From: Henning Schild <henning.schild@siemens.com>
To: "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>
Cc: <isar-users@googlegroups.com>
Subject: Re: [PATCH v2 1/3] Fix and simplify apt keyring generation
Date: Wed, 27 Feb 2019 17:12:42 +0100 [thread overview]
Message-ID: <20190227171242.5c2c73b4@md1za8fc.ad001.siemens.net> (raw)
In-Reply-To: <20190227151856.11594-2-andreas.reichel.ext@siemens.com>
Am Wed, 27 Feb 2019 16:18:54 +0100
schrieb "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>:
> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
>
> Different fetcher stored keys in different sub dirs, and we can never
> be sure about where downloaded files go.
> To avoid this without making any assumptions, we ask the fetcher where
> the file will be after it is downloaded. This way we also don't need
> to parse the URL manually.
>
> The code is simplified by removing duplicate code and using apt-key
> instead of manually calling gpg.
>
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> ---
> meta/classes/isar-bootstrap-helper.bbclass | 11 ++++++
> .../isar-bootstrap/isar-bootstrap.inc | 39
> +++++++++---------- 2 files changed, 29 insertions(+), 21 deletions(-)
>
> diff --git a/meta/classes/isar-bootstrap-helper.bbclass
> b/meta/classes/isar-bootstrap-helper.bbclass index d780b85..b8c41f9
> 100644 --- a/meta/classes/isar-bootstrap-helper.bbclass
> +++ b/meta/classes/isar-bootstrap-helper.bbclass
> @@ -119,6 +119,16 @@ setup_root_file_system() {
> export LANG=C
> export LANGUAGE=C
> export LC_ALL=C
> +
> + if [ -d ${TMPDIR}/aptkeys ]; then
> + for keyfile in ${TMPDIR}/aptkeys/*
> + do
> + kfn="tmp/$(basename $keyfile)"
> + cp $keyfile "$ROOTFSDIR/$kfn"
> + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add "/$kfn"
Would probably be a good idea to work in /tmp/ as well and in a subdir.
Try naming your key "root" or "usr" ...
> + rm "$ROOTFSDIR/$kfn"
> + done
> + fi
> sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \
> -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \
> -o Dir::Etc::sourceparts="-" \
> @@ -128,6 +138,7 @@ setup_root_file_system() {
> sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture
> ${DISTRO_ARCH} sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update
> fi
> + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update
> sudo -E chroot "$ROOTFSDIR" \
> /usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \
> ${IMAGE_TRANSIENT_PACKAGES}
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index
> 234d339..2ef3b1e 100644 ---
> a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++
> b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -23,35
> +23,30 @@ APTSRCS = "${WORKDIR}/apt-sources" APTSRCS_INIT =
> "${WORKDIR}/apt-sources-init" BASEAPTSRCS =
> "${WORKDIR}/base-apt-sources" APTKEYFILES = ""
> -APTKEYRING = "${WORKDIR}/apt-keyring.gpg"
> -DEBOOTSTRAP_KEYRING = ""
> DEPLOY_ISAR_BOOTSTRAP ?= ""
> -DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
> +DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales gnupg2 apt-transport-https
> ca-certificates"
That looks more like leftovers from an experiment. Are you sure that is
needed?
In general i think that patch should be splittet into two or
even more patches. Because it solves at least two problems.
Henning
> DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org
> file:///${REPO_BASE_DIR} \n" if
> bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
> inherit base-apt-helper
> python () {
> - from urllib.parse import urlparse
> distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False)
> - wd = d.getVar("WORKDIR", True)
> + aptkeys = []
> +
> if distro_apt_keys:
> - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
> - for key in distro_apt_keys.split():
> - url = urlparse(key)
> - filename = ''.join([wd, url.path])
> - d.appendVar("SRC_URI", " %s" % key)
> - d.appendVar("APTKEYFILES", " %s" % filename)
> + aptkeys += distro_apt_keys.split()
> +
> if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
> own_pub_key = d.getVar("BASE_REPO_KEY", False)
> if own_pub_key:
> - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring
> ${APTKEYRING}")
> - for key in own_pub_key.split():
> - url = urlparse(key)
> - filename = ''.join([wd, url.path])
> - d.appendVar("SRC_URI", " %s" % key)
> - d.appendVar("APTKEYFILES", " %s" % filename)
> + aptkeys += own_pub_keys.split()
> +
> + for key in aptkeys:
> + d.appendVar("SRC_URI", " %s" % key)
> + fetcher = bb.fetch2.Fetch([key], d)
> + filename = fetcher.localpath(key)
> + d.appendVar("APTKEYFILES", " %s" % filename)
> }
>
> def aggregate_files(d, file_list, file_out):
> @@ -174,13 +169,17 @@ def get_distro_components_argument(d, is_host):
> else:
> return ""
>
> +APTKEYTMPDIR := "${TMPDIR}/aptkeys"
> +
> +do_generate_keyring[cleandirs] = "${APTKEYTMPDIR}"
> do_generate_keyring[dirs] = "${DL_DIR}"
> do_generate_keyring[vardeps] += "DISTRO_APT_KEYS"
> do_generate_keyring() {
> if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then
> + chmod 777 "${APTKEYTMPDIR}"
> for keyfile in ${@d.getVar("APTKEYFILES", True)}; do
> - gpg --no-default-keyring --keyring "${APTKEYRING}" \
> - --no-tty --homedir "${DL_DIR}" --import "$keyfile"
> + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")"
> + sudo apt-key add "$keyfile"
> done
> fi
> }
> @@ -222,7 +221,6 @@ isar_bootstrap() {
> if [ ${IS_HOST} ]; then
> ${DEBOOTSTRAP} $debootstrap_args \
> ${@get_distro_components_argument(d,
> True)} \
> - ${DEBOOTSTRAP_KEYRING} \
> "${@get_distro_suite(d, True)}" \
> "${ROOTFSDIR}" \
> "${@get_distro_source(d, True)}"
> @@ -231,7 +229,6 @@ isar_bootstrap() {
> "${DEBOOTSTRAP}" $debootstrap_args \
> --arch="${DISTRO_ARCH}" \
> ${@get_distro_components_argument(d,
> False)} \
> - ${DEBOOTSTRAP_KEYRING} \
> "${@get_distro_suite(d, False)}" \
> "${ROOTFSDIR}" \
> "${@get_distro_source(d, False)}"
next prev parent reply other threads:[~2019-02-27 16:12 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-27 15:18 [PATCH v2 0/3] Fixes usage of additional apt keys Andreas J. Reichel
2019-02-27 15:18 ` [PATCH v2 1/3] Fix and simplify apt keyring generation Andreas J. Reichel
2019-02-27 16:12 ` Henning Schild [this message]
2019-03-01 9:09 ` Andreas Reichel
2019-03-01 10:18 ` Henning Schild
2019-03-06 16:29 ` Andreas Reichel
2019-03-01 9:16 ` Andreas Reichel
2019-03-01 10:11 ` Henning Schild
2019-03-01 10:22 ` Henning Schild
2019-03-06 16:29 ` Andreas Reichel
2019-02-27 15:18 ` [PATCH v2 2/3] Use all source lists in target root apt Andreas J. Reichel
2019-02-27 15:18 ` [PATCH v2 3/3] Separate apt-key entries from default keyring Andreas J. Reichel
2019-02-27 16:14 ` Henning Schild
2019-03-01 9:08 ` Andreas Reichel
2019-02-27 16:15 ` [PATCH v2 0/3] Fixes usage of additional apt keys Henning Schild
2019-03-01 9:17 ` Andreas Reichel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190227171242.5c2c73b4@md1za8fc.ad001.siemens.net \
--to=henning.schild@siemens.com \
--cc=andreas.reichel.ext@siemens.com \
--cc=isar-users@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox