* [RFC v1 0/3] Fix additional apt repos with foreign keys
@ 2019-02-26 13:48 Andreas J. Reichel
2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw)
To: isar-users; +Cc: Andreas Reichel
From: Andreas Reichel <andreas.reichel.ext@siemens.com>
This patch series fixes problems when adding additional repos
which need different gpg keys for authentication.
The patches are designed to make the existing 'API', i.e. bitbake
variables work, not to solve the remaining design problems.
On basis of this series, we should discuss how to further proceed
since there should be a distinction whether we change the bootstrapping
apt source or if we change the apt source for additional packages.
If we change the bootstrapping apt source, we already need keys
installed in the build environment to do the first debootstrap.
If we only want additional packages in the target rootfs, we only
need to add keys inside the target chroot.
Currently this is not possible and requires additional bitbake
variables, i.e. APT_KEYS_TARGET_PKGS, or APT_KEYS_TARGET_BOOTSTRAP.
Also the reason for the option I delete in patch 3 is unclear to me.
This way we could never add additional repositories.
Andreas Reichel (3):
Fix path to user gpg-keys
Refactor gpg code to use apt code
Use all source lists in target root apt
meta/classes/isar-bootstrap-helper.bbclass | 14 ++++++++----
.../isar-bootstrap/isar-bootstrap.inc | 22 +++++++++----------
2 files changed, 21 insertions(+), 15 deletions(-)
--
2.20.1
* [RFC v1 1/3] Fix path to user gpg-keys
2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel
@ 2019-02-26 13:48 ` Andreas J. Reichel
2019-02-26 15:33 ` Henning Schild
2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel
` (2 subsequent siblings)
3 siblings, 1 reply; 9+ messages in thread
From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw)
To: isar-users; +Cc: Andreas Reichel
From: Andreas Reichel <andreas.reichel.ext@siemens.com>
If the key is fetched from remote (currently http, https),
use the basename, otherwise, use the absolute path.
Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 234d339..25133be 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -40,7 +40,10 @@ python () {
d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
for key in distro_apt_keys.split():
url = urlparse(key)
- filename = ''.join([wd, url.path])
+ if "https://" in key or "http://" in key:
+ filename = os.path.basename(url.path)
+ else:
+ filename = ''.join([wd, url.path])
d.appendVar("SRC_URI", " %s" % key)
d.appendVar("APTKEYFILES", " %s" % filename)
if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
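Review bot: The remote check on the added line `if "https://" in key or "http://" in key:` is a substring match over the whole entry, so it ignores the `url` parsed one line above and sends every other fetcher scheme into the `else` branch, where `wd + url.path` may not be where that fetcher stores the file. Testing `url.scheme in ("http", "https")` would at least make the condition exact. The http branch also stores a bare basename in APTKEYFILES, so whatever consumes it has to run with the download directory as its working directory, and accepting plain `http://` for a file that becomes an apt trust anchor deserves a comment on how its integrity is checked.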
--
2.20.1
* [RFC v1 2/3] Refactor gpg code to use apt code
2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel
2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel
@ 2019-02-26 13:48 ` Andreas J. Reichel
2019-02-26 14:07 ` cedric_hombourger
2019-02-26 15:39 ` Henning Schild
2019-02-26 13:48 ` [RFC v1 3/3] Use all source lists in target root apt Andreas J. Reichel
2019-02-26 15:06 ` [RFC v1 0/3] Fix additional apt repos with foreign keys Henning Schild
3 siblings, 2 replies; 9+ messages in thread
From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw)
To: isar-users; +Cc: Andreas Reichel
From: Andreas Reichel <andreas.reichel.ext@siemens.com>
Don't manually move around keys and keyrings, use `apt-key` to do so
Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
meta/classes/isar-bootstrap-helper.bbclass | 9 +++++++++
.../isar-bootstrap/isar-bootstrap.inc | 17 +++++++----------
2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/meta/classes/isar-bootstrap-helper.bbclass b/meta/classes/isar-bootstrap-helper.bbclass
index d780b85..df6fbee 100644
--- a/meta/classes/isar-bootstrap-helper.bbclass
+++ b/meta/classes/isar-bootstrap-helper.bbclass
@@ -119,6 +119,14 @@ setup_root_file_system() {
export LANG=C
export LANGUAGE=C
export LC_ALL=C
+
+ if [ -d ${TMPDIR}/aptkeys ]; then
+ for keyfile in ${TMPDIR}/aptkeys/*
+ do
+ cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile)
+ sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename $keyfile)
+ done
+ fi
sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \
-o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \
-o Dir::Etc::sourceparts="-" \
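Review bot: The loop `for keyfile in ${TMPDIR}/aptkeys/*` trusts every file that happens to be in that directory, not the keys named in APTKEYFILES for this build, so a key left over from an earlier configuration keeps being added to each new rootfs. Iterating over the configured list, or cleaning the directory before it is filled, would tie the trusted set to the configuration. In the same lines, `$keyfile` and `${TMPDIR}` are unquoted, an empty directory makes the glob expand to a literal `*`, and the copy placed in `"$ROOTFSDIR"/tmp` is not removed after `apt-key add` in this hunk.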
@@ -128,6 +136,7 @@ setup_root_file_system() {
sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture ${DISTRO_ARCH}
sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update
fi
+ sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update
sudo -E chroot "$ROOTFSDIR" \
/usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \
${IMAGE_TRANSIENT_PACKAGES}
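Review bot: Missing rationale for the added `apt-key update` call before the `--download-only` step: the keys were already added by the loop earlier in this function, and the commit message does not say what this call is expected to change. Please explain it in the commit message or in a comment, or drop it.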
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 25133be..60bd061 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -23,10 +23,8 @@ APTSRCS = "${WORKDIR}/apt-sources"
APTSRCS_INIT = "${WORKDIR}/apt-sources-init"
BASEAPTSRCS = "${WORKDIR}/base-apt-sources"
APTKEYFILES = ""
-APTKEYRING = "${WORKDIR}/apt-keyring.gpg"
-DEBOOTSTRAP_KEYRING = ""
DEPLOY_ISAR_BOOTSTRAP ?= ""
-DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
+DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales gnupg2 apt-transport-https ca-certificates"
DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
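Review bot: The new value of DISTRO_BOOTSTRAP_BASE_PACKAGES adds `gnupg2 apt-transport-https ca-certificates` to every bootstrap, including builds that set no DISTRO_APT_KEYS, and the commit message does not mention it. Consider adding these only when keys are configured, or state why they are always needed. Removing APTKEYRING and DEBOOTSTRAP_KEYRING in the same hunk drops the build-private keyring, which is worth calling out in the commit message because it changes where trust is stored.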
@@ -37,7 +35,6 @@ python () {
distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False)
wd = d.getVar("WORKDIR", True)
if distro_apt_keys:
- d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
for key in distro_apt_keys.split():
url = urlparse(key)
if "https://" in key or "http://" in key:
@@ -49,7 +46,6 @@ python () {
if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
own_pub_key = d.getVar("BASE_REPO_KEY", False)
if own_pub_key:
- d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
for key in own_pub_key.split():
url = urlparse(key)
filename = ''.join([wd, url.path])
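Review bot: In the BASE_REPO_KEY branch the unchanged line `filename = ''.join([wd, url.path])` still builds the path the old way, while the DISTRO_APT_KEYS loop above now has the http/https special case from patch 1/3. If that is intentional because BASE_REPO_KEY is always a local file, a comment should say so; otherwise both loops should share one helper.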
@@ -181,9 +177,12 @@ do_generate_keyring[dirs] = "${DL_DIR}"
do_generate_keyring[vardeps] += "DISTRO_APT_KEYS"
do_generate_keyring() {
if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then
+ APTKEYTMPDIR="${TMPDIR}"/aptkeys
+ [ -d "${APTKEYTMPDIR}" ] || { mkdir -p "${APTKEYTMPDIR}"; \
+ chmod 777 "${APTKEYTMPDIR}"; }
for keyfile in ${@d.getVar("APTKEYFILES", True)}; do
- gpg --no-default-keyring --keyring "${APTKEYRING}" \
- --no-tty --homedir "${DL_DIR}" --import "$keyfile"
+ cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")"
+ sudo apt-key add "$keyfile"
done
fi
}
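Review bot: `chmod 777 "${APTKEYTMPDIR}"` makes the key staging directory world-writable, and setup_root_file_system later runs `apt-key add` as root on every file found in it, so any local account on the build host can get a key trusted in the generated images. Create the directory with the build user's default permissions instead. Separately, `sudo apt-key add "$keyfile"` changes the build host's own apt trust store and nothing in this patch removes the key again; a keyring file private to the debootstrap call would avoid that.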
@@ -225,7 +224,6 @@ isar_bootstrap() {
if [ ${IS_HOST} ]; then
${DEBOOTSTRAP} $debootstrap_args \
${@get_distro_components_argument(d, True)} \
- ${DEBOOTSTRAP_KEYRING} \
"${@get_distro_suite(d, True)}" \
"${ROOTFSDIR}" \
"${@get_distro_source(d, True)}"
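Review bot: With `${DEBOOTSTRAP_KEYRING}` removed from this call (and from the cross-arch call in the next hunk), debootstrap no longer receives an explicit keyring, so which keys it checks the Release signature against is decided by host defaults rather than by this build. Please state in the commit message how the key added with `sudo apt-key add` is expected to reach debootstrap, or keep a `--keyring` argument pointing at a keyring generated for this build.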
@@ -234,7 +232,6 @@ isar_bootstrap() {
"${DEBOOTSTRAP}" $debootstrap_args \
--arch="${DISTRO_ARCH}" \
${@get_distro_components_argument(d, False)} \
- ${DEBOOTSTRAP_KEYRING} \
"${@get_distro_suite(d, False)}" \
"${ROOTFSDIR}" \
"${@get_distro_source(d, False)}"
@@ -248,7 +245,7 @@ isar_bootstrap() {
if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then
sed -e "s#{BASE_DISTRO}#"${BASE_DISTRO}"#g" \
-e "s#{BASE_DISTRO_CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
- -i ${BASEAPTSRCS}
+ -i ${BASEAPTSRCS}
mkdir -p ${ROOTFSDIR}/base-apt
sudo mount --bind ${REPO_BASE_DIR} ${ROOTFSDIR}/base-apt
install -v -m644 "${BASEAPTSRCS}" \
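Review bot: The change to `-i ${BASEAPTSRCS}` only alters leading whitespace and is unrelated to the key handling; please drop it so the diff stays focused on the keyring refactoring.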
--
2.20.1
* [RFC v1 3/3] Use all source lists in target root apt
2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel
2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel
2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel
@ 2019-02-26 13:48 ` Andreas J. Reichel
2019-02-26 15:06 ` [RFC v1 0/3] Fix additional apt repos with foreign keys Henning Schild
3 siblings, 0 replies; 9+ messages in thread
From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw)
To: isar-users; +Cc: Andreas Reichel
From: Andreas Reichel <andreas.reichel.ext@siemens.com>
When we only use isar-apt.list, we cannot add additional repositories
since they are listed in the bootstrap list only.
Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
meta/classes/isar-bootstrap-helper.bbclass | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/meta/classes/isar-bootstrap-helper.bbclass b/meta/classes/isar-bootstrap-helper.bbclass
index df6fbee..4213112 100644
--- a/meta/classes/isar-bootstrap-helper.bbclass
+++ b/meta/classes/isar-bootstrap-helper.bbclass
@@ -127,10 +127,7 @@ setup_root_file_system() {
sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename $keyfile)
done
fi
- sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \
- -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \
- -o Dir::Etc::sourceparts="-" \
- -o APT::Get::List-Cleanup="0"
+ sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update
# Add multiarch for cross-target
if [ "${ROOTFS_ARCH}" != "${DISTRO_ARCH}" ]; then
sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture ${DISTRO_ARCH}
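Review bot: Dropping `-o Dir::Etc::sourcelist="sources.list.d/isar-apt.list"` and `-o Dir::Etc::sourceparts="-"` makes this `apt-get update` refresh every source configured in the rootfs, so it now depends on all of those repositories being reachable and on their keys having been added by the loop just above. The commit message should say that explicitly and also explain the removal of `APT::Get::List-Cleanup="0"`, which is not mentioned. If the same isar-apt-only pattern exists at other call sites, change them in the same patch or document the difference.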
--
2.20.1
* Re: [RFC v1 2/3] Refactor gpg code to use apt code
2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel
@ 2019-02-26 14:07 ` cedric_hombourger
2019-02-26 15:57 ` Henning Schild
2019-02-26 15:39 ` Henning Schild
1 sibling, 1 reply; 9+ messages in thread
From: cedric_hombourger @ 2019-02-26 14:07 UTC (permalink / raw)
To: isar-users
>
> diff --git a/meta/classes/isar-bootstrap-helper.bbclass
> b/meta/classes/isar-bootstrap-helper.bbclass
> index d780b85..df6fbee 100644
> --- a/meta/classes/isar-bootstrap-helper.bbclass
> +++ b/meta/classes/isar-bootstrap-helper.bbclass
> @@ -119,6 +119,14 @@ setup_root_file_system() {
> export LANG=C
> export LANGUAGE=C
> export LC_ALL=C
> +
> + if [ -d ${TMPDIR}/aptkeys ]; then
> + for keyfile in ${TMPDIR}/aptkeys/*
> + do
> + cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile)
>
I have seen repos name their key debian.gpg or some other generic name.
I am concerned that we may get repositories using the same key names and
only the last key would be added.
Should we do something like:
tmpkey=$(mktemp -p "$ROOTFSDIR"/tmp)
cp $keyfile $tmpkey
sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename $tmpkey)
rm -f $tmpkey
+ sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add
> /tmp/$(basename $keyfile)
> + done
> + fi
>
>
* Re: [RFC v1 0/3] Fix additional apt repos with foreign keys
2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel
` (2 preceding siblings ...)
2019-02-26 13:48 ` [RFC v1 3/3] Use all source lists in target root apt Andreas J. Reichel
@ 2019-02-26 15:06 ` Henning Schild
3 siblings, 0 replies; 9+ messages in thread
From: Henning Schild @ 2019-02-26 15:06 UTC (permalink / raw)
To: [ext] Andreas J. Reichel; +Cc: isar-users
On Tue, 26 Feb 2019 14:48:41 +0100,
"[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com> wrote:
> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
>
> This patch series fixes problems when adding additional repos
> which need different gpg keys for authentication.
>
> The patches are designed to make the existing 'API', i.e. bitbake
> variables work, not to solve the remaining design problems.
>
> On basis of this series, we should discuss how to further proceed
> since there should be a distinction whether we change the bootstrapping
> apt source or if we change the apt source for additional packages.
>
> If we change the bootstrapping apt source, we already need keys
> installed in the build environment to do the first debootstrap.
>
> If we only want additional packages in the target rootfs, we only
> need to add keys inside the target chroot.
>
> Currently this is not possible and requires additional bitbake
> variables, i.e. APT_KEYS_TARGET_PKGS, or APT_KEYS_TARGET_BOOTSTRAP.
I think it is useful to establish the trust twice and forget about
extra variables. People might want to bootstrap from "new/unknown"
mirrors, like i.e. the cache.
So use the variables we know to establish trust on the guy running
debootstrap and inside the chroots. That is two "apt-key" like in
your current patches.
But I would argue that you should play with "apt-key --keyring <file>".
The goal would be to create a keyring just for that one debootstrap
call, which you will remove/distrust later. For people not using docker
that will prevent "messing with the host".
> Also the reason for the option I delete in patch 3 is unclear to me.
> This way we could never add additional repositories.
Good catch. That pattern is used in a few places, assuming that
isar-apt is the only repo that could have possibly changed. Maybe that
whole pattern should be revised and we go for plain "apt-get update".
Henning
> Andreas Reichel (3):
> Fix path to user gpg-keys
> Refactor gpg code to use apt code
> Use all source lists in target root apt
>
> meta/classes/isar-bootstrap-helper.bbclass | 14 ++++++++----
> .../isar-bootstrap/isar-bootstrap.inc | 22
> +++++++++---------- 2 files changed, 21 insertions(+), 15 deletions(-)
>
* Re: [RFC v1 1/3] Fix path to user gpg-keys
2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel
@ 2019-02-26 15:33 ` Henning Schild
0 siblings, 0 replies; 9+ messages in thread
From: Henning Schild @ 2019-02-26 15:33 UTC (permalink / raw)
To: [ext] Andreas J. Reichel; +Cc: isar-users
On Tue, 26 Feb 2019 14:48:42 +0100,
"[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com> wrote:
> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
>
> If the key is fetched from remote (currently http, https),
> use the basename, otherwise, use the absolute path.
>
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> ---
> meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index
> 234d339..25133be 100644 ---
> a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -40,7 +40,10
> @@ python () { d.setVar("DEBOOTSTRAP_KEYRING", "--keyring
> ${APTKEYRING}") for key in distro_apt_keys.split():
> url = urlparse(key)
> - filename = ''.join([wd, url.path])
> + if "https://" in key or "http://" in key:
> + filename = os.path.basename(url.path)
> + else:
> + filename = ''.join([wd, url.path])
This is just weird. What happens with git, mercurial and bazaar fetches?
> d.appendVar("SRC_URI", " %s" % key)
> d.appendVar("APTKEYFILES", " %s" % filename)
In fact we assume that we can guess the filename from the URI to
construct APTKEYFILES. I think a better way to do that would be using
something like:
>> fetcher = bb.fetch2.Fetch([src_uri], d)
>> filename = fetcher.localpath(src_uri)
... not tested just reading bitbake code ;)
Henning
> if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
* Re: [RFC v1 2/3] Refactor gpg code to use apt code
2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel
2019-02-26 14:07 ` cedric_hombourger
@ 2019-02-26 15:39 ` Henning Schild
1 sibling, 0 replies; 9+ messages in thread
From: Henning Schild @ 2019-02-26 15:39 UTC (permalink / raw)
To: [ext] Andreas J. Reichel; +Cc: isar-users
On Tue, 26 Feb 2019 14:48:43 +0100,
"[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com> wrote:
> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
>
> Don't manually move around keys and keyrings, use `apt-key` to do so
>
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> ---
> meta/classes/isar-bootstrap-helper.bbclass | 9 +++++++++
> .../isar-bootstrap/isar-bootstrap.inc | 17
> +++++++---------- 2 files changed, 16 insertions(+), 10 deletions(-)
>
> diff --git a/meta/classes/isar-bootstrap-helper.bbclass
> b/meta/classes/isar-bootstrap-helper.bbclass index d780b85..df6fbee
> 100644 --- a/meta/classes/isar-bootstrap-helper.bbclass
> +++ b/meta/classes/isar-bootstrap-helper.bbclass
> @@ -119,6 +119,14 @@ setup_root_file_system() {
> export LANG=C
> export LANGUAGE=C
> export LC_ALL=C
> +
> + if [ -d ${TMPDIR}/aptkeys ]; then
> + for keyfile in ${TMPDIR}/aptkeys/*
> + do
> + cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile)
> + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key
> add /tmp/$(basename $keyfile)
> + done
> + fi
> sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \
> -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \
> -o Dir::Etc::sourceparts="-" \
> @@ -128,6 +136,7 @@ setup_root_file_system() {
> sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture
> ${DISTRO_ARCH} sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update
> fi
> + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update
> sudo -E chroot "$ROOTFSDIR" \
> /usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \
> ${IMAGE_TRANSIENT_PACKAGES}
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index
> 25133be..60bd061 100644 ---
> a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -23,10 +23,8
> @@ APTSRCS = "${WORKDIR}/apt-sources" APTSRCS_INIT =
> "${WORKDIR}/apt-sources-init" BASEAPTSRCS =
> "${WORKDIR}/base-apt-sources" APTKEYFILES = ""
> -APTKEYRING = "${WORKDIR}/apt-keyring.gpg"
> -DEBOOTSTRAP_KEYRING = ""
> DEPLOY_ISAR_BOOTSTRAP ?= ""
> -DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
> +DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales gnupg2 apt-transport-https
> ca-certificates"
> DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org
> file:///${REPO_BASE_DIR} \n" if
> bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
> @@ -37,7 +35,6 @@ python () { distro_apt_keys =
> d.getVar("DISTRO_APT_KEYS", False) wd = d.getVar("WORKDIR", True)
> if distro_apt_keys:
> - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
> for key in distro_apt_keys.split():
> url = urlparse(key)
> if "https://" in key or "http://" in key:
> @@ -49,7 +46,6 @@ python () {
> if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
> own_pub_key = d.getVar("BASE_REPO_KEY", False)
> if own_pub_key:
> - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring
> ${APTKEYRING}") for key in own_pub_key.split():
> url = urlparse(key)
> filename = ''.join([wd, url.path])
> @@ -181,9 +177,12 @@ do_generate_keyring[dirs] = "${DL_DIR}"
> do_generate_keyring[vardeps] += "DISTRO_APT_KEYS"
> do_generate_keyring() {
> if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then
> + APTKEYTMPDIR="${TMPDIR}"/aptkeys
> + [ -d "${APTKEYTMPDIR}" ] || { mkdir -p "${APTKEYTMPDIR}"; \
> + chmod 777 "${APTKEYTMPDIR}"; }
mkdir -p does not need test -d
in fact you probably want that dir as a cleandir instead of all that
> for keyfile in ${@d.getVar("APTKEYFILES", True)}; do
> - gpg --no-default-keyring --keyring "${APTKEYRING}" \
> - --no-tty --homedir "${DL_DIR}" --import "$keyfile"
> + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")"
> + sudo apt-key add "$keyfile"
As I said, would be nice to be able to undo that after the debootstrap.
Talking about undo, after the last apt-key operations that tmpdir can
be removed from the chroot.
> done
> fi
> }
> @@ -225,7 +224,6 @@ isar_bootstrap() {
> if [ ${IS_HOST} ]; then
> ${DEBOOTSTRAP} $debootstrap_args \
> ${@get_distro_components_argument(d,
> True)} \
> - ${DEBOOTSTRAP_KEYRING} \
> "${@get_distro_suite(d, True)}" \
> "${ROOTFSDIR}" \
> "${@get_distro_source(d, True)}"
> @@ -234,7 +232,6 @@ isar_bootstrap() {
> "${DEBOOTSTRAP}" $debootstrap_args \
> --arch="${DISTRO_ARCH}" \
> ${@get_distro_components_argument(d,
> False)} \
> - ${DEBOOTSTRAP_KEYRING} \
> "${@get_distro_suite(d, False)}" \
> "${ROOTFSDIR}" \
> "${@get_distro_source(d, False)}"
> @@ -248,7 +245,7 @@ isar_bootstrap() {
> if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then
> sed -e "s#{BASE_DISTRO}#"${BASE_DISTRO}"#g" \
> -e
> "s#{BASE_DISTRO_CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
> - -i ${BASEAPTSRCS}
> + -i ${BASEAPTSRCS}
remove that whitespace change.
Henning
> mkdir -p ${ROOTFSDIR}/base-apt
> sudo mount --bind ${REPO_BASE_DIR}
> ${ROOTFSDIR}/base-apt install -v -m644 "${BASEAPTSRCS}" \
* Re: [RFC v1 2/3] Refactor gpg code to use apt code
2019-02-26 14:07 ` cedric_hombourger
@ 2019-02-26 15:57 ` Henning Schild
0 siblings, 0 replies; 9+ messages in thread
From: Henning Schild @ 2019-02-26 15:57 UTC (permalink / raw)
To: cedric_hombourger; +Cc: isar-users
On Tue, 26 Feb 2019 06:07:38 -0800,
<cedric_hombourger@mentor.com> wrote:
> >
> > diff --git a/meta/classes/isar-bootstrap-helper.bbclass
> > b/meta/classes/isar-bootstrap-helper.bbclass
> > index d780b85..df6fbee 100644
> > --- a/meta/classes/isar-bootstrap-helper.bbclass
> > +++ b/meta/classes/isar-bootstrap-helper.bbclass
> > @@ -119,6 +119,14 @@ setup_root_file_system() {
> > export LANG=C
> > export LANGUAGE=C
> > export LC_ALL=C
> > +
> > + if [ -d ${TMPDIR}/aptkeys ]; then
> > + for keyfile in ${TMPDIR}/aptkeys/*
> > + do
> > + cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile)
> >
>
> I have seen repos name their key debian.gpg or some other generic name
> I am concerned that we may get repositories using the same key names
> and only the last key would be added
> Should we do something like:
>
> tmpkey=$(mktemp -p "$ROOTFSDIR"/tmp)
> cp $keyfile $tmpkey
> sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename
> $tmpkey) rm -f $tmpkey
I think there is no point in doing that, they would already collide in
the DLDIR. You probably want to use ";name=foo" in the SRC_URI.
Henning
> + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add
> > /tmp/$(basename $keyfile)
> > + done
> > + fi
> >
>
>
> >
>
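The key-name collision raised in this sub-thread (two repositories both shipping a `debian.gpg`) can be detected before any key is staged. The following is an added example, not code from Isar or from the authors in this thread: `local_key_path`, `find_collisions`, `unique_name` and the sample URIs are constructed for illustration, and the digest-prefixed staging name is one possible mitigation, not something proposed in the thread.

```python
import hashlib
import os
from collections import defaultdict
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https"}

# Constructed sample entries in the style of DISTRO_APT_KEYS (not from the thread).
SAMPLE_KEYS = [
    "https://repo-a.example.org/keys/debian.gpg",
    "http://repo-b.example.net/debian.gpg",
    "file:///keys/vendor.asc",
]


def _bare(uri):
    """Drop ';param=value' suffixes so only the location is parsed (assumption)."""
    return uri.split(";", 1)[0]


def local_key_path(uri, workdir):
    """Path that patch 1/3 would record for one entry.

    Uses the parsed scheme instead of a substring test, so only real
    http/https URIs take the basename branch.
    """
    url = urlparse(_bare(uri))
    if url.scheme in REMOTE_SCHEMES:
        return os.path.basename(url.path)
    return "".join([workdir, url.path])


def find_collisions(uris, workdir):
    """Return {basename: [uris]} for names used by more than one entry.

    The staging step in patch 2/3 copies each key to <dir>/$(basename key),
    so entries sharing a basename overwrite each other there.
    """
    by_name = defaultdict(list)
    for uri in uris:
        name = os.path.basename(local_key_path(uri, workdir))
        by_name[name].append(uri)
    return {name: group for name, group in by_name.items() if len(group) > 1}


def unique_name(uri):
    """Staging name that cannot collide: short SHA-256 of the URI + basename."""
    bare = _bare(uri)
    digest = hashlib.sha256(bare.encode("utf-8")).hexdigest()[:12]
    return "%s-%s" % (digest, os.path.basename(urlparse(bare).path))


if __name__ == "__main__":
    for name, group in find_collisions(SAMPLE_KEYS, "/work").items():
        print("collision on %s:" % name)
        for uri in group:
            print("  %s -> %s" % (uri, unique_name(uri)))
```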