Fix error on non-UEFI systems

fixes: post name: kernel-default version: 5.3.18 release: 21.1.gafe7c6c kernelrelease: 5.3.18-21.gafe7c6c flavor: default variant: usrmerged: 0 image: vmlinuz certs: 1245A689 -- 2 Triggering purge-kernels wm2 --add-kernel 5.3.18-21.gafe7c6c-default cert post ca-check: 1 certs: 1245A689 -- 2 EFI variables are not supported on this system mokutil --import /etc/uefi/certs/1245A689.crt --root-pw EFI variables are not supported on this system Failed to import /etc/uefi/certs/1245A689.crt warning: %post(kernel-default-5.3.18-21.1.gafe7c6c.x86_64) scriptlet failed, exit status 1
openSUSE · Oct 4, 2021 · 605073f · 605073f
1 parent ef105f3
commit 605073f
Showing 1 changed file with 39 additions and 41 deletions.
diff --git a/kernel-scriptlets/cert-script b/kernel-scriptlets/cert-script
@@ -29,58 +29,56 @@ run_mokutil () {
 [ -z "$KERNEL_PACKAGE_SCRIPT_DEBUG" ] || echo "cert $op" ca-check: "$ca_check" certs: "$certs" -- "$@" >&2
 
 script_rc=0
+if ! command -v mokutil >/dev/null || ! mokutil --sb-state 2>/dev/null; then
+    # not an UEFI system
+    exit 0
+fi
 
 case $op in
     pre)
 	;;
     post)
-	if command -v mokutil >/dev/null; then
-	    # Only apply CA check on the kernel package certs (bsc#1173115)
-	    if [ -n "$ca_check" ] && mokutil -h | grep -q "ca-check"; then
-		MOK_ARG="--ca-check"
-	    else
-		MOK_ARG=""
-	    fi
-	    # XXX: Only call mokutil if UEFI and shim are used
-	    for cert in $certs; do
-		cert="/etc/uefi/certs/${cert}.crt"
-		run_mokutil --import "$cert" --root-pw ${MOK_ARG}
-		rc=$?
-		if [ $rc != 0 ] ; then
-		    script_rc=$rc
-		    echo "Failed to import $cert" >&2
-		fi
-	    done
+	# Only apply CA check on the kernel package certs (bsc#1173115)
+	if [ -n "$ca_check" ] && mokutil -h | grep -q "ca-check"; then
+	    MOK_ARG="--ca-check"
+	else
+	    MOK_ARG=""
 	fi
+	# XXX: Only call mokutil if UEFI and shim are used
+	for cert in $certs; do
+	    cert="/etc/uefi/certs/${cert}.crt"
+	    run_mokutil --import "$cert" --root-pw ${MOK_ARG}
+	    rc=$?
+	    if [ $rc != 0 ] ; then
+		script_rc=$rc
+		echo "Failed to import $cert" >&2
+	    fi
+	done
 	;;
     preun)
-	if command -v mokutil >/dev/null; then
-	    for cert in $certs; do
-		cert="/etc/uefi/certs/${cert}.crt"
-		# Here we queue the certificate for de-enrollment. If by postun
-		# the certificate does not exist last kernel using it was
-		# removed and we can queue it for de-enrollment with mokutil.
-		ln "$cert" "$cert.delete" || script_rc=$?
-	    done
-	fi
+	for cert in $certs; do
+	    cert="/etc/uefi/certs/${cert}.crt"
+	    # Here we queue the certificate for de-enrollment. If by postun
+	    # the certificate does not exist last kernel using it was
+	    # removed and we can queue it for de-enrollment with mokutil.
+	    ln "$cert" "$cert.delete" || script_rc=$?
+	done
 	;;
     postun)
-	if command -v mokutil >/dev/null; then
-	    for cert in $certs; do
-		cert="/etc/uefi/certs/${cert}.crt"
-		# If the certificate is now gone there are no users left
-		# queue -> de-enrollment
-		if ! test -e "$cert"; then
-		    run_mokutil --delete "$cert.delete" --root-pw
-		    rc=$?
-		    if [ $rc != 0 ] ; then
-			script_rc=$rc
-			echo "Failed to delete $cert" >&2
-		    fi
+	for cert in $certs; do
+	    cert="/etc/uefi/certs/${cert}.crt"
+	    # If the certificate is now gone there are no users left
+	    # queue -> de-enrollment
+	    if ! test -e "$cert"; then
+		run_mokutil --delete "$cert.delete" --root-pw
+		rc=$?
+		if [ $rc != 0 ] ; then
+		    script_rc=$rc
+		    echo "Failed to delete $cert" >&2
 		fi
-		rm "$cert.delete" || script_rc=$?
-	    done
-	fi
+	    fi
+	    rm "$cert.delete" || script_rc=$?
+	done
 	;;
     posttrans)
 	;;