From: "Maxim Yu. Osipov" <mosipov@ilbers.de>
To: isar-users@googlegroups.com
Subject: [PATCH 2/3] base-apt: Introduce BASE_REPO_KEY to sign local repo
Date: Mon,  4 Feb 2019 19:54:19 +0000	[thread overview]
Message-ID: <20190204195420.7972-3-mosipov@ilbers.de> (raw)
In-Reply-To: <20190204195420.7972-1-mosipov@ilbers.de>

This patch adds the ability to sign local cached repository
by setting BASE_REPO_KEY in local.conf to SRC_URI of your
public key.

For locally stored key the value has to be specified in the
format 'file://<absolute_path_to_your_pub_key_file>'.

Prerequisite: we assume that gpg is installed on your host system
and a default key pair has been generated.

Signed-off-by: Maxim Yu. Osipov <mosipov@ilbers.de>
---
 meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 15 +++++++++++++--
 meta/recipes-devtools/base-apt/base-apt.bb          |  6 ++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index fbe312d..234d339 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -35,14 +35,23 @@ inherit base-apt-helper
 python () {
     from urllib.parse import urlparse
     distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False)
+    wd = d.getVar("WORKDIR", True)
     if distro_apt_keys:
         d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
-        wd = d.getVar("WORKDIR", True)
         for key in distro_apt_keys.split():
             url = urlparse(key)
             filename = ''.join([wd, url.path])
             d.appendVar("SRC_URI", " %s" % key)
             d.appendVar("APTKEYFILES", " %s" % filename)
+    if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
+        own_pub_key = d.getVar("BASE_REPO_KEY", False)
+        if own_pub_key:
+            d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
+            for key in own_pub_key.split():
+                url = urlparse(key)
+                filename = ''.join([wd, url.path])
+                d.appendVar("SRC_URI", " %s" % key)
+                d.appendVar("APTKEYFILES", " %s" % filename)
 }
 
 def aggregate_files(d, file_list, file_out):
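Review bot: The BASE_REPO_KEY block added at the end of the anonymous python function is a line-for-line copy of the DISTRO_APT_KEYS loop above it (setVar of DEBOOTSTRAP_KEYRING, urlparse, the WORKDIR join, the two appendVar calls), so any later fix to how key files are located has to be made twice. Since both paths end up in the same SRC_URI and APTKEYFILES variables, the two key lists can be concatenated once and fed through a single loop, which also makes it obvious that BASE_REPO_KEY only contributes when ISAR_USE_CACHED_BASE_REPO is enabled. A sketch of the merged form follows; the loop body itself is unchanged.
```python
python () {
    from urllib.parse import urlparse
    wd = d.getVar("WORKDIR", True)
    # DISTRO_APT_KEYS always applies; BASE_REPO_KEY only when the cached repo is in use.
    keys = d.getVar("DISTRO_APT_KEYS", False) or ""
    if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
        keys += " " + (d.getVar("BASE_REPO_KEY", False) or "")
    if keys.split():
        d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
        for key in keys.split():
            # … unchanged: urlparse / SRC_URI / APTKEYFILES registration …
}
```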
@@ -200,7 +209,9 @@ isar_bootstrap() {
     done
     debootstrap_args="--verbose --variant=minbase --include='${DISTRO_BOOTSTRAP_BASE_PACKAGES}'"
     if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then
-        debootstrap_args="$debootstrap_args --no-check-gpg"
+        if [ -z "${BASE_REPO_KEY}" ] ; then
+            debootstrap_args="$debootstrap_args --no-check-gpg"
+        fi
     fi
     E="${@bb.utils.export_proxies(d)}"
     sudo -E flock "${ISAR_BOOTSTRAP_LOCK}" -c "\
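Review bot: With ISAR_USE_CACHED_BASE_REPO set and BASE_REPO_KEY empty, the new inner `if` still appends `--no-check-gpg` silently, so a typo in local.conf or a forgotten key degrades to an unverified bootstrap from the cache with nothing in the task log to show it. A one-line notice inside the `-z` branch, e.g. `bbwarn "BASE_REPO_KEY unset: bootstrapping from cached base-apt with --no-check-gpg"`, would make the fallback visible where the decision is made. The test here is `[ -z "${BASE_REPO_KEY}" ]` while base-apt.bb in the same patch uses `[ "${BASE_REPO_KEY}" ]`; both are correct, but one form across the series reads easier. isar_bootstrap() starts and ends outside this hunk.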
diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
index d744ed6..1c0b4c6 100644
--- a/meta/recipes-devtools/base-apt/base-apt.bb
+++ b/meta/recipes-devtools/base-apt/base-apt.bb
@@ -5,6 +5,8 @@ SRC_URI = "file://distributions.in"
 
 inherit base-apt-helper
 
+BASE_REPO_KEY ?= ""
+
 CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
 do_cache_config[dirs] = "${CACHE_CONF_DIR}"
 do_cache_config[stamp-extra-info] = "${DISTRO}"
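Review bot: `BASE_REPO_KEY ?= ""` placed in base-apt.bb only provides a default for the base-apt recipe, yet isar-bootstrap.inc in this same patch reads BASE_REPO_KEY as well, and a recipe-level assignment is not visible to other recipes. That file therefore presumably relies on the unset variable expanding to nothing, which works today but is easy to break (e.g. if someone later gives the default a non-empty value here only). If a shared default is intended, a class or conf file that both recipes see — the context lines show both inherit base-apt-helper — looks like the natural home; otherwise a comment such as `# default for this recipe only; isar-bootstrap.inc reads the user's local.conf value directly` would record the split.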
@@ -16,6 +18,10 @@ do_cache_config() {
     if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
         sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
             ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
+        if [ "${BASE_REPO_KEY}" ] ; then
+            # To generate Release.gpg
+            echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
+        fi
     fi
 
     path_cache="${REPO_BASE_DIR}/${BASE_DISTRO}"
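Review bot: `SignWith: yes` is only appended inside the `[ ! -e .../distributions ]` branch, so the signing setting is fixed at the moment the file is first generated; changing BASE_REPO_KEY afterwards (setting it, or clearing it) leaves a stale `distributions` whose signing state no longer matches the configuration. A comment on the new block stating this, e.g. `# Only written on first creation: delete ${CACHE_CONF_DIR}/distributions after changing BASE_REPO_KEY`, would save the next person a confusing debugging session, or the file could be regenerated whenever BASE_REPO_KEY differs from what it was created with. `SignWith: yes` also selects whatever default key the repository tool (presumably reprepro, given the Release.gpg mention) finds for the invoking user, which is worth stating next to the existing `# To generate Release.gpg` comment since the public key advertised via BASE_REPO_KEY must correspond to that default key. do_cache_config() continues outside this hunk.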
-- 
2.11.0

