Overview
The scriptlets don't take package upgrades/downgrades into account. Those would delete all certificates instead, because %postun of the old package is run last: https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#ordering
I have built two version of RPMs for testing upgrades/downgrades by 'rpm -Uvh ' and 'rpm -Uvh --oldpackage'. I didn't see problem.
The %postun will remove xxx-kmp.crt.del file if the corresponding xxx-kmp.crt is still exists after uninstallation. So it only removes remaining *-kmp.crt.del certificate by mokutils.
Ok. My main confusion with the scripts is that they try to work with multiple files inside the directory, even though there's not actually more than one file in this package and not more than one package planned right now.
AFAICT it's possible to just call mokutil from %preun on the final uninstallation, if the scriptlet knows about the fingerprint, but that would need extra logic to deal with detection of fingerprint changes. I don't really have a better idea for this particular case. The cleanest way would be a package with trigger scripts which can tell whether a certificate is about to be removed, replaced or added, but that's just overengineering.
Is it necessary to postpone the call to mokutil --delete to %postun or can it be done in %preun instead? Then it wouldn't be needed to do "backups" ($cert.del)
if [[ "command -v mokutil >/dev/null" && -d "%{_sysconfdir}/uefi/certs/" ]]; then
That does not actually run command -v, it checks whether the constant string is non-empty. Also, this uses a bashism, so try this instead:
if command -v mokutil >/dev/null && [ -d "%{_sysconfdir}/uefi/certs/" ]; then
Is it necessary to check for the existance of %{_sysconfdir}/uefi/certs/? It's owned by the package, so except for the final uninstallation it'll always be present.
I will try to remove it. As I remember that I add the check because I got warning messages in OBS log. I will remove the check to see if there have any warning.
Thanks!
I have tested after removed the check for the existance of %{_sysconfdir}/uefi/certs/. Looks no problem. I will remove in next version.
@WernerFink, @a_jaeger, @dirkmueller, @dmolkentin, @msmeissn, @oertel, @seife, @trenn: review reminder
LGTM