kernel-build.eclass: copy module signing key to tempdir in pkg_setup

Previously, it was being copied in src_prepare, and thus would fail if
the signing key was not readable by portage:portage. This commit makes
kernel-build.eclass instead copy the signing key in pkg_setup, and then
correct the permissions.

Signed-off-by: Violet Purcell <vimproved@inventati.org>
Closes: https://github.com/gentoo/gentoo/pull/33850
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

1 files changed, 10 insertions, 7 deletions

diff --git a/eclass/kernel-build.eclass b/eclass/kernel-build.eclass
index 4f7e4d047739..6f18bc1dc969 100644
--- a/eclass/kernel-build.eclass
+++ b/eclass/kernel-build.eclass
@@ -114,6 +114,16 @@ kernel-build_pkg_setup() {
 	python-any-r1_pkg_setup
 	if [[ ${KERNEL_IUSE_MODULES_SIGN} ]]; then
 		secureboot_pkg_setup
+		if [[ -e ${MODULES_SIGN_KEY} && ${MODULES_SIGN_KEY} != pkcs11:* ]]; then
+			if [[ -e ${MODULES_SIGN_CERT} && ${MODULES_SIGN_CERT} != ${MODULES_SIGN_KEY} ]]; then
+				cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
+			else
+				cp "${MODULES_SIGN_KEY}" "${T}/kernel_key.pem" || die
+			fi
+			chown portage:portage "${T}/kernel_key.pem" || die
+			chmod 0400 "${T}/kernel_key.pem" || die
+			export MODULES_SIGN_KEY="${T}/kernel_key.pem"
+		fi
 	fi
 }
 
@@ -427,13 +437,6 @@ kernel-build_merge_configs() {
 				CONFIG_MODULE_SIG_FORCE=y
 				CONFIG_MODULE_SIG_${MODULES_SIGN_HASH^^}=y
 			EOF
-			if [[ -e ${MODULES_SIGN_KEY} && -e ${MODULES_SIGN_CERT} &&
-				${MODULES_SIGN_KEY} != ${MODULES_SIGN_CERT} &&
-				${MODULES_SIGN_KEY} != pkcs11:* ]]
-			then
-				cat "${MODULES_SIGN_CERT}" "${MODULES_SIGN_KEY}" > "${T}/kernel_key.pem" || die
-				MODULES_SIGN_KEY="${T}/kernel_key.pem"
-			fi
 			if [[ ${MODULES_SIGN_KEY} == pkcs11:* || -r ${MODULES_SIGN_KEY} ]]; then
 				echo "CONFIG_MODULE_SIG_KEY=\"${MODULES_SIGN_KEY}\"" \
 					>> "${WORKDIR}/modules-sign.config"