shared: detect when it's infeasible to sign a stub parameter

This is relevant for a remote signer who relies on the existence of store paths
remotely, for example.

rust/tool/shared/src/pe.rs

@@ -60,6 +60,12 @@ impl StubParameters {
         self.kernel_cmdline = cmdline.to_vec();
         self
     }
+
+    pub fn all_signables_in_store(&self) -> bool {
+        self.lanzaboote_store_path.starts_with("/nix/store")
+            && self.kernel_store_path.starts_with("/nix/store")
+            && self.initrd_store_path.starts_with("/nix/store")
+    }
 }
 
 /// Performs the evil operation

rust/tool/shared/src/signature/local.rs

@@ -30,6 +30,10 @@ impl LanzabooteSigner for LocalKeyPair {
         Ok(std::fs::read(&self.public_key)?)
     }
 
+    fn can_sign_stub(&self, _stub: &crate::pe::StubParameters) -> bool {
+        true
+    }
+
     fn sign_and_copy(&self, from: &Path, to: &Path) -> Result<()> {
         let args: Vec<OsString> = vec![
             OsString::from("--key"),

rust/tool/shared/src/signature/mod.rs

@@ -5,6 +5,7 @@ use crate::pe::StubParameters;
 
 pub trait LanzabooteSigner {
     fn sign_store_path(&self, store_path: &Path) -> Result<Vec<u8>>;
+    fn can_sign_stub(&self, stub: &StubParameters) -> bool;
     fn build_and_sign_stub(&self, stub: &StubParameters) -> Result<Vec<u8>>;
     fn get_public_key(&self) -> Result<Vec<u8>>;
 

rust/tool/shared/src/signature/remote.rs

@@ -3,7 +3,7 @@ use std::time::Duration;
 use crate::pe::StubParameters;
 
 use super::LanzabooteSigner;
-use anyhow::{Context, Result};
+use anyhow::{bail, Context, Result};
 use serde::{Deserialize, Serialize};
 use ureq::{Agent, AgentBuilder};
 use url::Url;
@@ -57,6 +57,10 @@ impl RemoteSigningServer {
     /// If the remote server agrees on providing that stub
     /// It will return it signed.
     fn request_signature(&self, stub_parameters: &StubParameters) -> Result<Vec<u8>> {
+        if !stub_parameters.all_signables_in_store() {
+            bail!("Signable stub parameters contains non-Nix store paths, the remote server cannot sign that!");
+        }
+
         let response = self
             .client
             .post(self.server_url.join("/sign-stub")?.as_str())
@@ -166,6 +170,10 @@ impl LanzabooteSigner for RemoteSigningServer {
         Ok(binary)
     }
 
+    fn can_sign_stub(&self, stub: &StubParameters) -> bool {
+        stub.all_signables_in_store()
+    }
+
     fn build_and_sign_stub(&self, stub: &StubParameters) -> Result<Vec<u8>> {
         self.request_signature(stub)
     }

rust/tool/systemd/src/install.rs

@@ -248,6 +248,12 @@ impl<S: LanzabooteSigner> Installer<S> {
         .with_cmdline(&kernel_cmdline)
         .with_os_release_contents(os_release_contents.as_bytes());
 
+        // TODO: how should we handle those cases?
+        if !self.signer.can_sign_stub(&parameters) {
+            log::warn!("Signer is not able to sign this stub, skipping...");
+            return Ok(());
+        }
+
         let lanzaboote_image = self
             .signer
             .build_and_sign_stub(&parameters)