sbkeysync: Don't ignore errors from insert_new_keys()

If insert_new_keys() fails, say due to a full variable store, we currently
still exit(0). This can make it difficult to know something is wrong.
For example, Debian and Ubuntu implement a secureboot-db systemd service
to update the DB and DBX, which calls:

 ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose

But although this seemed to succeed on my system, looking at the logs shows
a different story:

Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin

Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

1 files changed, 5 insertions, 3 deletions

diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index e51f177..7748990 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -889,10 +889,12 @@ int main(int argc, char **argv)
 {
 	bool use_default_keystore_dirs;
 	struct sync_context *ctx;
+	int rc;
 
 	use_default_keystore_dirs = true;
 	ctx = talloc_zero(NULL, struct sync_context);
 	list_head_init(&ctx->new_keys);
+	rc = EXIT_SUCCESS;
 
 	for (;;) {
 		int idx, c;
@@ -985,10 +987,10 @@ int main(int argc, char **argv)
 	if (ctx->verbose)
 		print_new_keys(ctx);
 
-	if (!ctx->dry_run)
-		insert_new_keys(ctx);
+	if (!ctx->dry_run && insert_new_keys(ctx))
+		rc = EXIT_FAILURE;
 
 	talloc_free(ctx);
 
-	return EXIT_SUCCESS;
+	return rc;
 }