fix sig mismatch regressions vs master after upgrade

tlaurion · tlaurion · commit c55caaebd35f · 2026-03-10T21:47:27.000-04:00
Signed-off-by: Thierry Laurion &lt;insurgo@riseup.net&gt;
diff --git a/initrd/bin/gui-init b/initrd/bin/gui-init
@@ -364,7 +364,8 @@ EOF
 					debug_tpm_reset_required_state
 					whiptail_error --title 'ERROR: TPM Reset Required' \
 						--msgbox "Cannot generate a new TPM-backed TOTP/HOTP secret while TPM state is inconsistent.\n\nReset the TPM first (Options -> TPM/TOTP/HOTP Options -> Reset the TPM)." 0 80
-				elif gate_reseal_with_integrity_report && (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
+				return 1
+			elif gate_reseal_with_integrity_report && (whiptail_warning --title 'Generate new TOTP/HOTP secret' \
 					--yesno "This will erase your old secret and replace it with a new one!\n\nDo you want to proceed?" 0 80); then
 					if generate_totp_hotp && update_totp && BG_COLOR_MAIN_MENU="normal"; then
 						reseal_tpm_disk_decryption_key || prompt_missing_gpg_key_action
diff --git a/initrd/bin/kexec-sign-config b/initrd/bin/kexec-sign-config
@@ -152,10 +152,11 @@ for tries in 1 2 3; do
 	DEBUG "kexec-sign-config: using explicit signing key id ${SIGNING_KEY_ID}"
 
 	# Run the signing command without DO_WITH_DEBUG so that any gpg errors
-	# print directly to the console.  We still capture stderr to the debug log
-	# (via tee) for later analysis.
+	# print directly to the console.  Stdout (the signature) goes to kexec.sig;
+	# stderr (gpg status/error messages) goes to the log for later analysis.
+	# Keeping them separate prevents gpg status text from corrupting the sig file.
 	if sha256sum $param_files | \
-		gpg --disable-dirmngr --no-auto-key-retrieve --local-user "$SIGNING_KEY_ID" --detach-sign -a 2>&1 | tee /tmp/kexec-sign.log >$paramsdir/kexec.sig; then
+		gpg --disable-dirmngr --no-auto-key-retrieve --local-user "$SIGNING_KEY_ID" --detach-sign -a >"$paramsdir/kexec.sig" 2>/tmp/kexec-sign.log; then
 		# successful - update the validated params
 		check_config $paramsdir
 
diff --git a/initrd/etc/functions b/initrd/etc/functions
@@ -106,22 +106,27 @@ warn() {
 #
 # Console color: none (plain text only; targets developers reading raw output).
 # debug.log and /dev/kmsg receive plain text (no ANSI).
+# Console output goes to /dev/console directly (not stdout/stderr) to avoid
+# polluting callers that redirect stdout or stderr (e.g. print_tree, whiptail).
 #
 # Output modes:
 #   Quiet (CONFIG_QUIET_MODE=y):          debug.log only (no console)
 #   Info  (CONFIG_QUIET_MODE=n):          debug.log only (no console)
-#   Debug (CONFIG_DEBUG_OUTPUT=y):        console + debug.log
+#   Debug (CONFIG_DEBUG_OUTPUT=y):        /dev/console + debug.log
 #
 # See doc/logging.md.
 DEBUG() {
 	# Always write to debug.log - debug.log is a complete audit trail regardless of mode.
 	echo "DEBUG: $*" >> /tmp/debug.log
 	if [ "$CONFIG_DEBUG_OUTPUT" = "y" ]; then
-		# debug mode: also echo to console and kmsg for ordering with other output
+		# debug mode: also echo to console and kmsg for ordering with other output.
+		# Use /dev/console to avoid polluting both stdout and stderr of any caller
+		# that redirects them (e.g. print_tree >/boot/kexec_tree.txt or
+		# whiptail_error 2>/tmp/whiptail).
 		# fold -s -w 960 will wrap lines at 960 characters on the last space before the limit
 		echo "DEBUG: $*" | fold -s -w 960 | while IFS= read -r line; do
 			echo "$line" | tee -a /dev/kmsg >/dev/null
-			echo "$line"
+			echo "$line" >/dev/console
 		done
 	fi
 }
@@ -139,20 +144,25 @@ DEBUG() {
 #
 # Console color: none (plain text only; targets developers reading raw output).
 # debug.log and /dev/kmsg receive plain text (no ANSI).
+# Console output goes to /dev/console directly (not stdout/stderr) to avoid
+# polluting callers that redirect stdout or stderr (e.g. print_tree, whiptail).
 #
 # Output modes:
 #   Quiet (CONFIG_QUIET_MODE=y):                     debug.log only (no console)
 #   Info  (CONFIG_QUIET_MODE=n):                     debug.log only (no console)
-#   Debug (CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y): console + debug.log
+#   Debug (CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT=y): /dev/console + debug.log
 #
 # See doc/logging.md.
 TRACE() {
 	# Always write to debug.log - debug.log is a complete audit trail regardless of mode.
 	echo "TRACE: $*" >> /tmp/debug.log
 	if [ "$CONFIG_ENABLE_FUNCTION_TRACING_OUTPUT" = "y" ]; then
-		# tracing mode: also echo to console and kmsg
+		# tracing mode: also echo to console and kmsg.
+		# Use /dev/console to avoid polluting both stdout and stderr of any caller
+		# that redirects them (e.g. print_tree >/boot/kexec_tree.txt or
+		# whiptail_error 2>/tmp/whiptail).
 		echo "TRACE: $*" | tee -a /dev/kmsg >/dev/null
-		echo "TRACE: $*"
+		echo "TRACE: $*" >/dev/console
 	fi
 }
 
