Address part of comments.

liulanze · liulanze · commit 642b69d20e1b · 2025-06-16T12:16:42.000-07:00
diff --git a/toolkit/tools/imagecustomizerapi/config.go b/toolkit/tools/imagecustomizerapi/config.go
@@ -101,9 +101,12 @@ func (c *Config) IsValid() (err error) {
 		}
 	}
 
-	if slices.ContainsFunc(c.Storage.Verity, func(v Verity) bool {
+	// Check if any verity entry has a non-empty hash signature path.
+	hasVerityHashSignature := slices.ContainsFunc(c.Storage.Verity, func(v Verity) bool {
 		return v.HashSignaturePath != ""
-	}) {
+	})
+
+	if hasVerityHashSignature {
 		if !sliceutils.ContainsValue(c.PreviewFeatures, PreviewFeatureOutputArtifacts) {
 			return fmt.Errorf("the 'output-artifacts' preview feature must be enabled to use 'verity.hashSignaturePath'")
 		}
diff --git a/toolkit/tools/imagecustomizerapi/storage.go b/toolkit/tools/imagecustomizerapi/storage.go
@@ -5,7 +5,6 @@ package imagecustomizerapi
 
 import (
 	"fmt"
-	"path/filepath"
 	"strings"
 
 	"github.com/microsoft/azurelinux/toolkit/tools/internal/logger"
@@ -224,8 +223,6 @@ func (s *Storage) IsValid() error {
 }
 
 func ValidateVerityMounts(verityDevices []Verity, verityDeviceMountPoint map[*Verity]*MountPoint) error {
-	const bootMountPoint = "/boot"
-
 	for i := range verityDevices {
 		verity := &verityDevices[i]
 
@@ -248,17 +245,6 @@ func ValidateVerityMounts(verityDevices []Verity, verityDeviceMountPoint map[*Ve
 		if !sliceutils.ContainsValue(mountOptions, "ro") {
 			return fmt.Errorf("verity device's (%s) mount must include the 'ro' mount option", verity.Id)
 		}
-
-		if verity.HashSignaturePath != "" {
-			sigPath := filepath.Clean(verity.HashSignaturePath)
-
-			if !strings.HasPrefix(sigPath, bootMountPoint+"/") {
-				return fmt.Errorf(
-					"verity.hashSignaturePath (%s) must be located under ESP mount point (%s)",
-					sigPath, bootMountPoint,
-				)
-			}
-		}
 	}
 
 	return nil
diff --git a/toolkit/tools/imagecustomizerapi/verity.go b/toolkit/tools/imagecustomizerapi/verity.go
@@ -5,11 +5,14 @@ package imagecustomizerapi
 
 import (
 	"fmt"
+	"path/filepath"
 	"regexp"
+	"strings"
 )
 
 const (
 	DeviceMapperPath = "/dev/mapper"
+	bootMountPoint   = "/boot"
 
 	VerityRootDeviceName = "root"
 	VerityUsrDeviceName  = "usr"
@@ -96,6 +99,14 @@ func (v *Verity) IsValid() error {
 		if err := validatePath(v.HashSignaturePath); err != nil {
 			return fmt.Errorf("invalid hashSignaturePath:\n%w", err)
 		}
+
+		sigPath := filepath.Clean(v.HashSignaturePath)
+		if !strings.HasPrefix(sigPath, bootMountPoint+"/") {
+			return fmt.Errorf(
+				"verity.hashSignaturePath (%s) must be located under /boot mount point (%s)",
+				sigPath, bootMountPoint,
+			)
+		}
 	}
 
 	return nil

Original file line number	Diff line number	Diff line change
`@@ -101,9 +101,12 @@ func (c *Config) IsValid() (err error) {`
`101`	`101`	`}`
`102`	`102`	`}`
`103`	`103`
`104`		`- if slices.ContainsFunc(c.Storage.Verity, func(v Verity) bool {`
	`104`	`+ // Check if any verity entry has a non-empty hash signature path.`
	`105`	`+ hasVerityHashSignature := slices.ContainsFunc(c.Storage.Verity, func(v Verity) bool {`
`105`	`106`	`return v.HashSignaturePath != ""`
`106`		`- }) {`
	`107`	`+ })`
	`108`	`+`
	`109`	`+ if hasVerityHashSignature {`
`107`	`110`	`if !sliceutils.ContainsValue(c.PreviewFeatures, PreviewFeatureOutputArtifacts) {`
`108`	`111`	`return fmt.Errorf("the 'output-artifacts' preview feature must be enabled to use 'verity.hashSignaturePath'")`
`109`	`112`	`}`