sbctl skips signing remaining items if one is not found #265

Closed
cvlc12 opened this issue Dec 7, 2023 · 1 comment · Fixed by #280
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@cvlc12
Contributor

cvlc12 commented Dec 7, 2023

If sbctl fails to find a file on the list of files to sign, then it exits and does not try the remaining files.
I think it should proceed with attempting to sign the remaining files.

Otherwise the following happens during an update:

```
...
(15/17) Updating the desktop file MIME type cache...
(16/17) Signing EFI binaries...
Generating EFI bundles....
✓ Signed /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
failed signing /efi/EFI/Linux/982132008de649089768b8fa1887cbe1-6.1.65-1-lts.efi: /efi/EFI/Linux/982132008de649089768b8fa1887cbe1-6.1.65-1-lts.efi does not exist
erreur : la commande n’a pas pu être exécutée correctement
(17/17) Performing snapper post snapshots for the following configurations...
...
$ sudo sbctl verify
Verifying file database and EFI images in /efi...
✓ /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed is signed
‼ /efi/EFI/Linux/982132008de649089768b8fa1887cbe1-6.1.65-1-lts.efi does not exist
✗ /efi/EFI/Linux/arch-linux-lts-fallback.efi is not signed
✗ /efi/EFI/Linux/arch-linux.efi is not signed
✓ /efi/EFI/BOOT/BOOTX64.EFI is signed
✓ /efi/EFI/systemd/systemd-bootx64.efi is signed
```

In this example, the missing file was a test file which had been deleted. However, the useful UKIs have not been signed after the update.

@Foxboron
Owner

Foxboron commented Dec 7, 2023

This line can be changed to just emit a warning and not return.

```go
return fmt.Errorf("failed signing %s: %w", entry.File, err)
```
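
Added example, not sbctl's code and not part of the comments above: a sign-everything loop in the spirit of that suggestion, which warns on a missing file and keeps going so the remaining UKIs still get signed. As an extension beyond the suggestion, it also returns one joined error so a package hook can still report failure; `signAll` and `signFunc` are hypothetical names and the signer is a stub.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// signFunc stands in for the real signing step (hypothetical, not sbctl's API).
type signFunc func(path string) error

// signAll attempts every entry even after a failure. It returns the paths
// that were signed plus one joined error covering every entry that failed,
// so the caller can exit non-zero only after the whole list was tried.
func signAll(files []string, sign signFunc) (signed []string, err error) {
	var errs []error
	for _, f := range files {
		if _, statErr := os.Stat(f); errors.Is(statErr, os.ErrNotExist) {
			fmt.Fprintf(os.Stderr, "warning: %s does not exist, skipping\n", f)
			errs = append(errs, fmt.Errorf("failed signing %s: %w", f, statErr))
			continue
		}
		if signErr := sign(f); signErr != nil {
			errs = append(errs, fmt.Errorf("failed signing %s: %w", f, signErr))
			continue
		}
		signed = append(signed, f)
	}
	return signed, errors.Join(errs...)
}

func main() {
	// Constructed sample: three files, the middle one deleted before signing.
	dir, _ := os.MkdirTemp("", "sign-demo")
	defer os.RemoveAll(dir)
	files := []string{"a.efi", "stale.efi", "b.efi"}
	for i, n := range files {
		files[i] = filepath.Join(dir, n)
		if n != "stale.efi" {
			os.WriteFile(files[i], []byte("stub"), 0o600)
		}
	}
	signed, err := signAll(files, func(string) error { return nil })
	fmt.Println("signed:", signed)
	fmt.Println("error:", err)
}
```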
