Image signature/verification fails if PK or KEK are missing

[imaspeer]

After updating to the latest version (0.15.4) and running sbctl setup --migrate as instructed, if the PK and/or KEK is not present, the list-files, sign, sign-all and verify operations fail with /var/lib/sbctl/keys/KEK/KEK.key: no such file or directory (and, in order, KEK/KEK.pem, PK/PK.key and PK/PK.pem if they are also missing).

There is no reason for the KEK, let alone the PK, to be present on the system during regular operation, or to even be in possession of a local administrator. Signing an image only requires the db key, and verifying the signatures only the public part of it.

In fact, the files only need to exist and be valid keys (empty files lead to a SEGV in backend.GetBackendType), not necessarily be the actual enrolled PK and KEK (e.g. copying the db key over in all three locations works), for sign / sign-all to succeed and produce good signatures ; demonstrating it does not actually need these keys.

These operations should therefore not require the PK and KEK to be present in the filesystem.