mkarchiso: do not sign .sig files

Make sure existing sig files are deleted before creating new ones and make sure to not sign any sig files. This allows retrying failed mkarchiso runs without ending up with files such as vmlinuz.ipxe.sig.ipxe.sig. Fixes #198
2022-10-12 13:12:29 +03:00 · 2022-10-12 13:12:29 +03:00 · 11971619a6
commit 11971619a6
parent f4f0a3a5ec
2 changed files with 6 additions and 3 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -12,6 +12,8 @@ Changed
 -------

 - Do not explicitly enable ``qemu-guest-agent.service`` as it will be started by a udev rule.
+- Remove existing signature (``.sig``) files and do not sign them when signing netboot artifacts. This is mostly
+  applicable when re-running ``mkarchiso``  after a failure.

 Removed
 -------
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@ -254,7 +254,7 @@ _mk_pgp_signature() {
    local gpg_options=()
    local airootfs_image_filename="${1}"
    _msg_info "Signing rootfs image using GPG..."
-   
+
    rm -f -- "${airootfs_image_filename}.sig"
    # Add gpg sender option if the value is provided
    [[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
@ -1054,7 +1054,7 @@ _cms_sign_artifact() {
    fi

    _msg_info "Signing ${artifact} image using openssl cms..."
-   
+
    rm -f -- "${artifact}.cms.sig"

    openssl cms "${openssl_flags[@]}"
@ -1073,7 +1073,8 @@ _sign_netboot_artifacts() {
            _files_to_sign+=("${_dir}${_file}")
        fi
    done
-    for _file in "${_files_to_sign[@]}" "${_dir}${arch}/vmlinuz-"* "${_dir}${arch}/initramfs-"*.img; do
+    for _file in "${_files_to_sign[@]}" "${_dir}${arch}/vmlinuz-"!(*.sig) "${_dir}${arch}/initramfs-"*.img; do
+        rm -f -- "${_file}".ipxe.sig
        openssl cms \
            -sign \
            -binary \