From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6662700470316826624 X-Received: by 2002:a2e:909a:: with SMTP id l26mr227500ljg.1.1551435530643; Fri, 01 Mar 2019 02:18:50 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a2e:5b42:: with SMTP id p63ls1049030ljb.0.gmail; Fri, 01 Mar 2019 02:18:50 -0800 (PST) X-Google-Smtp-Source: APXvYqxAp/QHQgFQs7SUkGjGE4C2AnzhB9BzILxOKMAV5OMckwIdb0IyiicUy6hMlhD++Z4p7+YL X-Received: by 2002:a2e:5c88:: with SMTP id q130mr217732ljb.2.1551435529994; Fri, 01 Mar 2019 02:18:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551435529; cv=none; d=google.com; s=arc-20160816; b=aL/kHLklZpo5ALZBwm2bDEe5/51LWKMhE2xVEOxUsim2hJ6OYAtJ7CPhbwnsOGAvMV +kGNs0QMeOKs+uLs6xYlqFtGx1BJ/RL5td2tymDJqKhiVzLdQ8podhM3Hvq9WuwafznZ NK2XftFM813GGeQMYnF50n+V/3KuhIN/DcE7v/WaDoESBfkhxyVhslUG6pUg7BWD1eB8 BWFW/klHf3IekCnAF2hLRlc6NbC425hA+H5fmPr5S/t8ATmFRrRyS+3+aXXJG/fXdBVt RqU9EbvNoB+/kM6ICUWanX804pTOd9ZR+ZAKBdzu86wzBXAFLZ9Xv8v6s6FfCG9yh+G+ TE2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:subject:cc:to:from:date; bh=fZV4Fu4pN16lUos+SRl7Pd5suVz8QMf4kieL0X+ftqQ=; b=Qsxv3UZAsu4ztjFQcZFVPdeAvCMeccRYzmzVl9CXFK/4BUTi6I3hnAF/Jy6sHHkYdm qCUayJ5QOs5qgCVGXNp90/lwtK2PvVowRpxy6+O1T/074n9Q1LhOHpyfWBHE5/FNje6f KAcdCMmVvhRX+0KB7ntX1lTJCpaJScUhJMNwpYHZysqnMzUwmPsPZBP3Sjq+3DxOsZq4 0aRXkxHAgshy+Sjf2/LC3vpgHWa4fkJnUCM+BQ0i1Wcx1vJ5DaX9CzNtlPpXaaxnxXnp W4m4budZG1bDz7q3vlA13An+w7ynLSrYHMu7uh9RWXRPNNX1HUX95G9SYaYMoX97LBOM nrlQ== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Return-Path: Received: from goliath.siemens.de (goliath.siemens.de. [192.35.17.28]) by gmr-mx.google.com with ESMTPS id h25si458766lja.3.2019.03.01.02.18.49 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Mar 2019 02:18:49 -0800 (PST) Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) client-ip=192.35.17.28; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id x21AIng3028160 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 1 Mar 2019 11:18:49 +0100 Received: from md1za8fc.ad001.siemens.net ([139.25.69.211]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id x21AInJ1030182; Fri, 1 Mar 2019 11:18:49 +0100 Date: Fri, 1 Mar 2019 11:18:48 +0100 From: Henning Schild To: Andreas Reichel Cc: Subject: Re: [PATCH v2 1/3] Fix and simplify apt keyring generation Message-ID: <20190301111848.25e60eee@md1za8fc.ad001.siemens.net> In-Reply-To: <20190301090949.GB10350@iiotirae> References: <20190227151856.11594-1-andreas.reichel.ext@siemens.com> <20190227151856.11594-2-andreas.reichel.ext@siemens.com> <20190227171242.5c2c73b4@md1za8fc.ad001.siemens.net> <20190301090949.GB10350@iiotirae> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-TUID: rNgggZaqlAdJ Am Fri, 1 Mar 2019 10:09:49 +0100 schrieb Andreas Reichel : > On Wed, Feb 27, 2019 at 05:12:42PM +0100, Henning Schild wrote: > > Am Wed, 27 Feb 2019 16:18:54 +0100 > > schrieb "[ext] Andreas J. Reichel" > > : > > > From: Andreas Reichel > > > > > > Different fetcher stored keys in different sub dirs, and we can > > > never be sure about where downloaded files go. > > > To avoid this without making any assumptions, we ask the fetcher > > > where the file will be after it is downloaded. This way we also > > > don't need to parse the URL manually. > > > > > > The code is simplified by removing duplicate code and using > > > apt-key instead of manually calling gpg. > > > > > > Signed-off-by: Andreas Reichel > > > --- > > > meta/classes/isar-bootstrap-helper.bbclass | 11 ++++++ > > > .../isar-bootstrap/isar-bootstrap.inc | 39 > > > +++++++++---------- 2 files changed, 29 insertions(+), 21 > > > deletions(-) > > > > > > diff --git a/meta/classes/isar-bootstrap-helper.bbclass > > > b/meta/classes/isar-bootstrap-helper.bbclass index > > > d780b85..b8c41f9 100644 --- > > > a/meta/classes/isar-bootstrap-helper.bbclass +++ > > > b/meta/classes/isar-bootstrap-helper.bbclass @@ -119,6 +119,16 @@ > > > setup_root_file_system() { export LANG=C > > > export LANGUAGE=C > > > export LC_ALL=C > > > + > > > + if [ -d ${TMPDIR}/aptkeys ]; then > > > + for keyfile in ${TMPDIR}/aptkeys/* > > > + do > > > + kfn="tmp/$(basename $keyfile)" > > > + cp $keyfile "$ROOTFSDIR/$kfn" > > > + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add > > > "/$kfn" > > > > Would probably be a good idea to work in /tmp/ as well and in a > > subdir. Try naming your key "root" or "usr" ... > > > > > + rm "$ROOTFSDIR/$kfn" > > > + done > > > + fi > > > sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \ > > > -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \ > > > -o Dir::Etc::sourceparts="-" \ > > > @@ -128,6 +138,7 @@ setup_root_file_system() { > > > sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg > > > --add-architecture ${DISTRO_ARCH} sudo -E chroot > > > "$ROOTFSDIR" /usr/bin/apt-get update fi > > > + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update > > > sudo -E chroot "$ROOTFSDIR" \ > > > /usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \ > > > ${IMAGE_TRANSIENT_PACKAGES} > > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index > > > 234d339..2ef3b1e 100644 --- > > > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ > > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -23,35 > > > +23,30 @@ APTSRCS = "${WORKDIR}/apt-sources" APTSRCS_INIT = > > > "${WORKDIR}/apt-sources-init" BASEAPTSRCS = > > > "${WORKDIR}/base-apt-sources" APTKEYFILES = "" > > > -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" > > > -DEBOOTSTRAP_KEYRING = "" > > > DEPLOY_ISAR_BOOTSTRAP ?= "" > > > -DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" > > > +DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales gnupg2 > > > apt-transport-https ca-certificates" > > > > That looks more like leftovers from an experiment. Are you sure > > that is needed? > > This is needed because debootstrap can switch to https by itself if it > is unsure about the sources (apt-transport-https, ca-certificates), > gnupg2 we need for apt-key. Adding the packages should probably depend on whether DISTRO_APT_KEYS is non-empty. And adding the ones that the https-detector adds should be tested, not that dual mention makes debootstrap crap out. I guess the OVERRIDES method from 9196b820636a9 should be used for gpg support as well. Henning > > > > > > In general i think that patch should be splittet into two or > > even more patches. Because it solves at least two problems. > > > > Henning > > > > > DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org > > > file:///${REPO_BASE_DIR} \n" if > > > bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else > > > "" }" inherit base-apt-helper > > > python () { > > > - from urllib.parse import urlparse > > > distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False) > > > - wd = d.getVar("WORKDIR", True) > > > + aptkeys = [] > > > + > > > if distro_apt_keys: > > > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring > > > ${APTKEYRING}") > > > - for key in distro_apt_keys.split(): > > > - url = urlparse(key) > > > - filename = ''.join([wd, url.path]) > > > - d.appendVar("SRC_URI", " %s" % key) > > > - d.appendVar("APTKEYFILES", " %s" % filename) > > > + aptkeys += distro_apt_keys.split() > > > + > > > if > > > bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): > > > own_pub_key = d.getVar("BASE_REPO_KEY", False) if own_pub_key: > > > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring > > > ${APTKEYRING}") > > > - for key in own_pub_key.split(): > > > - url = urlparse(key) > > > - filename = ''.join([wd, url.path]) > > > - d.appendVar("SRC_URI", " %s" % key) > > > - d.appendVar("APTKEYFILES", " %s" % filename) > > > + aptkeys += own_pub_keys.split() > > > + > > > + for key in aptkeys: > > > + d.appendVar("SRC_URI", " %s" % key) > > > + fetcher = bb.fetch2.Fetch([key], d) > > > + filename = fetcher.localpath(key) > > > + d.appendVar("APTKEYFILES", " %s" % filename) > > > } > > > > > > def aggregate_files(d, file_list, file_out): > > > @@ -174,13 +169,17 @@ def get_distro_components_argument(d, > > > is_host): else: > > > return "" > > > > > > +APTKEYTMPDIR := "${TMPDIR}/aptkeys" > > > + > > > +do_generate_keyring[cleandirs] = "${APTKEYTMPDIR}" > > > do_generate_keyring[dirs] = "${DL_DIR}" > > > do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" > > > do_generate_keyring() { > > > if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then > > > + chmod 777 "${APTKEYTMPDIR}" > > > for keyfile in ${@d.getVar("APTKEYFILES", True)}; do > > > - gpg --no-default-keyring --keyring "${APTKEYRING}" \ > > > - --no-tty --homedir "${DL_DIR}" --import > > > "$keyfile" > > > + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename > > > "$keyfile")" > > > + sudo apt-key add "$keyfile" > > > done > > > fi > > > } > > > @@ -222,7 +221,6 @@ isar_bootstrap() { > > > if [ ${IS_HOST} ]; then > > > ${DEBOOTSTRAP} $debootstrap_args \ > > > ${@get_distro_components_argument(d, > > > True)} \ > > > - ${DEBOOTSTRAP_KEYRING} \ > > > "${@get_distro_suite(d, True)}" \ > > > "${ROOTFSDIR}" \ > > > "${@get_distro_source(d, True)}" > > > @@ -231,7 +229,6 @@ isar_bootstrap() { > > > "${DEBOOTSTRAP}" $debootstrap_args \ > > > --arch="${DISTRO_ARCH}" \ > > > ${@get_distro_components_argument(d, > > > False)} \ > > > - ${DEBOOTSTRAP_KEYRING} \ > > > "${@get_distro_suite(d, > > > False)}" \ "${ROOTFSDIR}" \ > > > "${@get_distro_source(d, > > > False)}" > > >