From 8577dfcff29b9eea18e76e86099bdbcf31c7c8d9 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Tue, 4 Feb 2025 10:57:04 +0100
Subject: [PATCH] Drop two unneeded calls to umask()

Both these commands write temporary files to the workspace which are not written to the image, so no need to care about the umask.
---
 mkosi/bootloader.py | 66 ++++++++++++++++++++++-----------------------
 1 file changed, 32 insertions(+), 34 deletions(-)

diff --git a/mkosi/bootloader.py b/mkosi/bootloader.py
index b1b3d7949..bc0965672 100644
--- a/mkosi/bootloader.py
+++ b/mkosi/bootloader.py
@@ -711,41 +711,39 @@ def install_systemd_boot(context: Context) -> None:
 keys.mkdir(parents=True, exist_ok=True)
 # sbsiglist expects a DER certificate.
- with umask(~0o600):
- run(
- [
- "openssl",
- "x509",
- "-outform", "DER",
- "-in", workdir(context.config.secure_boot_certificate),
- "-out", workdir(context.workspace / "mkosi.der"),
- ],
- sandbox=context.sandbox(
- options=[
- "--ro-bind",
- context.config.secure_boot_certificate,
- workdir(context.config.secure_boot_certificate),
- "--bind", context.workspace, workdir(context.workspace),
- ],
- ),
- ) # fmt: skip
-
- with umask(~0o600):
- run(
- [
- "sbsiglist",
- "--owner", "00000000-0000-0000-0000-000000000000",
- "--type", "x509",
- "--output", workdir(context.workspace / "mkosi.esl"),
- workdir(context.workspace / "mkosi.der"),
+ run(
+ [
+ "openssl",
+ "x509",
+ "-outform", "DER",
+ "-in", workdir(context.config.secure_boot_certificate),
+ "-out", workdir(context.workspace / "mkosi.der"),
+ ],
+ sandbox=context.sandbox(
+ options=[
+ "--ro-bind",
+ context.config.secure_boot_certificate,
+ workdir(context.config.secure_boot_certificate),
+ "--bind", context.workspace, workdir(context.workspace),
 ],
- sandbox=context.sandbox(
- options=[
- "--bind", context.workspace, workdir(context.workspace),
- "--ro-bind", context.workspace / "mkosi.der", workdir(context.workspace / "mkosi.der"), # noqa: E501
- ]
- ),
- ) # fmt: skip
+ ),
+ ) # fmt: skip
+
+ run(
+ [
+ "sbsiglist",
+ "--owner", "00000000-0000-0000-0000-000000000000",
+ "--type", "x509",
+ "--output", workdir(context.workspace / "mkosi.esl"),
+ workdir(context.workspace / "mkosi.der"),
+ ],
+ sandbox=context.sandbox(
+ options=[
+ "--bind", context.workspace, workdir(context.workspace),
+ "--ro-bind", context.workspace / "mkosi.der", workdir(context.workspace / "mkosi.der"), # noqa: E501
+ ]
+ ),
+ ) # fmt: skip
 # We reuse the key for all secure boot databases to keep things simple.
 for db in ["PK", "KEK", "db"]:
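Review bot: Nothing in the new code records why `mkosi.der` and `mkosi.esl` no longer need a restrictive mode; the only comment left above the first `run(` is `# sbsiglist expects a DER certificate.`. Both files are derived from `context.config.secure_boot_certificate`, which is public data, so confidentiality does not look affected, and I would state that next to the calls, e.g. `# mkosi.der and mkosi.esl hold only the public certificate, so the inherited umask is fine here.` The `for db in ["PK", "KEK", "db"]:` loop that begins at the end of the hunk presumably consumes `mkosi.esl`, so the integrity of these files now depends on the inherited umask and on the workspace directory not being writable by other users, which is not visible here and is worth confirming. The same comment should warn that any later step writing private key material into the workspace must keep a restrictive umask. `install_systemd_boot` starts and ends outside the hunk.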