mkarchiso: do not sign .sig files

Make sure existing sig files are deleted before creating new ones and make sure to not sign any sig files.

This allows retrying failed mkarchiso runs without ending up with files such as vmlinuz.ipxe.sig.ipxe.sig.

Fixes #198

2 files changed, 6 insertions, 3 deletions

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 73fa2d9..4c18fd2 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,8 @@ Changed
 -------
 
 - Do not explicitly enable ``qemu-guest-agent.service`` as it will be started by a udev rule.
+- Remove existing signature (``.sig``) files and do not sign them when signing netboot artifacts. This is mostly
+  applicable when re-running ``mkarchiso``  after a failure.
 
 Removed
 -------
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 2fbbf66..caeb21e 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -254,7 +254,7 @@ _mk_pgp_signature() {
     local gpg_options=()
     local airootfs_image_filename="${1}"
     _msg_info "Signing rootfs image using GPG..."
-   
+
     rm -f -- "${airootfs_image_filename}.sig"
     # Add gpg sender option if the value is provided
     [[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
@@ -1054,7 +1054,7 @@ _cms_sign_artifact() {
     fi
 
     _msg_info "Signing ${artifact} image using openssl cms..."
-   
+
     rm -f -- "${artifact}.cms.sig"
 
     openssl cms "${openssl_flags[@]}"
@@ -1073,7 +1073,8 @@ _sign_netboot_artifacts() {
             _files_to_sign+=("${_dir}${_file}")
         fi
     done
-    for _file in "${_files_to_sign[@]}" "${_dir}${arch}/vmlinuz-"* "${_dir}${arch}/initramfs-"*.img; do
+    for _file in "${_files_to_sign[@]}" "${_dir}${arch}/vmlinuz-"!(*.sig) "${_dir}${arch}/initramfs-"*.img; do
+        rm -f -- "${_file}".ipxe.sig
         openssl cms \
             -sign \
             -binary \