From 5501cd0744b2274adbe1eda5cc354e9c09c0b05b Mon Sep 17 00:00:00 2001 From: Thierry Laurion Date: Mon, 25 Nov 2024 10:56:32 -0500 Subject: [PATCH] oem-factory-reset: debug mode; hide passphrase output on screen/debug.log on gpg --detach-sign of /boot hash digest Before: [ 155.845101] DEBUG: gpg --pinentry-mode loopback --passphrase Please Change Me --digest-algo SHA256 --detach-sign -a After: [ 131.272954] DEBUG: gpg --pinentry-mode loopback --passphrase --digest-algo SHA256 --detach-sign -a Signed-off-by: Thierry Laurion
---
 initrd/bin/oem-factory-reset | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/initrd/bin/oem-factory-reset b/initrd/bin/oem-factory-reset
index ca000e50..8fa69ca9 100755
--- a/initrd/bin/oem-factory-reset
+++ b/initrd/bin/oem-factory-reset
@@ -680,7 +680,7 @@ generate_checksums() {
 fi
 DEBUG "Detach-signing boot files under kexec.sig: ${param_files}"
- if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG gpg \
+ if sha256sum $param_files 2>/dev/null | DO_WITH_DEBUG --mask-position 4 gpg \
 --pinentry-mode loopback \
 --passphrase "${USER_PIN}" \
 --digest-algo SHA256 \
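Review bot: The mask in `DO_WITH_DEBUG --mask-position 4 gpg \` is bound to a bare argument index, so any option later inserted ahead of `--passphrase` would shift the PIN out of the masked slot and put it back in the debug trace without any error. Judging from the After trace in the commit message, index 4 is the value following `--passphrase` with `gpg` counted as 0; a comment above the `if` would pin that down, e.g. `# mask-position 4 = value of --passphrase (gpg is 0); keep in sync when reordering gpg options`. The masking covers only the trace: `${USER_PIN}` is still passed in gpg's argv, so a longer-term option is to hand it over with `--passphrase-fd` on a spare descriptor (stdin already carries the sha256sum output), which would make the mask unnecessary here. The gpg command and the enclosing `generate_checksums` continue outside the hunk, and debug.log files written before this change may still contain the PIN.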