From: "Maxim Yu. Osipov"
To: isar-users@googlegroups.com
Subject: [PATCH 2/3] base-apt: Introduce BASE_REPO_KEY to sign local repo
Date: Mon, 4 Feb 2019 19:54:19 +0000
Message-Id: <20190204195420.7972-3-mosipov@ilbers.de>
In-Reply-To: <20190204195420.7972-1-mosipov@ilbers.de>
References: <20190204195420.7972-1-mosipov@ilbers.de>

This patch adds the ability to sign the local cached repository by setting BASE_REPO_KEY in local.conf to the SRC_URI of your public key. For a locally stored key the value has to be specified in the format 'file://'.

Prerequisite: we suppose that gpg is installed on your host system and a default key pair is generated.

Signed-off-by: Maxim Yu. Osipov
---
 meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 15 +++++++++++++--
 meta/recipes-devtools/base-apt/base-apt.bb | 6 ++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index fbe312d..234d339 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc 
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -35,14 +35,23 @@ inherit base-apt-helper python () { from urllib.parse import urlparse distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False) + wd = d.getVar("WORKDIR", True) if distro_apt_keys: d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") - wd = d.getVar("WORKDIR", True) for key in distro_apt_keys.split(): url = urlparse(key) filename = ''.join([wd, url.path]) d.appendVar("SRC_URI", " %s" % key) d.appendVar("APTKEYFILES", " %s" % filename) + if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): + own_pub_key = d.getVar("BASE_REPO_KEY", False) + if own_pub_key: + d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") + for key in own_pub_key.split(): + url = urlparse(key) + filename = ''.join([wd, url.path]) + d.appendVar("SRC_URI", " %s" % key) + d.appendVar("APTKEYFILES", " %s" % filename) } def aggregate_files(d, file_list, file_out): @@ -200,7 +209,9 @@ isar_bootstrap() { done debootstrap_args="--verbose --variant=minbase --include='${DISTRO_BOOTSTRAP_BASE_PACKAGES}'" if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then - debootstrap_args="$debootstrap_args --no-check-gpg" + if [ -z "${BASE_REPO_KEY}" ] ; then + debootstrap_args="$debootstrap_args --no-check-gpg" + fi fi E="${@bb.utils.export_proxies(d)}" sudo -E flock "${ISAR_BOOTSTRAP_LOCK}" -c "\ diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb index d744ed6..1c0b4c6 100644 --- a/meta/recipes-devtools/base-apt/base-apt.bb +++ b/meta/recipes-devtools/base-apt/base-apt.bb @@ -5,6 +5,8 @@ SRC_URI = "file://distributions.in" inherit base-apt-helper +BASE_REPO_KEY ?= "" + CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf" do_cache_config[dirs] = "${CACHE_CONF_DIR}" do_cache_config[stamp-extra-info] = "${DISTRO}" 
@@ -16,6 +18,10 @@ do_cache_config() { if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions + if [ "${BASE_REPO_KEY}" ] ; then + # To generate Release.gpg + echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions + fi fi path_cache="${REPO_BASE_DIR}/${BASE_DISTRO}" -- 2.11.0
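
Review bot: In the python () hunk of isar-bootstrap.inc (@@ -35,14 +35,23 @@), the BASE_REPO_KEY branch repeats the DISTRO_APT_KEYS loop body line for line (urlparse, ''.join([wd, url.path]), the two appendVar calls) and sets DEBOOTSTRAP_KEYRING a second time. Building one list from both variables and running a single loop over it would keep the two key paths from drifting apart; the setVar for DEBOOTSTRAP_KEYRING then only needs to happen once, when that list is non-empty.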
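
Review bot: In the isar_bootstrap() hunk (@@ -200,7 +209,9 @@), the new -z "${BASE_REPO_KEY}" test is nested under [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ], while the python () hunk gates key registration on bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')), so the two sides do not necessarily agree on when the cached repo is in use. Use the same test in both places, and consider folding the nested if into a single condition joined with &&. A short comment stating that an empty BASE_REPO_KEY keeps --no-check-gpg, so the cached repo is still bootstrapped without signature verification, would make the fallback explicit.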
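
Review bot: In base-apt.bb (@@ -5,6 +5,8 @@), the default BASE_REPO_KEY ?= "" is set only in this recipe, yet isar-bootstrap.inc reads the variable in both its python () block and isar_bootstrap(). Move the default to a configuration file that both recipes see, and document the variable there: the accepted value format, and that it may hold several whitespace-separated URIs, since the consumer calls own_pub_key.split().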
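
Review bot: In do_cache_config() (@@ -16,6 +18,10 @@), "SignWith: yes" is appended inside the if [ ! -e "${CACHE_CONF_DIR}/distributions" ] block, so a distributions file created before BASE_REPO_KEY was set never gets the line, while isar_bootstrap() already drops --no-check-gpg and expects a signed repo. Handle the existing-file case as well, for example by appending the line whenever it is missing. Nothing in the patch ties the signing key to BASE_REPO_KEY either: "SignWith: yes" signs with the host's default key, so a mismatch with the configured public key only surfaces when debootstrap verifies the repository; an early check or at least a comment would help.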