From 565089cfa6fe3b102d63d17ec1ad488be223326e Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Thu, 31 Jul 2025 09:13:27 -0600
Subject: sys/boot/tpm: fix unbound variable in shell script

---
 sys/boot/tpm.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/boot/tpm.nix b/sys/boot/tpm.nix
index 196c406..0e29066 100644
--- a/sys/boot/tpm.nix
+++ b/sys/boot/tpm.nix
@@ -31,7 +31,7 @@ with lib; let
     ];
 
     text = ''
-      if [ -z "$YES_I_DO_WANT_TO_SIGN_WITH_SECURE_BOOT_DISABLED" ] && [ "$(sbctl status --json | jq .secure_boot)" != "truee" ]; then
+      if [ -z "''${YES_I_DO_WANT_TO_SIGN_WITH_SECURE_BOOT_DISABLED:=}" ] && [ "$(sbctl status --json | jq .secure_boot)" != "truee" ]; then
         echo "$0: bad Secure Boot state, check the output of \`sbctl status\`" >&2
         echo "$0: signing a TPM PCR policy with Secure Boot disabled is dangerous" >&2
         echo "$0: set 'YES_I_DO_WANT_TO_SIGN_WITH_SECURE_BOOT_DISABLED' to skip this check" >&2
-- 
cgit v1.2.3