Validate that a supplied vendor cert is not in PEM format

If we see "BEGIN CERTIFICATE", it's a PEM certificate and won't work. Fail the build early and say so. Fixes #645 Signed-off-by: Steve McIntyre <steve@einval.com>
rhboot · Mar 19, 2024 · 6ffcb42 · 6ffcb42
1 parent 5914984
commit 6ffcb42
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -69,13 +69,21 @@ ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
 	CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
 endif
 
-all: confcheck $(TARGETS)
+all: confcheck certcheck $(TARGETS)
 
 confcheck:
 ifneq ($(origin EFI_PATH),undefined)
 	$(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
 endif
 
+certcheck:
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+	@if grep -q "BEGIN CERTIFICATE" $(VENDOR_CERT_FILE); then \
+		echo "$(VENDOR_CERT_FILE) is PEM-format, convert to DER!"; \
+		exit 1; \
+	fi
+endif
+
 compile_commands.json : Makefile Make.rules Make.defaults 
 	make clean
 	bear -- make COMPILER=clang test all