probably on stable releases, but we don't want to update the
minor version all the time, so just specify 256.x as a hint to fill in the
full version.
2024-11-07 15:39:30 +01:00
Daan De Meyer 5f05ba1d24 ukify: Introduce --certificate-provider= option
This translates to --certificate-source=provider:<provider> for
signing tools invoked by ukify.
2024-11-07 15:17:09 +01:00
Daan De Meyer 3fcb78a819 measure: Add pcrpkey verb
This verb writes a public key to stdout extracted from either a public key
path, from a certificate (path or provider) or from a private key (path,
engine, provider). We'll use this in ukify to get rid of the use of the
python cryptography module to convert a private key or certificate to a
public key.
2024-11-07 14:48:57 +01:00
Luca Boccassi bb5936f7f3 man: fix typos flagged by Lintian 2024-11-07 18:51:21 +09:00
Yu Watanabe 869fe6c9e4
Translations update from Fedora Weblate (#35060) 2024-11-07 18:50:23 +09:00
Luca Boccassi 9a032ec55a test: fix assertion on build system
/* test_path_is_network_fs_harder */
src/test/test-mount-util.c:541: Assertion failed: expected "path_is_network_fs_harder("/")" to succeed but got the following error: Invalid argument

https://buildd.debian.org/status/fetch.php?pkg=systemd&arch=all&ver=257%7Erc1-1&stamp=1730945197&raw=0

Follow-up for d49d95df0a
2024-11-07 18:48:44 +09:00
Oğuz Ersen 100ceecc6c po: Translated using Weblate (Turkish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Oğuz Ersen <oguz@ersen.moe>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/tr/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Luna Jernberg af76e987e8 po: Translated using Weblate (Swedish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Luna Jernberg <bittin@reimu.nl>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/sv/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Sergey A d73735fbe1 po: Translated using Weblate (Russian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Sergey A <Ser82-png@yandex.ru>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ru/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Piotr Drąg 01aafdf637 po: Translated using Weblate (Polish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Piotr Drąg <piotrdrag@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pl/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Andika Triwidada 67c1f6bf04 po: Translated using Weblate (Indonesian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Andika Triwidada <andika@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/id/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Léane GRASSER b0cb4c70a9 po: Translated using Weblate (French)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Léane GRASSER <leane.grasser@proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Temuri Doghonadze e75d25ac1e po: Translated using Weblate (Georgian)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Temuri Doghonadze <temuri.doghonadze@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ka/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
김인수 d9b96bf093 po: Translated using Weblate (Korean)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: 김인수 <simmon@nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ko/
Translation: systemd/main
2024-11-07 10:48:25 +01:00
Antonio Alvarez Feijoo 215292d09e sbsign: remove unimplemented options 2024-11-07 09:47:50 +00:00
Daan De Meyer c59ed3b80d tree-wide: Introduce --certificate-source= option
This allows loading the X.509 certificate from an OpenSSL provider
instead of a file system path. This allows loading certificates directly
from hardware tokens instead of having to export them to a file on
disk first.
2024-11-06 18:08:26 +01:00
Daan De Meyer 44f354aa9b openssl-util: Set expected object type to private keys
Configures the store to only try to fetch private keys and nothing
else.
2024-11-06 18:07:11 +01:00
Daan De Meyer 583c305d15 bootctl: Validate private key path 2024-11-06 18:05:54 +01:00
29 changed files with 560 additions and 190 deletions

View File

@ -18,7 +18,7 @@ body:
If a distro build is used, please just paste the package version, e.g. `systemd-254.7-1.fc39.x86_64`.
See https://github.com/systemd/systemd-stable/tags for the list of most recent releases.
For older version please use distribution trackers (see https://systemd.io/CONTRIBUTING#filing-issues).
placeholder: '255'
placeholder: '256.x'
validations:
required: true

View File

@ -121,6 +121,6 @@ body:
attributes:
label: The systemd version you checked that didn't have the feature you are asking for
description: If this is not the most recently released upstream version, then please check first if it has that feature already.
placeholder: '255'
placeholder: '256.x'
validations:
required: false

View File

@ -529,8 +529,9 @@
<varlistentry>
<term><option>--secure-boot-auto-enroll=yes|no</option></term>
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>Configure the ESP for secure boot auto-enrollment when invoking the
<command>install</command> command. Takes a boolean argument. Disabled by default. Enabling this
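Review bot: the unchanged term `<term><option>--certificate=<replaceable>PATH</replaceable></option></term>` in this entry still advertises only a PATH, although the same change documents that `--certificate=` now also accepts a URI once `--certificate-source=provider:...` is used; consider changing it to `PATH/URI`, matching the existing `--private-key=<replaceable>PATH/URI</replaceable>` term directly above it and the measure page elsewhere in this change.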
@ -542,9 +543,12 @@
<para>When specifying this option, a certificate and private key have to be provided as well using
the <option>--certificate=</option> and <option>--private-key=</option> options. The
<option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate. The
<option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
engine or provider, as specified by <option>--private-key-source=</option> as a
<option>--certificate=</option> option takes a path to a PEM encoded X.509 certificate or a URI
that's passed to the OpenSSL provider configured with <option>--certificate-source</option> which
takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
The <option>--private-key=</option> option can take a path or a URI that will be passed to the
OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
signing engine or provider will be used to sign the EFI signature lists.</para>
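Review bot: `<option>--certificate-source</option>` in the added sentence is missing the trailing `=`, unlike every other option reference in this paragraph (`--certificate=`, `--private-key=`, `--private-key-source=`); it should read `<option>--certificate-source=</option>`. "a URI that's passed to the OpenSSL provider" would also read better as "a URI that will be passed to the OpenSSL provider", the wording used for `--private-key=` two lines later.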

View File

@ -191,7 +191,7 @@
<literal>+drivers:</literal> followed by its driver subsystem and sysfs name separated with a colon.
Example: <literal>+drivers:pci:iwlwifi</literal> for a driver device record whose driver subsystem is
<literal>pci</literal> and sysfs name is <literal>iwlwifi</literal>,
When an other type of device is specified, this function returns <literal>+</literal> followed by its
When another type of device is specified, this function returns <literal>+</literal> followed by its
subsystem and sysfs name separated with a colon. Example: <literal>+acpi:ACPI0003:00</literal>,
<literal>+input:input16</literal>, or <literal>+pci:0000:00:1f.6</literal>.</para>
</refsect1>

View File

@ -241,7 +241,7 @@
<listitem><para>Controls whether to query the system-wide or the per-user password agents. By default
if invoked privileged the system-wide agents are queried, otherwise the per-user ones. These options
allow to override this automatic behaviour.</para>
allow one to override this automatic behaviour.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>

View File

@ -104,6 +104,16 @@
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
<varlistentry>
<term><command>pcrpkey</command></term>
<listitem><para>This commands writes the public key to stdout extracted from either the public key
given with <option>--public-key=</option>, the certificate given with <option>--certificate=</option>
or the private key given with <option>--private-key=</option>.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
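Review bot: "This commands writes the public key" should be "This command writes the public key". The entry also says the key is extracted from "either" of three sources without stating what happens when more than one of `--public-key=`, `--certificate=` and `--private-key=` is given; documenting the precedence (or that the combination is rejected) makes the verb's stdout predictable for scripts that feed it into other tools.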
@ -188,8 +198,9 @@
<varlistentry>
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE[:NAME]</replaceable></option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH/URI</replaceable></option></term>
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>As an alternative to <option>--public-key=</option> for the
<command>sign</command> command, these switches can be used to sign with an hardware token. The
@ -197,6 +208,11 @@
provider, as specified by <option>--private-key-source=</option> as a type:name tuple, such as
engine:pkcs11. The specified OpenSSL signing engine or provider will be used to sign.</para>
<para>The <option>--certificate=</option> option also takes a path or a URI that will be passed to
the OpenSSL provider, as specified by <option>--certificate-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>provider:pkcs11</literal>. Note that unlike
<option>--private-key-source=</option> this option only supports providers and not engines.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
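Review bot: the `<xi:include href="version-info.xml" xpointer="v256"/>` closing this varlistentry now also covers the newly added `--certificate-source=` term and paragraph, which the repart and ukify pages in this same change mark as v257; readers of the measure page will be told the option exists in v256. Either give `--certificate-source=` its own varlistentry with a v257 marker or mention the version in the new paragraph. Unrelated but in the visible context: "sign with an hardware token" should be "a hardware token".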

View File

@ -348,9 +348,9 @@
<varlistentry>
<term><option>--private-key=</option></term>
<listitem><para>Takes a file system path. Configures the signing key to use when creating verity
signature partitions with the <varname>Verity=signature</varname> setting in partition files.
</para>
<listitem><para>Takes a file system path or an engine or provider specific designation. Configures
the signing key to use when creating verity signature partitions with the
<varname>Verity=signature</varname> setting in partition files.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
@ -361,7 +361,7 @@
<listitem><para>Takes one of <literal>file</literal>, <literal>engine</literal> or
<literal>provider</literal>. In the latter two cases, it is followed by the name of a provider or
engine, separated by colon, that will be passed to OpenSSL's "engine" or "provider" logic.
Configures the signing mechanism to use when creating verity signature partitions with the
Configures how to load the private key to use when creating verity signature partitions with the
<varname>Verity=signature</varname> setting in partition files.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
@ -370,13 +370,24 @@
<varlistentry>
<term><option>--certificate=</option></term>
<listitem><para>Takes a file system path. Configures the PEM encoded X.509 certificate to use when
creating verity signature partitions with the <varname>Verity=signature</varname> setting in
partition files.</para>
<listitem><para>Takes a file system path or a provider specific designation. Configures the PEM
encoded X.509 certificate to use when creating verity signature partitions with the
<varname>Verity=signature</varname> setting in partition files.</para>
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--certificate-source=</option></term>
<listitem><para>Takes one of <literal>file</literal>, or <literal>provider</literal>. In the latter
case, it is followed by the name of a provider, separated by colon, that will be passed to OpenSSL's
"provider" logic. Configures how to load the X.509 certificate to use when creating verity signature
partitions with the <varname>Verity=signature</varname> setting in partition files.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--tpm2-device=</option></term>
<term><option>--tpm2-pcrs=</option></term>
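Review bot: stray comma in "Takes one of <literal>file</literal>, or <literal>provider</literal>" for `--certificate-source=`; the `--private-key-source=` entry above uses the form "one of X, Y or Z". Since that neighbouring entry accepts `engine` and this one does not, a short "engines are not supported for certificates" sentence, as the measure page has, would stop users from trying `engine:pkcs11` here by analogy.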

View File

@ -85,11 +85,16 @@
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
<listitem><para>Set the Secure Boot private key and certificate for use with the
<command>sign</command>. The <option>--certificate=</option> option takes a path to a PEM encoded
X.509 certificate. The <option>--private-key=</option> option can take a path or a URI that will be
passed to the OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
X.509 certificate or a URI that's passed to the OpenSSL provider configured with
<option>--certificate-source</option>. The <option>--certificate-source</option> takes one of
<literal>file</literal> or <literal>provider</literal>, with the latter being followed by a specific
provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>. The
<option>--private-key=</option> option can take a path or a URI that will be passed to the OpenSSL
engine or provider, as specified by <option>--private-key-source=</option> as a
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
signing engine or provider will be used to sign the PE binary.</para>
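Review bot: `<option>--certificate-source</option>` appears twice in the added sbsign text without the trailing `=`, and "The <option>--certificate-source</option> takes one of" is missing the word "option". Suggest "... configured with <option>--certificate-source=</option>. The <option>--certificate-source=</option> option takes one of ...", which also matches the `--private-key-source=` wording at the end of the paragraph.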

View File

@ -527,6 +527,17 @@
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>CertificateProvider=<replaceable>PROVIDER</replaceable></varname></term>
<term><option>--certificate-provider=<replaceable>PROVIDER</replaceable></option></term>
<listitem><para>An OpenSSL provider to be used for loading the certificate used to sign the
resulting binary and PCR measurements. This option can only be used when using
<command>systemd-sbsign</command> as the signing tool.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>SignKernel=<replaceable>BOOL</replaceable></varname></term>
<term><option>--sign-kernel</option></term>
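Review bot: the new `CertificateProvider=` / `--certificate-provider=` entry says it "can only be used when using systemd-sbsign as the signing tool" but not what ukify does when another signing tool is configured: fails early, or silently ignores the setting and falls back to reading the certificate from the file system. The difference matters to anyone relying on the certificate staying on a hardware token, so the behaviour should be stated. Mentioning that the value is passed on as `--certificate-source=provider:PROVIDER`, as the commit message describes, would also let readers relate this setting to the sbsign page.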

View File

@ -10,13 +10,13 @@
# Christian Kirbach <christian.kirbach@gmail.com>, 2023.
# Jarne Förster <fedora@mymailclient.de>, 2024.
# Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org>, 2024.
# Anselm Schueler <mail@anselmschueler.com>, 2024.
msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-11-05 13:46+0000\n"
"Last-Translator: Weblate Translation Memory <noreply-mt-weblate-translation-"
"memory@weblate.org>\n"
"PO-Revision-Date: 2024-11-07 13:26+0000\n"
"Last-Translator: Anselm Schueler <mail@anselmschueler.com>\n"
"Language-Team: German <https://translate.fedoraproject.org/projects/systemd/"
"main/de/>\n"
"Language: de\n"
@ -131,9 +131,8 @@ msgstr ""
"Benutzers notwendig."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "Einen persönlichen Bereich aktualisieren"
msgstr "Deinen persönlichen Bereich aktualisieren"
# https://www.freedesktop.org/software/systemd/man/sd-login.html
#: src/home/org.freedesktop.home1.policy:54

View File

@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-11-06 12:46+0000\n"
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
"Last-Translator: Léane GRASSER <leane.grasser@proton.me>\n"
"Language-Team: French <https://translate.fedoraproject.org/projects/systemd/"
"main/fr/>\n"
@ -128,16 +128,13 @@ msgstr ""
"utilisateur."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "Mettre à jour un espace personnel"
msgstr "Mettre à jour votre espace personnel"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr ""
"Une authentification est requise pour mettre à jour l'espace personnel d'un "
"utilisateur."
"Une authentification est requise pour mettre à jour votre espace personnel."
#: src/home/org.freedesktop.home1.policy:63
msgid "Resize a home area"
@ -1261,14 +1258,12 @@ msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "Gérer les fonctionnalités en option"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr ""
"Une authentification est requise pour gérer les sessions actives, les "
"utilisateurs et les postes (seats)."
"Une authentification est requise pour gérer les fonctionnalités en option."
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -6,7 +6,7 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-10-27 05:38+0000\n"
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
"Last-Translator: Andika Triwidada <andika@gmail.com>\n"
"Language-Team: Indonesian <https://translate.fedoraproject.org/projects/"
"systemd/main/id/>\n"
@ -15,7 +15,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Generator: Weblate 5.7.2\n"
"X-Generator: Weblate 5.8.2\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system"
@ -112,14 +112,12 @@ msgid "Authentication is required to update a user's home area."
msgstr "Otentikasi diperlukan untuk memperbarui suatu area rumah pengguna."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "Memperbarui suatu area rumah"
msgstr "Memperbarui area rumah Anda"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr "Otentikasi diperlukan untuk memperbarui suatu area rumah pengguna."
msgstr "Otentikasi diperlukan untuk memperbarui area rumah Anda."
#: src/home/org.freedesktop.home1.policy:63
msgid "Resize a home area"
@ -1166,12 +1164,11 @@ msgstr "Otentikasi diperlukan untuk membersihkan pembaruan sistem lama."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "Kelola fitur opsional"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr "Otentikasi diperlukan untuk mengelola seat, pengguna, dan sesi aktif."
msgstr "Otentikasi diperlukan untuk mengelola fitur opsional"
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -5,7 +5,7 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-08-24 10:36+0000\n"
"PO-Revision-Date: 2024-11-07 02:35+0000\n"
"Last-Translator: Temuri Doghonadze <temuri.doghonadze@gmail.com>\n"
"Language-Team: Georgian <https://translate.fedoraproject.org/projects/"
"systemd/main/ka/>\n"
@ -14,7 +14,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 5.7\n"
"X-Generator: Weblate 5.8.2\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system"
@ -108,14 +108,12 @@ msgid "Authentication is required to update a user's home area."
msgstr "სახლის ტერიტორიის განახლებისთვის საჭიროა ავთენტიკაცია."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "სახლის ტერიტორიის განახლება"
msgstr "თქვენი სახლის ტერიტორიის განახლება"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr "სახლის ტერიტორიის განახლებისთვის საჭიროა ავთენტიკაცია."
msgstr "თქვენი სახლის ტერიტორიის განახლებისთვის საჭიროა ავთენტიკაცია."
#: src/home/org.freedesktop.home1.policy:63
msgid "Resize a home area"
@ -1164,14 +1162,11 @@ msgstr "ძველი სისტემური განახლებე
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "არასავალდებულო ფუნქციების მართვა"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr ""
"აქტიური სესიების, მომხმარებლებისა და სამუშაო მაგიდების მართვას ავთენტიკაცია "
"სჭირდება."
msgstr "არასავალდებულო ფუნქციების მართვას ავთენტიკაცია სჭირდება"
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -9,7 +9,7 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-08-24 10:36+0000\n"
"PO-Revision-Date: 2024-11-07 02:35+0000\n"
"Last-Translator: 김인수 <simmon@nplob.com>\n"
"Language-Team: Korean <https://translate.fedoraproject.org/projects/systemd/"
"main/ko/>\n"
@ -18,7 +18,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Generator: Weblate 5.7\n"
"X-Generator: Weblate 5.8.2\n"
"X-Poedit-SourceCharset: UTF-8\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
@ -109,12 +109,10 @@ msgid "Authentication is required to update a user's home area."
msgstr "사용자 홈 영역을 최신화 하려면 인증이 필요합니다."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "홈 영역 최신화"
msgstr "자신의 홈 영역 최신화"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr "사용자 홈 영역을 최신화 하려면 인증이 필요합니다."
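Review bot: in this hunk the `#, fuzzy` marker on "Authentication is required to update your home area." is dropped but the msgstr is left as "사용자 홈 영역을 최신화 하려면 인증이 필요합니다.", which is identical to the translation of "Authentication is required to update a user's home area." a few lines above, so the two polkit prompts now read the same in Korean even though the title string in this same hunk was changed to "자신의 홈 영역". Please confirm this is intended or update the message to match the title.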
@ -1117,12 +1115,11 @@ msgstr "오래된 시스템 최신화를 정리하려면 인증이 필요합니
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "추가 사양을 관리합니다"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr "활성 세션, 사용자 시트를 관리하려면 인증이 필요합니다."
msgstr "추가 사양을 관리하려면 인증이 필요합니다"
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -7,7 +7,7 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-08-24 10:36+0000\n"
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
"Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
"Language-Team: Polish <https://translate.fedoraproject.org/projects/systemd/"
"main/pl/>\n"
@ -17,7 +17,7 @@ msgstr ""
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
"|| n%100>=20) ? 1 : 2;\n"
"X-Generator: Weblate 5.7\n"
"X-Generator: Weblate 5.8.2\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system"
@ -122,15 +122,13 @@ msgstr ""
"użytkownika."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "Aktualizacja przestrzeni domowej"
msgstr "Aktualizacja przestrzeni domowej tego użytkownika"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr ""
"Wymagane jest uwierzytelnienie, aby zaktualizować przestrzeń domową "
"Wymagane jest uwierzytelnienie, aby zaktualizować przestrzeń domową tego "
"użytkownika."
#: src/home/org.freedesktop.home1.policy:63
@ -1212,14 +1210,11 @@ msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "Zarządzanie funkcjami opcjonalnymi"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr ""
"Wymagane jest uwierzytelnienie, aby zarządzać aktywnymi sesjami, "
"użytkownikami i stanowiskami."
msgstr "Wymagane jest uwierzytelnienie, aby zarządzać funkcjami opcjonalnymi."
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-08-25 11:38+0000\n"
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
"Last-Translator: \"Sergey A.\" <Ser82-png@yandex.ru>\n"
"Language-Team: Russian <https://translate.fedoraproject.org/projects/systemd/"
"main/ru/>\n"
@ -24,7 +24,7 @@ msgstr ""
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=3; plural=n%10==1 && n%100!=11 ? 0 : n%10>=2 && "
"n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;\n"
"X-Generator: Weblate 5.7\n"
"X-Generator: Weblate 5.8.2\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system"
@ -130,16 +130,13 @@ msgstr ""
"аутентификацию."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "Обновить домашнее пространство"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr ""
"Чтобы обновить домашнее пространство пользователя, необходимо пройти "
"аутентификацию."
"Чтобы обновить ваше домашнее пространство, необходимо пройти аутентификацию."
#: src/home/org.freedesktop.home1.policy:63
msgid "Resize a home area"
@ -1278,14 +1275,12 @@ msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "Управление дополнительными функциями"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr ""
"Для управления текущими сеансами, пользователями и рабочими местами, "
"необходимо пройти аутентификацию."
"Для управления дополнительными функциями необходимо пройти аутентификацию."
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -12,8 +12,8 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-10-24 00:56+0000\n"
"Last-Translator: Anders Jonsson <anders.jonsson@norsjovallen.se>\n"
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
"Last-Translator: Luna Jernberg <bittin@reimu.nl>\n"
"Language-Team: Swedish <https://translate.fedoraproject.org/projects/systemd/"
"main/sv/>\n"
"Language: sv\n"
@ -21,7 +21,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 5.7.2\n"
"X-Generator: Weblate 5.8.2\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system"
@ -117,14 +117,12 @@ msgid "Authentication is required to update a user's home area."
msgstr "Autentisering krävs för att uppdatera en användares hemarea."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "Uppdatera en hemarea"
msgstr "Uppdatera din hemarea"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr "Autentisering krävs för att uppdatera en användares hemarea."
msgstr "Autentisering krävs för att uppdatera din hemarea."
#: src/home/org.freedesktop.home1.policy:63
msgid "Resize a home area"
@ -1172,13 +1170,11 @@ msgstr "Autentisering krävs för att rensa gamla systemuppdateringar."
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "Hantera valfria funktioner"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr ""
"Autentisering krävs för att hantera aktiva sessioner, användare och platser."
msgstr "Autentisering krävs för att hantera valfria funktioner"
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-06 14:42+0000\n"
"PO-Revision-Date: 2024-08-25 11:38+0000\n"
"PO-Revision-Date: 2024-11-07 09:30+0000\n"
"Last-Translator: Oğuz Ersen <oguz@ersen.moe>\n"
"Language-Team: Turkish <https://translate.fedoraproject.org/projects/systemd/"
"main/tr/>\n"
@ -19,7 +19,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Generator: Weblate 5.7\n"
"X-Generator: Weblate 5.8.2\n"
#: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system"
@ -117,14 +117,12 @@ msgid "Authentication is required to update a user's home area."
msgstr "Bir kullanıcının ev alanını güncellemek kimlik doğrulaması gerektirir."
#: src/home/org.freedesktop.home1.policy:53
#, fuzzy
msgid "Update your home area"
msgstr "Ev alanını güncelle"
msgstr "Ev alanınızı güncelleyin"
#: src/home/org.freedesktop.home1.policy:54
#, fuzzy
msgid "Authentication is required to update your home area."
msgstr "Bir kullanıcının ev alanını güncellemek kimlik doğrulaması gerektirir."
msgstr "Ev alanınızı güncellemek kimlik doğrulaması gerektirir."
#: src/home/org.freedesktop.home1.policy:63
msgid "Resize a home area"
@ -1221,14 +1219,11 @@ msgstr ""
#: src/sysupdate/org.freedesktop.sysupdate1.policy:75
msgid "Manage optional features"
msgstr ""
msgstr "İsteğe bağlı özellikleri yönet"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features"
msgstr ""
"Aktif oturumları, kullanıcıları ve yuvaları yönetmek için kimlik doğrulaması "
"gereklidir."
msgstr "İsteğe bağlı özellikleri yönetmek için kimlik doğrulaması gereklidir"
#: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time"

View File

@ -956,10 +956,26 @@ int verb_install(int argc, char *argv[], void *userdata) {
graceful = !install && arg_graceful; /* support graceful mode for updates */
if (arg_secure_boot_auto_enroll) {
r = openssl_load_x509_certificate(arg_certificate, &certificate);
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &arg_private_key);
if (r < 0)
return log_error_errno(r, "Failed to parse private key path %s: %m", arg_private_key);
}
r = openssl_load_private_key(
arg_private_key_source_type,
arg_private_key_source,
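Review bot: the new `parse_path_argument()` call for `arg_certificate` returns a bare `r` on failure, while the parallel private-key branch below returns `log_error_errno(r, "Failed to parse private key path %s: %m", arg_private_key)`; the certificate branch should log the same way, otherwise a bad `--certificate=` path makes `bootctl install` fail without any message. Minor: `/*suppress_root=*/ false` vs `/* suppress_root= */ false`; the spaced form is the one used elsewhere in the hunk.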

View File

@ -64,6 +64,8 @@ ImagePolicy *arg_image_policy = NULL;
bool arg_varlink = false;
bool arg_secure_boot_auto_enroll = false;
char *arg_certificate = NULL;
CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
char *arg_certificate_source = NULL;
char *arg_private_key = NULL;
KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
char *arg_private_key_source = NULL;
@ -77,6 +79,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
STATIC_DESTRUCTOR_REGISTER(arg_efi_boot_option_description, freep);
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
@ -295,9 +298,14 @@ static int help(int argc, char *argv[], void *userdata) {
" Specify how to use KEY for --private-key=. Allows\n"
" an OpenSSL engine/provider to be used when setting\n"
" up secure boot auto-enrollment\n"
" --certificate=PATH\n"
" PEM certificate to use when setting up secure boot\n"
" auto-enrollment\n"
" --certificate=PATH|URI\n"
" PEM certificate to use when setting up Secure Boot\n"
" auto-enrollment, or a provider specific designation\n"
" if --certificate-source= is used\n"
" --certificate-source=file|provider:PROVIDER\n"
" Specify how to interpret the certificate from\n"
" --certificate=. Allows the certificate to be loaded\n"
" from an OpenSSL provider\n"
"\nSee the %2$s for details.\n",
program_invocation_short_name,
link,
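Review bot: `--certificate-source=` is added to the help output of bootctl, systemd-measure, systemd-sbsign and systemd-repart in this set, but no man page hunks accompany it; each tool's man page should document the option and its `file|provider:PROVIDER` syntax. It would also help to state explicitly that, unlike `--private-key-source=`, no `engine:` form is accepted for certificates, so users of an engine-backed key know the certificate must still come from a file or a provider.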
@ -332,6 +340,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_PRINT_STUB_PATH,
ARG_SECURE_BOOT_AUTO_ENROLL,
ARG_CERTIFICATE,
ARG_CERTIFICATE_SOURCE,
ARG_PRIVATE_KEY,
ARG_PRIVATE_KEY_SOURCE,
};
@ -366,6 +375,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "dry-run", no_argument, NULL, ARG_DRY_RUN },
{ "secure-boot-auto-enroll", required_argument, NULL, ARG_SECURE_BOOT_AUTO_ENROLL },
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
{}
@ -526,12 +536,20 @@ static int parse_argv(int argc, char *argv[]) {
return r;
break;
case ARG_CERTIFICATE: {
r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_certificate);
case ARG_CERTIFICATE:
r = free_and_strdup_warn(&arg_certificate, optarg);
if (r < 0)
return r;
break;
case ARG_CERTIFICATE_SOURCE:
r = parse_openssl_certificate_source_argument(
optarg,
&arg_certificate_source,
&arg_certificate_source_type);
if (r < 0)
return r;
break;
}
case ARG_PRIVATE_KEY: {
r = free_and_strdup_warn(&arg_private_key, optarg);
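Review bot: the opening brace is dropped from `case ARG_CERTIFICATE: {`, so the `}` that sits just before `case ARG_PRIVATE_KEY: {` must be dropped too; this view strips the +/- markers, so please confirm that line is deleted rather than kept as context, otherwise the switch no longer compiles. The repart `parse_argv` hunk (`@ -8130,12 +8141,20`) has exactly the same shape and needs the same check.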

View File

@ -41,6 +41,8 @@ extern ImagePolicy *arg_image_policy;
extern bool arg_varlink;
extern bool arg_secure_boot_auto_enroll;
extern char *arg_certificate;
extern CertificateSourceType arg_certificate_source_type;
extern char *arg_certificate_source;
extern char *arg_private_key;
extern KeySourceType arg_private_key_source_type;
extern char *arg_private_key_source;

View File

@ -38,6 +38,8 @@ static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
static char *arg_private_key_source = NULL;
static char *arg_public_key = NULL;
static char *arg_certificate = NULL;
static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
static char *arg_certificate_source = NULL;
static sd_json_format_flags_t arg_json_format_flags = SD_JSON_FORMAT_PRETTY_AUTO|SD_JSON_FORMAT_COLOR_AUTO|SD_JSON_FORMAT_OFF;
static PagerFlags arg_pager_flags = 0;
static bool arg_current = false;
@ -50,6 +52,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
STATIC_DESTRUCTOR_REGISTER(arg_public_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
STATIC_DESTRUCTOR_REGISTER(arg_phase, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_append, freep);
@ -74,6 +77,7 @@ static int help(int argc, char *argv[], void *userdata) {
" status Show current PCR values\n"
" calculate Calculate expected PCR values\n"
" sign Calculate and sign expected PCR values\n"
" pcrpkey Calculate the PCR public key\n"
"\n%3$sOptions:%4$s\n"
" -h --help Show this help\n"
" --version Print version\n"
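Review bot: the description `pcrpkey Calculate the PCR public key` is misleading; nothing is calculated, the verb extracts and prints the public key from `--public-key=`, `--certificate=` or `--private-key=`, so "Print the PCR public key" (or "Extract ...") reads better. The new verb is also not documented anywhere in this set; systemd-measure(1) should gain a section describing it and which of the three inputs takes precedence when several are given.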
@ -87,7 +91,13 @@ static int help(int argc, char *argv[], void *userdata) {
" Specify how to use KEY for --private-key=. Allows\n"
" an OpenSSL engine/provider to be used for signing\n"
" --public-key=KEY Public key (PEM) to validate against\n"
" --certificate=PATH PEM certificate to use when signing with a URI\n"
" --certificate=PATH|URI\n"
" PEM certificate to use for signing, or a provider\n"
" specific designation if --certificate-source= is used\n"
" --certificate-source=file|provider:PROVIDER\n"
" Specify how to interpret the certificate from\n"
" --certificate=. Allows the certificate to be loaded\n"
" from an OpenSSL provider\n"
" --json=MODE Output as JSON\n"
" -j Same as --json=pretty on tty, --json=short otherwise\n"
" --append=PATH Load specified JSON signature, and append new signature to it\n"
@ -156,6 +166,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_PRIVATE_KEY_SOURCE,
ARG_PUBLIC_KEY,
ARG_CERTIFICATE,
ARG_CERTIFICATE_SOURCE,
ARG_TPM2_DEVICE,
ARG_JSON,
ARG_PHASE,
@ -186,6 +197,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
{ "public-key", required_argument, NULL, ARG_PUBLIC_KEY },
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
{ "json", required_argument, NULL, ARG_JSON },
{ "phase", required_argument, NULL, ARG_PHASE },
{ "append", required_argument, NULL, ARG_APPEND },
@ -265,10 +277,18 @@ static int parse_argv(int argc, char *argv[]) {
break;
case ARG_CERTIFICATE:
r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_certificate);
r = free_and_strdup_warn(&arg_certificate, optarg);
if (r < 0)
return r;
break;
case ARG_CERTIFICATE_SOURCE:
r = parse_openssl_certificate_source_argument(
optarg,
&arg_certificate_source,
&arg_certificate_source_type);
if (r < 0)
return r;
break;
case ARG_TPM2_DEVICE: {
@ -841,7 +861,17 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
/* This must be done before openssl_load_private_key() otherwise it will get stuck */
if (arg_certificate) {
r = openssl_load_x509_certificate(arg_certificate, &certificate);
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
}
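Review bot: the path-parse failure here returns `r` without a log line, unlike the `"Failed to parse private key path %s: %m"` message used for the key. Also, since `arg_certificate` is now rewritten in place at verb time, the comment "This must be done before openssl_load_private_key() otherwise it will get stuck" should probably mention that the provider loader may itself call `OSSL_PROVIDER_try_load()`, so certificate loading must keep preceding key loading even when both come from a provider.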
@ -1144,12 +1174,100 @@ static int verb_status(int argc, char *argv[], void *userdata) {
return 0;
}
static int verb_pcrpkey(int argc, char *argv[], void *userdata) {
_cleanup_(EVP_PKEY_freep) EVP_PKEY *public_key = NULL;
int r;
if (arg_public_key) {
_cleanup_fclose_ FILE *public_keyf = NULL;
public_keyf = fopen(arg_public_key, "re");
if (!public_keyf)
return log_error_errno(errno, "Failed to open public key file '%s': %m", arg_public_key);
public_key = PEM_read_PUBKEY(public_keyf, NULL, NULL, NULL);
if (!public_key)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to parse public key '%s'.", arg_public_key);
} else if (arg_certificate) {
_cleanup_(X509_freep) X509 *certificate = NULL;
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
public_key = X509_get_pubkey(certificate);
if (!public_key)
return log_error_errno(
SYNTHETIC_ERRNO(EIO),
"Failed to extract public key from certificate %s.",
arg_certificate);
} else if (arg_private_key) {
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &arg_private_key);
if (r < 0)
return log_error_errno(r, "Failed to parse private key path %s: %m", arg_private_key);
}
r = openssl_load_private_key(
arg_private_key_source_type,
arg_private_key_source,
arg_private_key,
&(AskPasswordRequest) {
.id = "measure-private-key-pin",
.keyring = arg_private_key,
.credential = "measure.private-key-pin",
},
&private_key,
&ui);
if (r < 0)
return log_error_errno(r, "Failed to load private key from %s: %m", arg_private_key);
_cleanup_(memstream_done) MemStream m = {};
FILE *tf = memstream_init(&m);
if (!tf)
return log_oom();
if (i2d_PUBKEY_fp(tf, private_key) != 1)
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Failed to extract public key from private key file '%s'.", arg_private_key);
fflush(tf);
rewind(tf);
if (!d2i_PUBKEY_fp(tf, &public_key))
return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Failed to parse extracted public key of private key file '%s'.", arg_private_key);
} else
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "One of --public-key=, --certificate= or --private-key= must be specified");
if (PEM_write_PUBKEY(stdout, public_key) == 0)
return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to write public key to stdout");
return 0;
}
static int measure_main(int argc, char *argv[]) {
static const Verb verbs[] = {
{ "help", VERB_ANY, VERB_ANY, 0, help },
{ "status", VERB_ANY, 1, VERB_DEFAULT, verb_status },
{ "calculate", VERB_ANY, 1, 0, verb_calculate },
{ "sign", VERB_ANY, 1, 0, verb_sign },
{ "pcrpkey", VERB_ANY, 1, 0, verb_pcrpkey },
{}
};
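Review bot: the private-key branch's round trip through a memstream with `i2d_PUBKEY_fp()` followed by `d2i_PUBKEY_fp()` is unnecessary: `PEM_write_PUBKEY()` already serialises only the SubjectPublicKeyInfo of whatever `EVP_PKEY` it is given, so `PEM_write_PUBKEY(stdout, private_key)` (or `public_key = TAKE_PTR(private_key)`) yields the same output with three fewer failure points, and the unchecked `fflush(tf)` goes away with it. Two smaller points: the `--public-key=` parse failure reports only `"Failed to parse public key '%s'."` without the OpenSSL error string the other loaders include, and when more than one of `--public-key=`, `--certificate=` and `--private-key=` is supplied the extra options are silently ignored in that priority order; consider rejecting the combination with `EINVAL`, or at least documenting the precedence.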

View File

@ -21,12 +21,15 @@
static PagerFlags arg_pager_flags = 0;
static char *arg_output = NULL;
static char *arg_certificate = NULL;
static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
static char *arg_certificate_source = NULL;
static char *arg_private_key = NULL;
static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
static char *arg_private_key_source = NULL;
STATIC_DESTRUCTOR_REGISTER(arg_output, freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
@ -42,13 +45,19 @@ static int help(int argc, char *argv[], void *userdata) {
"\n%5$sSign binaries for EFI Secure Boot%6$s\n"
"\n%3$sCommands:%4$s\n"
" sign EXEFILE Sign the given binary for EFI Secure Boot\n"
" validate-key Load and validate the given private key\n"
" validate-key Load and validate the given certificate and private key\n"
"\n%3$sOptions:%4$s\n"
" -h --help Show this help\n"
" --version Print version\n"
" --no-pager Do not pipe output into a pager\n"
" --output Where to write the signed PE binary\n"
" --certificate=PATH PEM certificate to use when signing with a URI\n"
" --certificate=PATH|URI\n"
" PEM certificate to use for signing, or a provider\n"
" specific designation if --certificate-source= is used\n"
" --certificate-source=file|provider:PROVIDER\n"
" Specify how to interpret the certificate from\n"
" --certificate=. Allows the certificate to be loaded\n"
" from an OpenSSL provider\n"
" --private-key=KEY Private key (PEM) to sign with\n"
" --private-key-source=file|provider:PROVIDER|engine:ENGINE\n"
" Specify how to use KEY for --private-key=. Allows\n"
@ -70,6 +79,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_NO_PAGER,
ARG_OUTPUT,
ARG_CERTIFICATE,
ARG_CERTIFICATE_SOURCE,
ARG_PRIVATE_KEY,
ARG_PRIVATE_KEY_SOURCE,
};
@ -80,6 +90,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "version", no_argument, NULL, ARG_VERSION },
{ "output", required_argument, NULL, ARG_OUTPUT },
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
{}
@ -90,7 +101,7 @@ static int parse_argv(int argc, char *argv[]) {
assert(argc >= 0);
assert(argv);
while ((c = getopt_long(argc, argv, "hjc", options, NULL)) >= 0)
while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
switch (c) {
case 'h':
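Review bot: changing the short-option string from `"hjc"` to `"h"` is unrelated to the certificate-source work; it is a correct cleanup (no `-j`/`-c` options are declared in the `options[]` table), but it belongs in its own commit so it is not lost in a feature change and is easy to bisect.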
@ -112,10 +123,18 @@ static int parse_argv(int argc, char *argv[]) {
break;
case ARG_CERTIFICATE:
r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_certificate);
r = free_and_strdup_warn(&arg_certificate, optarg);
if (r < 0)
return r;
break;
case ARG_CERTIFICATE_SOURCE:
r = parse_openssl_certificate_source_argument(
optarg,
&arg_certificate_source,
&arg_certificate_source_type);
if (r < 0)
return r;
break;
case ARG_PRIVATE_KEY:
@ -168,7 +187,17 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
if (!arg_output)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No output specified, use --output=");
r = openssl_load_x509_certificate(arg_certificate, &certificate);
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
@ -470,14 +499,33 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
}
static int verb_validate_key(int argc, char *argv[], void *userdata) {
_cleanup_(X509_freep) X509 *certificate = NULL;
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
_cleanup_(EVP_PKEY_freep) EVP_PKEY *private_key = NULL;
int r;
if (!arg_certificate)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"No certificate specified, use --certificate=");
if (!arg_private_key)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"No private key specified, use --private-key=.");
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
if (arg_private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
r = parse_path_argument(arg_private_key, /* suppress_root= */ false, &arg_private_key);
if (r < 0)
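Review bot: `validate-key` now hard-fails without `--certificate=` (`"No certificate specified, use --certificate="`), which is a user-visible behaviour change for a verb that previously validated only the private key; the help text was updated, but the man page is not in this set and the commit message should call the change out. Having both objects loaded, the verb should also check that the certificate's public key actually matches the private key (for example with `X509_check_private_key()`); whether that happens is beyond the visible lines, but that is what the renamed "validate the given certificate and private key" promises. The certificate path-parse failure is again returned without a log message.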

View File

@ -154,6 +154,8 @@ static char *arg_private_key = NULL;
static KeySourceType arg_private_key_source_type = OPENSSL_KEY_SOURCE_FILE;
static char *arg_private_key_source = NULL;
static char *arg_certificate = NULL;
static CertificateSourceType arg_certificate_source_type = OPENSSL_CERTIFICATE_SOURCE_FILE;
static char *arg_certificate_source = NULL;
static char *arg_tpm2_device = NULL;
static uint32_t arg_tpm2_seal_key_handle = 0;
static char *arg_tpm2_device_key = NULL;
@ -186,6 +188,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_key, erase_and_freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_private_key_source, freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate, freep);
STATIC_DESTRUCTOR_REGISTER(arg_certificate_source, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_device_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
@ -7808,8 +7811,14 @@ static int help(void) {
" Specify how to use KEY for --private-key=. Allows\n"
" an OpenSSL engine/provider to be used when generating\n"
" verity roothash signatures\n"
" --certificate=PATH PEM certificate to use when generating verity\n"
" roothash signatures\n"
" --certificate=PATH|URI\n"
" PEM certificate to use when generating verity roothash\n"
" signatures, or a provider specific designation if\n"
" --certificate-source= is used\n"
" --certificate-source=file|provider:PROVIDER\n"
" Specify how to interpret the certificate from\n"
" --certificate=. Allows the certificate to be loaded\n"
" from an OpenSSL provider\n"
"\n%3$sEncryption:%4$s\n"
" --key-file=PATH Key to use when encrypting partitions\n"
" --tpm2-device=PATH Path to TPM2 device node to use\n"
@ -7878,6 +7887,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
ARG_PRIVATE_KEY,
ARG_PRIVATE_KEY_SOURCE,
ARG_CERTIFICATE,
ARG_CERTIFICATE_SOURCE,
ARG_TPM2_DEVICE,
ARG_TPM2_DEVICE_KEY,
ARG_TPM2_SEAL_KEY_HANDLE,
@ -7922,6 +7932,7 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
{ "private-key", required_argument, NULL, ARG_PRIVATE_KEY },
{ "private-key-source", required_argument, NULL, ARG_PRIVATE_KEY_SOURCE },
{ "certificate", required_argument, NULL, ARG_CERTIFICATE },
{ "certificate-source", required_argument, NULL, ARG_CERTIFICATE_SOURCE },
{ "tpm2-device", required_argument, NULL, ARG_TPM2_DEVICE },
{ "tpm2-device-key", required_argument, NULL, ARG_TPM2_DEVICE_KEY },
{ "tpm2-seal-key-handle", required_argument, NULL, ARG_TPM2_SEAL_KEY_HANDLE },
@ -8130,12 +8141,20 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
return r;
break;
case ARG_CERTIFICATE: {
r = parse_path_argument(optarg, /*suppress_root=*/ false, &arg_certificate);
case ARG_CERTIFICATE:
r = free_and_strdup_warn(&arg_certificate, optarg);
if (r < 0)
return r;
break;
case ARG_CERTIFICATE_SOURCE:
r = parse_openssl_certificate_source_argument(
optarg,
&arg_certificate_source,
&arg_certificate_source_type);
if (r < 0)
return r;
break;
}
case ARG_TPM2_DEVICE: {
_cleanup_free_ char *device = NULL;
@ -8468,7 +8487,17 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
}
if (arg_certificate) {
r = openssl_load_x509_certificate(arg_certificate, &certificate);
if (arg_certificate_source_type == OPENSSL_CERTIFICATE_SOURCE_FILE) {
r = parse_path_argument(arg_certificate, /*suppress_root=*/ false, &arg_certificate);
if (r < 0)
return r;
}
r = openssl_load_x509_certificate(
arg_certificate_source_type,
arg_certificate_source,
arg_certificate,
&certificate);
if (r < 0)
return log_error_errno(r, "Failed to load X.509 certificate from %s: %m", arg_certificate);
}

View File

@ -1340,6 +1340,9 @@ static int load_key_from_provider(
if (!store)
return log_openssl_errors("Failed to open OpenSSL store via '%s'", private_key_uri);
if (OSSL_STORE_expect(store, OSSL_STORE_INFO_PKEY) == 0)
return log_openssl_errors("Failed to filter store by private keys");
_cleanup_(OSSL_STORE_INFO_freep) OSSL_STORE_INFO *info = OSSL_STORE_load(store);
if (!info)
return log_openssl_errors("Failed to load OpenSSL store via '%s'", private_key_uri);
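Review bot: adding `OSSL_STORE_expect(store, OSSL_STORE_INFO_PKEY)` changes private-key loading independently of the certificate-source feature, and the commit message does not say why; presumably a provider returns a certificate object before the key for the same URI, in which case that should be stated and the change split into its own commit. The call is correctly placed before the first `OSSL_STORE_load()`, and the `== 0` check matches the documented return convention.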
@ -1479,6 +1482,80 @@ static int openssl_ask_password_ui_new(const AskPasswordRequest *request, OpenSS
*ret = TAKE_PTR(ui);
return 0;
}
static int load_x509_certificate_from_file(const char *path, X509 **ret) {
_cleanup_free_ char *rawcert = NULL;
_cleanup_(X509_freep) X509 *cert = NULL;
_cleanup_(BIO_freep) BIO *cb = NULL;
size_t rawcertsz;
int r;
assert(path);
assert(ret);
r = read_full_file_full(
AT_FDCWD, path, UINT64_MAX, SIZE_MAX,
READ_FULL_FILE_CONNECT_SOCKET,
NULL,
&rawcert, &rawcertsz);
if (r < 0)
return log_debug_errno(r, "Failed to read certificate file '%s': %m", path);
cb = BIO_new_mem_buf(rawcert, rawcertsz);
if (!cb)
return log_oom_debug();
cert = PEM_read_bio_X509(cb, NULL, NULL, NULL);
if (!cert)
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse X.509 certificate: %s",
ERR_error_string(ERR_get_error(), NULL));
if (ret)
*ret = TAKE_PTR(cert);
return 0;
}
static int load_x509_certificate_from_provider(const char *provider, const char *certificate_uri, X509 **ret) {
assert(provider);
assert(certificate_uri);
assert(ret);
#if OPENSSL_VERSION_MAJOR >= 3
/* Load the provider so that this can work without any custom written configuration in /etc/.
* Also load the 'default' as that seems to be the recommendation. */
if (!OSSL_PROVIDER_try_load(/* ctx= */ NULL, provider, /* retain_fallbacks= */ true))
return log_openssl_errors("Failed to load OpenSSL provider '%s'", provider);
if (!OSSL_PROVIDER_try_load(/* ctx= */ NULL, "default", /* retain_fallbacks= */ true))
return log_openssl_errors("Failed to load OpenSSL provider 'default'");
_cleanup_(OSSL_STORE_closep) OSSL_STORE_CTX *store = OSSL_STORE_open(
certificate_uri,
/*ui_method=*/ NULL,
/*ui_method=*/ NULL,
/* post_process= */ NULL,
/* post_process_data= */ NULL);
if (!store)
return log_openssl_errors("Failed to open OpenSSL store via '%s'", certificate_uri);
if (OSSL_STORE_expect(store, OSSL_STORE_INFO_CERT) == 0)
return log_openssl_errors("Failed to filter store by X.509 certificates");
_cleanup_(OSSL_STORE_INFO_freep) OSSL_STORE_INFO *info = OSSL_STORE_load(store);
if (!info)
return log_openssl_errors("Failed to load OpenSSL store via '%s'", certificate_uri);
_cleanup_(X509_freep) X509 *cert = OSSL_STORE_INFO_get1_CERT(info);
if (!cert)
return log_openssl_errors("Failed to load certificate via '%s'", certificate_uri);
*ret = TAKE_PTR(cert);
return 0;
#else
return -EOPNOTSUPP;
#endif
}
#endif
OpenSSLAskPasswordUI* openssl_ask_password_ui_free(OpenSSLAskPasswordUI *ui) {
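Review bot: in `load_x509_certificate_from_provider()` the two NULL arguments to `OSSL_STORE_open()` are both annotated `/*ui_method=*/`; the second is `ui_data`, so the label is wrong. In `load_x509_certificate_from_file()` the `if (ret)` guard before `*ret = TAKE_PTR(cert);` is dead code now that `assert(ret)` sits at the top of the function (it survives from the old `openssl_load_x509_certificate()` body); drop the guard. Lastly, the `#else return -EOPNOTSUPP;` branch for pre-3.0 OpenSSL gives the user only "Operation not supported" via the caller's `%m`; a debug line saying providers need OpenSSL 3 would make that failure diagnosable.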
@ -1514,36 +1591,33 @@ int x509_fingerprint(X509 *cert, uint8_t buffer[static SHA256_DIGEST_SIZE]) {
#endif
}
int openssl_load_x509_certificate(const char *path, X509 **ret) {
int openssl_load_x509_certificate(
CertificateSourceType certificate_source_type,
const char *certificate_source,
const char *certificate,
X509 **ret) {
#if HAVE_OPENSSL
_cleanup_free_ char *rawcert = NULL;
_cleanup_(X509_freep) X509 *cert = NULL;
_cleanup_(BIO_freep) BIO *cb = NULL;
size_t rawcertsz;
int r;
assert(path);
assert(ret);
assert(certificate);
r = read_full_file_full(
AT_FDCWD, path, UINT64_MAX, SIZE_MAX,
READ_FULL_FILE_CONNECT_SOCKET,
NULL,
&rawcert, &rawcertsz);
switch (certificate_source_type) {
case OPENSSL_CERTIFICATE_SOURCE_FILE:
r = load_x509_certificate_from_file(certificate, ret);
break;
case OPENSSL_CERTIFICATE_SOURCE_PROVIDER:
r = load_x509_certificate_from_provider(certificate_source, certificate, ret);
break;
default:
assert_not_reached();
}
if (r < 0)
return log_debug_errno(r, "Failed to read certificate file '%s': %m", path);
cb = BIO_new_mem_buf(rawcert, rawcertsz);
if (!cb)
return log_oom_debug();
cert = PEM_read_bio_X509(cb, NULL, NULL, NULL);
if (!cert)
return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Failed to parse X.509 certificate: %s",
ERR_error_string(ERR_get_error(), NULL));
if (ret)
*ret = TAKE_PTR(cert);
return log_debug_errno(
r,
"Failed to load certificate '%s' from OpenSSL certificate source %s: %m",
certificate,
certificate_source);
return 0;
#else
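Review bot: the final debug message prints `certificate_source` with `%s`, but for `OPENSSL_CERTIFICATE_SOURCE_FILE` that pointer is NULL (the parser stores `e`, which is NULL for `"file"`), so the log reads "from OpenSSL certificate source (null)"; wrap it in `strna()` or emit a per-source message. The old function also asserted `ret`; only `assert(certificate)` remains here, which is fine given the sub-loaders assert it, but keeping `assert(ret)` at the public entry point costs nothing.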
@ -1603,6 +1677,35 @@ int openssl_load_private_key(
#endif
}
int parse_openssl_certificate_source_argument(
const char *argument,
char **certificate_source,
CertificateSourceType *certificate_source_type) {
CertificateSourceType type;
const char *e = NULL;
int r;
assert(argument);
assert(certificate_source);
assert(certificate_source_type);
if (streq(argument, "file"))
type = OPENSSL_CERTIFICATE_SOURCE_FILE;
else if ((e = startswith(argument, "provider:")))
type = OPENSSL_CERTIFICATE_SOURCE_PROVIDER;
else
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid certificate source '%s'", argument);
r = free_and_strdup_warn(certificate_source, e);
if (r < 0)
return r;
*certificate_source_type = type;
return 0;
}
int parse_openssl_key_source_argument(
const char *argument,
char **private_key_source,
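Review bot: `--certificate-source=provider:` with an empty provider name is accepted: `startswith()` returns a pointer to the empty string, so `certificate_source` becomes `""` and the failure only shows up later as an opaque `OSSL_PROVIDER_try_load()` error. Reject it up front with something like `if (isempty(e)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Empty provider name in certificate source '%s'", argument);`, and check that `parse_openssl_key_source_argument()` below behaves the same way for `provider:` and `engine:`.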

View File

@ -6,6 +6,13 @@
#include "macro.h"
#include "sha256.h"
typedef enum CertificateSourceType {
OPENSSL_CERTIFICATE_SOURCE_FILE,
OPENSSL_CERTIFICATE_SOURCE_PROVIDER,
_OPENSSL_CERTIFICATE_SOURCE_MAX,
_OPENSSL_CERTIFICATE_SOURCE_INVALID = -EINVAL,
} CertificateSourceType;
typedef enum KeySourceType {
OPENSSL_KEY_SOURCE_FILE,
OPENSSL_KEY_SOURCE_ENGINE,
@ -16,6 +23,8 @@ typedef enum KeySourceType {
typedef struct OpenSSLAskPasswordUI OpenSSLAskPasswordUI;
int parse_openssl_certificate_source_argument(const char *argument, char **certificate_source, CertificateSourceType *certificate_source_type);
int parse_openssl_key_source_argument(const char *argument, char **private_key_source, KeySourceType *private_key_source_type);
#define X509_FINGERPRINT_SIZE SHA256_DIGEST_SIZE
@ -182,7 +191,11 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(OpenSSLAskPasswordUI*, openssl_ask_password_ui_
int x509_fingerprint(X509 *cert, uint8_t buffer[static X509_FINGERPRINT_SIZE]);
int openssl_load_x509_certificate(const char *path, X509 **ret);
int openssl_load_x509_certificate(
CertificateSourceType certificate_source_type,
const char *certificate_source,
const char *certificate,
X509 **ret);
int openssl_load_private_key(
KeySourceType private_key_source_type,

View File

@ -538,7 +538,6 @@ TEST(bind_mount_submounts) {
}
TEST(path_is_network_fs_harder) {
ASSERT_OK(path_is_network_fs_harder("/"));
ASSERT_OK_ZERO(path_is_network_fs_harder("/dev"));
ASSERT_OK_ZERO(path_is_network_fs_harder("/sys"));
ASSERT_OK_ZERO(path_is_network_fs_harder("/run"));
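Review bot: deleting `ASSERT_OK(path_is_network_fs_harder("/"))` removes the only coverage of the root mount rather than explaining why the call returns `EINVAL` on the build system; if `/` is a legitimate input, that `-EINVAL` may be a bug in `path_is_network_fs_harder()` that the test was catching. Prefer keeping the call and tolerating the environment, e.g. accept `-EINVAL` (or whatever the buildd chroot actually yields) for `/` only, so the function is still exercised everywhere else.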

View File

@ -207,11 +207,11 @@ def test_parse_args_many_deprecated():
assert opts.uname == '1.2.3'
assert opts.stub == pathlib.Path('STUBPATH')
assert opts.pcr_private_keys == ['PKEY1']
assert opts.pcr_public_keys == [pathlib.Path('PKEY2')]
assert opts.pcr_public_keys == ['PKEY2']
assert opts.pcr_banks == ['SHA1', 'SHA256']
assert opts.signing_engine == 'ENGINE'
assert opts.sb_key == 'SBKEY'
assert opts.sb_cert == 'SBCERT'
assert opts.sb_cert == Path('SBCERT')
assert opts.sign_kernel is False
assert opts.tools == [pathlib.Path('TOOLZ/')]
assert opts.output == pathlib.Path('OUTPUT')
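Review bot: `assert opts.sb_cert == Path('SBCERT')` uses a bare `Path`, whereas every other assertion in these hunks spells it `pathlib.Path(...)`; unless `Path` is imported at the top of the test module this raises `NameError`, and even if it is, the inconsistency is worth fixing to `pathlib.Path('SBCERT')`.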
@ -253,7 +253,7 @@ def test_parse_args_many():
assert opts.uname == '1.2.3'
assert opts.stub == pathlib.Path('STUBPATH')
assert opts.pcr_private_keys == ['PKEY1']
assert opts.pcr_public_keys == [pathlib.Path('PKEY2')]
assert opts.pcr_public_keys == ['PKEY2']
assert opts.pcr_banks == ['SHA1', 'SHA256']
assert opts.signing_engine == 'ENGINE'
assert opts.sb_key == 'SBKEY'
@ -360,8 +360,7 @@ def test_config_priority(tmp_path):
assert opts.uname == '1.2.3'
assert opts.stub == pathlib.Path('STUBPATH')
assert opts.pcr_private_keys == ['PKEY1', 'some/path7']
assert opts.pcr_public_keys == [pathlib.Path('PKEY2'),
pathlib.Path('some/path8')]
assert opts.pcr_public_keys == ['PKEY2', 'some/path8']
assert opts.pcr_banks == ['SHA1', 'SHA256']
assert opts.signing_engine == 'ENGINE'
assert opts.signtool == ukify.SbSign # from args

View File

@ -249,7 +249,7 @@ class UkifyConfig:
output: Optional[str]
pcr_banks: list[str]
pcr_private_keys: list[str]
pcr_public_keys: list[Path]
pcr_public_keys: list[str]
pcrpkey: Optional[Path]
phase_path_groups: Optional[list[str]]
profile: Union[str, Path, None]
@ -264,6 +264,7 @@ class UkifyConfig:
sign_kernel: bool
signing_engine: Optional[str]
signing_provider: Optional[str]
certificate_provider: Optional[str]
signtool: Optional[type['SignTool']]
splash: Optional[Path]
stub: Path
@ -554,6 +555,11 @@ class SystemdSbSign(SignTool):
if opts.signing_provider is not None
else []
),
*(
['--certificate-source', f'provider:{opts.certificate_provider}']
if opts.certificate_provider is not None
else []
),
input_f,
'--output', output_f,
] # fmt: skip
@ -666,7 +672,7 @@ def combine_signatures(pcrsigs: list[dict[str, str]]) -> str:
return json.dumps(combined)
def key_path_groups(opts: UkifyConfig) -> Iterator[tuple[str, Optional[Path], Optional[str]]]:
def key_path_groups(opts: UkifyConfig) -> Iterator[tuple[str, Optional[str], Optional[str]]]:
if not opts.pcr_private_keys:
return
@ -757,6 +763,10 @@ def call_systemd_measure(uki: UKI, opts: UkifyConfig, profile_start: int = 0) ->
extra += [f'--certificate={pub_key}']
elif pub_key:
extra += [f'--public-key={pub_key}']
if opts.certificate_provider is not None:
extra += [f'--certificate-source=provider:{opts.certificate_provider}']
extra += [f'--phase={phase_path}' for phase_path in group or ()]
print('+', shell_join(cmd + extra)) # type: ignore
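Review bot: `--certificate-source=provider:...` is appended whenever `opts.certificate_provider` is set, including in the `elif pub_key:` branch that passes `--public-key=` rather than `--certificate=`; systemd-measure ignores the source in that case, so it is harmless, but the option only makes sense next to `--certificate=` and should be added inside that branch to keep the generated command line honest.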
@ -1007,34 +1017,30 @@ def make_uki(opts: UkifyConfig) -> None:
pcrpkey: Union[bytes, Path, None] = opts.pcrpkey
if pcrpkey is None:
measure_tool = find_tool('systemd-measure', '/usr/lib/systemd/systemd-measure')
cmd = [measure_tool, "pcrpkey"]
if opts.pcr_public_keys and len(opts.pcr_public_keys) == 1:
pcrpkey = opts.pcr_public_keys[0]
# If we are getting a certificate when using an engine or provider, we need to convert it to
# public key format.
if (opts.signing_engine or opts.signing_provider) and Path(pcrpkey).exists():
from cryptography.hazmat.primitives import serialization
from cryptography.x509 import load_pem_x509_certificate
try:
cert = load_pem_x509_certificate(Path(pcrpkey).read_bytes())
except ValueError:
raise ValueError(f'{pcrpkey} must be an X.509 certificate when signing with an engine')
# If we're using an engine or provider, the public key will be an X.509 certificate.
if (opts.signing_engine or opts.signing_provider):
cmd += ["--certificate", opts.pcr_public_keys[0]]
if opts.certificate_provider:
cmd += ["--certificate-source", f"provider:{opts.certificate_provider}"]
else:
pcrpkey = cert.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
from cryptography.hazmat.primitives import serialization
cmd += ["--public-key", opts.pcr_public_keys[0]]
privkey = serialization.load_pem_private_key(
Path(opts.pcr_private_keys[0]).read_bytes(),
password=None,
)
pcrpkey = privkey.public_key().public_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PublicFormat.SubjectPublicKeyInfo,
)
print('+', shell_join(cmd))
pcrpkey = subprocess.check_output(cmd)
elif opts.pcr_private_keys and len(opts.pcr_private_keys) == 1:
cmd += ["--private-key", Path(opts.pcr_private_keys[0])]
if opts.signing_engine:
cmd += ["--private-key-source", f"engine:{opts.signing_engine}"]
if opts.signing_provider:
cmd += ["--private-key-source", f"provider:{opts.signing_provider}"]
print('+', shell_join(cmd))
pcrpkey = subprocess.check_output(cmd)
sections = [
# name, content, measure?
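Review bot: `cmd += ["--private-key", Path(opts.pcr_private_keys[0])]` wraps the value in `Path` even when `signing_engine` or `signing_provider` is set, in which case it is an engine/provider designation rather than a file (the tests keep `pcr_private_keys == ['PKEY1']` as plain strings for that reason); `Path` normalises the string (collapses `//`, strips a trailing `/`) and can mangle a URI. Pass the string unchanged, as the `--certificate` branch already does, and let systemd-measure decide based on `--private-key-source=`. Also note the dropped `Path(pcrpkey).exists()` guard: with an engine or provider, a plain PEM public key given via `--pcr-public-key=` is now always passed as `--certificate=` and will fail to parse, so if that combination worked before this is a behaviour change to mention. Style: the parentheses in `if (opts.signing_engine or opts.signing_provider):` are redundant.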
@ -1674,6 +1680,12 @@ CONFIG_ITEMS = [
help='OpenSSL provider to use for signing',
config_key='UKI/SigningProvider',
),
ConfigItem(
'--certificate-provider',
metavar='PROVIDER',
help='OpenSSL provider to load certificate from',
config_key='UKI/CertificateProvider',
),
ConfigItem(
'--signtool',
choices=('sbsign', 'pesign', 'systemd-sbsign'),
@ -1746,7 +1758,6 @@ CONFIG_ITEMS = [
'--pcr-public-key',
dest='pcr_public_keys',
metavar='PATH',
type=Path,
action='append',
help='public part of the keypair or engine/provider designation for signing PCR signatures',
config_key='PCRSignature:/PCRPublicKey',
@ -1982,10 +1993,10 @@ def finalize_options(opts: argparse.Namespace) -> None:
if opts.signing_engine and opts.signing_provider:
raise ValueError('Only one of --signing-engine= and --signing-provider= may be specified')
if opts.signing_engine is None and opts.signing_provider is None:
if opts.sb_key:
if opts.signing_engine is None and opts.signing_provider is None and opts.sb_key:
opts.sb_key = Path(opts.sb_key)
if opts.sb_cert:
if opts.certificate_provider is None and opts.sb_cert:
opts.sb_cert = Path(opts.sb_cert)
if bool(opts.sb_key) ^ bool(opts.sb_cert):
@ -2012,6 +2023,9 @@ def finalize_options(opts: argparse.Namespace) -> None:
if opts.signing_provider and opts.signtool != SystemdSbSign:
raise ValueError('--signing-provider= can only be used with--signtool=systemd-sbsign')
if opts.certificate_provider and opts.signtool != SystemdSbSign:
raise ValueError('--certificate-provider= can only be used with--signtool=systemd-sbsign')
if opts.sign_kernel and not opts.sb_key and not opts.sb_cert_name:
raise ValueError(
'--sign-kernel requires either --secureboot-private-key= and --secureboot-certificate= (for sbsign) or --secureboot-certificate-name= (for pesign) to be specified' # noqa: E501
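Review bot: the new message `'--certificate-provider= can only be used with--signtool=systemd-sbsign'` is missing the space before `--signtool=`; it copies the same typo from the `--signing-provider=` line just above, so fix both while here.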