From 126a07ebc30bbd203b6966465b058da741b2654b Mon Sep 17 00:00:00 2001
From: Steve McIntyre
Date: Tue, 19 Mar 2024 20:15:46 +0000
Subject: [PATCH] Validate that a supplied vendor cert is not in PEM format

If we see "BEGIN", it's likely a PEM certificate and won't work. Fail the build early and say so.

Fixes #645

Signed-off-by: Steve McIntyre
---
 Makefile | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 8283d56f3..1698186d7 100644
--- a/Makefile
+++ b/Makefile
@@ -69,13 +69,21 @@ ifneq ($(origin FALLBACK_VERBOSE_WAIT), undefined)
 CFLAGS += -DFALLBACK_VERBOSE_WAIT=$(FALLBACK_VERBOSE_WAIT)
 endif
 
-all: confcheck $(TARGETS)
+all: confcheck certcheck $(TARGETS)
 
 confcheck:
 ifneq ($(origin EFI_PATH),undefined)
 $(error EFI_PATH is no longer supported, you must build using the supplied copy of gnu-efi)
 endif
 
+certcheck:
+ifneq ($(origin VENDOR_CERT_FILE), undefined)
+ @if grep -q "BEGIN" $(VENDOR_CERT_FILE); then \
+ echo "$(VENDOR_CERT_FILE) is PEM-format, convert to DER!"; \
+ exit 1; \
+ fi
+endif
+
 compile_commands.json : Makefile Make.rules Make.defaults
 make clean
 bear -- make COMPILER=clang test all
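Review bot: The PEM test in the new `certcheck` recipe is looser than a check on a vendor certificate should be: `grep -q "BEGIN"` matches those five bytes anywhere in a binary DER file, and `$(VENDOR_CERT_FILE)` reaches the shell unquoted, so a path containing spaces or shell metacharacters is split or interpreted. Matching the armor header and quoting the path is a one-line change: `@if grep -q -e "-----BEGIN" "$(VENDOR_CERT_FILE)"; then \`. A missing or unreadable file makes grep exit non-zero, so the check passes silently; a preceding `test -r "$(VENDOR_CERT_FILE)"` guard would report that case at the same point. Because `certcheck` is only a sibling prerequisite of `all`, it is skipped when a target is built by name, and nothing orders it before `$(TARGETS)` under `make -j`, so "fail early" holds only for a serial `make all`.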