Drop two unneeded calls to umask()

Both these commands write temporary files to the workspace which are not written to the image, so no need to care about the umask.
systemd · Feb 4, 2025 · 8577dfc · 8577dfc
1 parent c29462c
commit 8577dfc
Showing 1 changed file with 32 additions and 34 deletions.
diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
@@ -711,41 +711,39 @@ def install_systemd_boot(context: Context) -> None:
                 keys.mkdir(parents=True, exist_ok=True)
 
             # sbsiglist expects a DER certificate.
-            with umask(~0o600):
-                run(
-                    [
-                        "openssl",
-                        "x509",
-                        "-outform", "DER",
-                        "-in", workdir(context.config.secure_boot_certificate),
-                        "-out", workdir(context.workspace / "mkosi.der"),
-                    ],
-                    sandbox=context.sandbox(
-                        options=[
-                            "--ro-bind",
-                            context.config.secure_boot_certificate,
-                            workdir(context.config.secure_boot_certificate),
-                            "--bind", context.workspace, workdir(context.workspace),
-                        ],
-                    ),
-                )  # fmt: skip
-
-            with umask(~0o600):
-                run(
-                    [
-                        "sbsiglist",
-                        "--owner", "00000000-0000-0000-0000-000000000000",
-                        "--type", "x509",
-                        "--output", workdir(context.workspace / "mkosi.esl"),
-                        workdir(context.workspace / "mkosi.der"),
+            run(
+                [
+                    "openssl",
+                    "x509",
+                    "-outform", "DER",
+                    "-in", workdir(context.config.secure_boot_certificate),
+                    "-out", workdir(context.workspace / "mkosi.der"),
+                ],
+                sandbox=context.sandbox(
+                    options=[
+                        "--ro-bind",
+                        context.config.secure_boot_certificate,
+                        workdir(context.config.secure_boot_certificate),
+                        "--bind", context.workspace, workdir(context.workspace),
                     ],
-                    sandbox=context.sandbox(
-                        options=[
-                            "--bind", context.workspace, workdir(context.workspace),
-                            "--ro-bind", context.workspace / "mkosi.der", workdir(context.workspace / "mkosi.der"),  # noqa: E501
-                        ]
-                    ),
-                )  # fmt: skip
+                ),
+            )  # fmt: skip
+
+            run(
+                [
+                    "sbsiglist",
+                    "--owner", "00000000-0000-0000-0000-000000000000",
+                    "--type", "x509",
+                    "--output", workdir(context.workspace / "mkosi.esl"),
+                    workdir(context.workspace / "mkosi.der"),
+                ],
+                sandbox=context.sandbox(
+                    options=[
+                        "--bind", context.workspace, workdir(context.workspace),
+                        "--ro-bind", context.workspace / "mkosi.der", workdir(context.workspace / "mkosi.der"),  # noqa: E501
+                    ]
+                ),
+            )  # fmt: skip
 
             # We reuse the key for all secure boot databases to keep things simple.
             for db in ["PK", "KEK", "db"]: