* [PATCH 0/3] Signing local cache repo
From: Maxim Yu. Osipov @ 2019-02-04 19:54 UTC (permalink / raw)
To: isar-users
Hello everybody,
By default the local caching repo is not gpg signed.
This series adds the ability to sign it.
Prerequisite: we suppose that gpg is installed on your host system
and a default key pair is generated.
- Set `BASE_REPO_KEY` in `conf/local.conf` to the `SRC_URI` of your public key,
e.g. BASE_REPO_KEY = "file:///home/user/my_pub.key", and
follow the usual procedure for creating the local apt caching repo:
- bitbake -c cache_base_repo multiconfig:qemuamd64-stretch:isar-image-base
- Set `ISAR_USE_CACHED_BASE_REPO` in `conf/local.conf`:
```
# Uncomment this to enable use of cached base repository
#ISAR_USE_CACHED_BASE_REPO ?= "1"
```
- Remove build artifacts to use only local base-apt:
```
sudo rm -rf tmp
```
- Trigger again generation of image (now using local caching repo):
```
bitbake multiconfig:qemuamd64-stretch:isar-image-base
```
Note: Depending on your gpg configuration you may be asked to provide a passphrase
(if it is non-empty).
Kind regards,
Maxim.
Maxim Yu. Osipov (3):
isar-bootstrap: Allow to set local keys in DISTRO_APT_KEYS
base-apt: Introduce BASE_REPO_KEY to sign local repo
doc/user_manual: Describe gpg signing of local repo
doc/user_manual.md | 10 ++++++----
meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 16 ++++++++++++++--
meta/recipes-devtools/base-apt/base-apt.bb | 6 ++++++
3 files changed, 26 insertions(+), 6 deletions(-)
--
2.11.0
From: Maxim Yu. Osipov @ 2019-02-04 19:54 UTC (permalink / raw)
To: isar-users
One may specify the absolute path to locally stored keys in
DISTRO_APT_KEYS as file://<absolute_path_to_key_file>
The local fetcher module puts the file under
${WORKDIR}/<absolute_path_to_key_file>, so
gpg in the do_generate_keyring() task can't find it.
This patch fixes the problem.
Signed-off-by: Maxim Yu. Osipov <mosipov@ilbers.de>
---
meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 323f7cf..fbe312d 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -37,9 +37,10 @@ python () {
distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False)
if distro_apt_keys:
d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
+ wd = d.getVar("WORKDIR", True)
for key in distro_apt_keys.split():
url = urlparse(key)
- filename = os.path.basename(url.path)
+ filename = ''.join([wd, url.path])
d.appendVar("SRC_URI", " %s" % key)
d.appendVar("APTKEYFILES", " %s" % filename)
}
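Review bot: the replacement `filename = ''.join([wd, url.path])` is applied to every entry of DISTRO_APT_KEYS, not only to file:// ones, while the commit message only describes the local-file case. For a key given by an http(s) URL, `url.path` is the remote path, so `${WORKDIR}/<remote path>` is not where the fetcher places the download, and those keys would no longer be found by do_generate_keyring even though `os.path.basename(url.path)` worked for them before. Suggest branching on `url.scheme`: keep `os.path.basename(url.path)` for non-file schemes and use the WORKDIR-prefixed path only for `file`. Prefer `os.path.join(wd, url.path.lstrip('/'))` over string concatenation as well, so a file:// URL without a leading slash cannot silently glue the path onto `wd`.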
--
2.11.0
From: Maxim Yu. Osipov @ 2019-02-04 19:54 UTC (permalink / raw)
To: isar-users
This patch adds the ability to sign the local cached repository
by setting BASE_REPO_KEY in local.conf to the SRC_URI of your
public key.
For a locally stored key, the value has to be specified in the
format 'file://<absolute_path_to_your_pub_key_file>'.
Prerequisite: we suppose that gpg is installed on your host system
and a default key pair is generated.
Signed-off-by: Maxim Yu. Osipov <mosipov@ilbers.de>
---
meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 15 +++++++++++++--
meta/recipes-devtools/base-apt/base-apt.bb | 6 ++++++
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index fbe312d..234d339 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -35,14 +35,23 @@ inherit base-apt-helper
python () {
from urllib.parse import urlparse
distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False)
+ wd = d.getVar("WORKDIR", True)
if distro_apt_keys:
d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
- wd = d.getVar("WORKDIR", True)
for key in distro_apt_keys.split():
url = urlparse(key)
filename = ''.join([wd, url.path])
d.appendVar("SRC_URI", " %s" % key)
d.appendVar("APTKEYFILES", " %s" % filename)
+ if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
+ own_pub_key = d.getVar("BASE_REPO_KEY", False)
+ if own_pub_key:
+ d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
+ for key in own_pub_key.split():
+ url = urlparse(key)
+ filename = ''.join([wd, url.path])
+ d.appendVar("SRC_URI", " %s" % key)
+ d.appendVar("APTKEYFILES", " %s" % filename)
}
def aggregate_files(d, file_list, file_out):
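Review bot: the new `if own_pub_key:` block repeats the four-line loop body of the `distro_apt_keys` branch verbatim (urlparse, filename, SRC_URI append, APTKEYFILES append), and both branches set DEBOOTSTRAP_KEYRING to the same value. Suggest a small helper in the same anonymous python block, e.g. `def add_keys(keys):` that takes the space-separated list, and calling it once for DISTRO_APT_KEYS and once for BASE_REPO_KEY, so that a later fix to the path handling (such as scheme-dependent filenames) cannot diverge between the two copies.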
@@ -200,7 +209,9 @@ isar_bootstrap() {
done
debootstrap_args="--verbose --variant=minbase --include='${DISTRO_BOOTSTRAP_BASE_PACKAGES}'"
if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then
- debootstrap_args="$debootstrap_args --no-check-gpg"
+ if [ -z "${BASE_REPO_KEY}" ] ; then
+ debootstrap_args="$debootstrap_args --no-check-gpg"
+ fi
fi
E="${@bb.utils.export_proxies(d)}"
sudo -E flock "${ISAR_BOOTSTRAP_LOCK}" -c "\
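Review bot: ISAR_USE_CACHED_BASE_REPO is now tested two different ways for one decision: `bb.utils.to_boolean(...)` in the python block above accepts values such as "yes" or "true", whereas this shell branch only matches the literal `"1"`. A value like "yes" would add BASE_REPO_KEY to the keyring but still leave `--no-check-gpg` unset here only by luck of the outer test failing; pick one truth test for both sites. Also, since this hunk is the place where signature verification of the cached repo is switched off, consider emitting a `bbwarn` when the `-z "${BASE_REPO_KEY}"` fallback is taken, so an unsigned cache is visible in the build log rather than silent.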
diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
index d744ed6..1c0b4c6 100644
--- a/meta/recipes-devtools/base-apt/base-apt.bb
+++ b/meta/recipes-devtools/base-apt/base-apt.bb
@@ -5,6 +5,8 @@ SRC_URI = "file://distributions.in"
inherit base-apt-helper
+BASE_REPO_KEY ?= ""
+
CACHE_CONF_DIR = "${REPO_BASE_DIR}/${BASE_DISTRO}/conf"
do_cache_config[dirs] = "${CACHE_CONF_DIR}"
do_cache_config[stamp-extra-info] = "${DISTRO}"
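Review bot: the default `BASE_REPO_KEY ?= ""` is defined in base-apt.bb, but the variable is consumed in isar-bootstrap.inc (the hunks above), which does not include this recipe. It works today only because an unset variable expands to empty in both the python and shell tests; a shared default belongs in a place both recipes see, e.g. the `base-apt-helper` class that each of them already inherits, or the distro configuration.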
@@ -16,6 +18,10 @@ do_cache_config() {
if [ ! -e "${CACHE_CONF_DIR}/distributions" ]; then
sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
+ if [ "${BASE_REPO_KEY}" ] ; then
+ # To generate Release.gpg
+ echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
+ fi
fi
path_cache="${REPO_BASE_DIR}/${BASE_DISTRO}"
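Review bot: `SignWith: yes` makes reprepro sign with the host gpg default key, while BASE_REPO_KEY names an arbitrary public key file that the bootstrap side will verify against; nothing ties the two together, so a user who points BASE_REPO_KEY at a key other than the default one gets a repo signed by key A and a keyring holding key B, and the bootstrap fails only later with a signature error. Consider documenting that BASE_REPO_KEY must be the public half of the default key, or deriving the key id from the configured key and writing `SignWith: <keyid>`. Note also that the new lines sit inside the `[ ! -e "${CACHE_CONF_DIR}/distributions" ]` guard, so enabling BASE_REPO_KEY on an existing cache directory does not turn signing on until the distributions file is removed.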
--
2.11.0
From: Maxim Yu. Osipov @ 2019-02-04 19:54 UTC (permalink / raw)
To: isar-users
Signed-off-by: Maxim Yu. Osipov <mosipov@ilbers.de>
---
doc/user_manual.md | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/doc/user_manual.md b/doc/user_manual.md
index eebcaa9..c9c40ae 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -727,6 +727,12 @@ Cache upstream debian packages to reduce time for further downloads and to be ab
- Trigger creation of local apt caching Debian packages during image generation.
+Note: By default the local caching repo is not gpg signed.
+If you want to sign it, `gpg` has to be installed in your host system and
+a default key pair is generated,
+set `BASE_REPO_KEY` in `conf/local.conf` to `SRC_URI` of your public key,
+f.e. 'BASE_REPO_KEY = "file://<absolute_path_to_your_pub_key_file>"'.
+
```
bitbake -c cache_base_repo multiconfig:qemuarm-stretch:isar-image-base
```
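Review bot: the added note reads as if generating the key pair were a consequence of installing gpg ("has to be installed ... and a default key pair is generated"); it should state both as requirements, e.g. "`gpg` has to be installed on your host system and a default key pair has to be generated". Replace "f.e." with "e.g.", and put the assignment in a fenced block like the other snippets in this section instead of wrapping it in single quotes, since the double quotes are part of the bitbake syntax.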
@@ -749,7 +755,3 @@ sudo rm -rf tmp
```
bitbake multiconfig:qemuarm-stretch:isar-image-base
```
-
-### Limitation
-
-So far the local base-apt repo is not gpg signed.
--
2.11.0
From: Maxim Yu. Osipov @ 2019-02-08 14:32 UTC (permalink / raw)
To: isar-users
On 2/4/19 8:54 PM, Maxim Yu. Osipov wrote:
> Hello everybody,
>
> By default the local caching repo is not gpg signed.
> This series adds the ability to sign it.
>
> Prerequisite: we suppose that gpg is installed on your host system
> and a default key pair is generated.
>
> - Set `BASE_REPO_KEY` in `conf/local.conf` to the `SRC_URI` of your public key,
> e.g. BASE_REPO_KEY = "file:///home/user/my_pub.key", and
> follow the usual procedure for creating the local apt caching repo:
>
> - bitbake -c cache_base_repo multiconfig:qemuamd64-stretch:isar-image-base
>
> - Set `ISAR_USE_CACHED_BASE_REPO` in `conf/local.conf`:
>
> ```
> # Uncomment this to enable use of cached base repository
> #ISAR_USE_CACHED_BASE_REPO ?= "1"
> ```
> - Remove build artifacts to use only local base-apt:
>
> ```
> sudo rm -rf tmp
>
> ```
> - Trigger again generation of image (now using local caching repo):
>
> ```
> bitbake multiconfig:qemuamd64-stretch:isar-image-base
> ```
>
> Note: Depending on your gpg configuration you may be asked to provide a passphrase
> (if it is non-empty).
>
> Kind regards,
> Maxim.
Applied to the 'next' (v2 of patch #3 was applied)
Maxim.
> Maxim Yu. Osipov (3):
> isar-bootstrap: Allow to set local keys in DISTRO_APT_KEYS
> base-apt: Introduce BASE_REPO_KEY to sign local repo
> doc/user_manual: Describe gpg signing of local repo
>
> doc/user_manual.md | 10 ++++++----
> meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 16 ++++++++++++++--
> meta/recipes-devtools/base-apt/base-apt.bb | 6 ++++++
> 3 files changed, 26 insertions(+), 6 deletions(-)
>
--
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov