From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6662700470316826624 X-Received: by 2002:ac2:43d7:: with SMTP id u23mr23917lfl.12.1551435746204; Fri, 01 Mar 2019 02:22:26 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a2e:9a18:: with SMTP id o24ls1050760lji.3.gmail; Fri, 01 Mar 2019 02:22:25 -0800 (PST) X-Google-Smtp-Source: APXvYqx5zVmolwusQXG6sEPiVYu79FsYeDwafxC1xMLO2m8jOtIttq49rmdnYSECVidMeJjO0kMh X-Received: by 2002:a2e:8ec9:: with SMTP id e9mr216329ljl.6.1551435745709; Fri, 01 Mar 2019 02:22:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551435745; cv=none; d=google.com; s=arc-20160816; b=cxnUjsNwyUSf/SEpogVqPmnoLnYnmjXWcYNglvZcBlCbQ0TbyAZsCzuUlZR2vQUeWB I6o3rFCIyuEnCBqsVRgIDUeft51Hb2jdKfYo2Iv8wSMfyIx+6/HqrzoLBwvyQIqNAIwV Lhs7oxEyaptNQ0LpuW7/9du3NvsCLY4sX1rOXWhpqTBk0fjJq+MVPr9csxfn5qYXa3Ob GezmMRpjqe6kOlq6BLDbG/ZEE0PHS9GDRb7VFyJFG67IO/sC54KfhPKMo6JHO0V3Hz0C c3hG5haV2RCxkJQDRoupTVOkzb4PgXrSZ2clXv4VD1fZAbM//7l2voVBp9g64UwccT+H +cCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:subject:cc:to:from:date; bh=j1tQBILLVltwobx7ynDvrmpOIOVmR+Rv2cMXbaxM1BM=; b=Qheoh24Sd+EEumXGhEuZnnYN/kQ4s0CmPj1+F9LWmff8dkCXRIVnCzwphFBC0TrCvj dctYYIqv69Ay0kr82zeCW2kqNwBhBGpcNAxJgoJRNj0neZ13tPb671jjjLtDZ4lvpWQG nV43u8NmGT2G3Z2crovZCNZnPGG7js2kQo31oB0EigAynG9sxfgRVFNBDX3RfAqzbHv2 2pviI/7prdt4BD6NZEB5ypoBdKhafgGO0J/E9C516hV5B5/t/S3kxKEO33CuNeYFut1l JY8V+eIyg80JkOk6zAABo5uePEYIA0MuctaG+dYZT/k1v3z1eou1VoC0Rwz00gsojc32 8uAA== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Return-Path: Received: from thoth.sbs.de (thoth.sbs.de. [192.35.17.2]) by gmr-mx.google.com with ESMTPS id y13si467074lfg.4.2019.03.01.02.22.25 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Mar 2019 02:22:25 -0800 (PST) Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.2 as permitted sender) client-ip=192.35.17.2; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by thoth.sbs.de (8.15.2/8.15.2) with ESMTPS id x21AMPSE025331 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Fri, 1 Mar 2019 11:22:25 +0100 Received: from md1za8fc.ad001.siemens.net ([139.25.69.211]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id x21AMOtv007756; Fri, 1 Mar 2019 11:22:24 +0100 Date: Fri, 1 Mar 2019 11:22:24 +0100 From: Henning Schild To: "[ext] Andreas J. Reichel" Cc: Subject: Re: [PATCH v2 1/3] Fix and simplify apt keyring generation Message-ID: <20190301112224.2c87fd85@md1za8fc.ad001.siemens.net> In-Reply-To: <20190227171242.5c2c73b4@md1za8fc.ad001.siemens.net> References: <20190227151856.11594-1-andreas.reichel.ext@siemens.com> <20190227151856.11594-2-andreas.reichel.ext@siemens.com> <20190227171242.5c2c73b4@md1za8fc.ad001.siemens.net> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-TUID: vNsSGH17Iq4l Am Wed, 27 Feb 2019 17:12:42 +0100 schrieb "[ext] Henning Schild" : > Am Wed, 27 Feb 2019 16:18:54 +0100 > schrieb "[ext] Andreas J. Reichel" : > > > From: Andreas Reichel > > > > Different fetcher stored keys in different sub dirs, and we can > > never be sure about where downloaded files go. > > To avoid this without making any assumptions, we ask the fetcher > > where the file will be after it is downloaded. This way we also > > don't need to parse the URL manually. > > > > The code is simplified by removing duplicate code and using apt-key > > instead of manually calling gpg. > > > > Signed-off-by: Andreas Reichel > > --- > > meta/classes/isar-bootstrap-helper.bbclass | 11 ++++++ > > .../isar-bootstrap/isar-bootstrap.inc | 39 > > +++++++++---------- 2 files changed, 29 insertions(+), 21 > > deletions(-) > > > > diff --git a/meta/classes/isar-bootstrap-helper.bbclass > > b/meta/classes/isar-bootstrap-helper.bbclass index d780b85..b8c41f9 > > 100644 --- a/meta/classes/isar-bootstrap-helper.bbclass > > +++ b/meta/classes/isar-bootstrap-helper.bbclass > > @@ -119,6 +119,16 @@ setup_root_file_system() { > > export LANG=C > > export LANGUAGE=C > > export LC_ALL=C > > + > > + if [ -d ${TMPDIR}/aptkeys ]; then > > + for keyfile in ${TMPDIR}/aptkeys/* > > + do > > + kfn="tmp/$(basename $keyfile)" > > + cp $keyfile "$ROOTFSDIR/$kfn" > > + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add > > "/$kfn" > > Would probably be a good idea to work in /tmp/ as well and in a > subdir. Try naming your key "root" or "usr" ... > > > + rm "$ROOTFSDIR/$kfn" > > + done > > + fi > > sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \ > > -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \ > > -o Dir::Etc::sourceparts="-" \ > > @@ -128,6 +138,7 @@ setup_root_file_system() { > > sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg > > --add-architecture ${DISTRO_ARCH} sudo -E chroot > > "$ROOTFSDIR" /usr/bin/apt-get update fi > > + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update > > sudo -E chroot "$ROOTFSDIR" \ > > /usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \ > > ${IMAGE_TRANSIENT_PACKAGES} > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index > > 234d339..2ef3b1e 100644 --- > > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ > > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -23,35 > > +23,30 @@ APTSRCS = "${WORKDIR}/apt-sources" APTSRCS_INIT = > > "${WORKDIR}/apt-sources-init" BASEAPTSRCS = > > "${WORKDIR}/base-apt-sources" APTKEYFILES = "" > > -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" > > -DEBOOTSTRAP_KEYRING = "" > > DEPLOY_ISAR_BOOTSTRAP ?= "" > > -DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" > > +DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales gnupg2 > > apt-transport-https ca-certificates" > > That looks more like leftovers from an experiment. Are you sure that > is needed? > > > In general i think that patch should be splittet into two or > even more patches. Because it solves at least two problems. One possible split would be: - gpg -> apt-key - filename.join -> fetcher.localpath - adding BASE_PACKAGES depending on GPG needed - ... Henning > Henning > > > DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org > > file:///${REPO_BASE_DIR} \n" if > > bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else > > "" }" inherit base-apt-helper > > python () { > > - from urllib.parse import urlparse > > distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False) > > - wd = d.getVar("WORKDIR", True) > > + aptkeys = [] > > + > > if distro_apt_keys: > > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") > > - for key in distro_apt_keys.split(): > > - url = urlparse(key) > > - filename = ''.join([wd, url.path]) > > - d.appendVar("SRC_URI", " %s" % key) > > - d.appendVar("APTKEYFILES", " %s" % filename) > > + aptkeys += distro_apt_keys.split() > > + > > if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): > > own_pub_key = d.getVar("BASE_REPO_KEY", False) > > if own_pub_key: > > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring > > ${APTKEYRING}") > > - for key in own_pub_key.split(): > > - url = urlparse(key) > > - filename = ''.join([wd, url.path]) > > - d.appendVar("SRC_URI", " %s" % key) > > - d.appendVar("APTKEYFILES", " %s" % filename) > > + aptkeys += own_pub_keys.split() > > + > > + for key in aptkeys: > > + d.appendVar("SRC_URI", " %s" % key) > > + fetcher = bb.fetch2.Fetch([key], d) > > + filename = fetcher.localpath(key) > > + d.appendVar("APTKEYFILES", " %s" % filename) > > } > > > > def aggregate_files(d, file_list, file_out): > > @@ -174,13 +169,17 @@ def get_distro_components_argument(d, > > is_host): else: > > return "" > > > > +APTKEYTMPDIR := "${TMPDIR}/aptkeys" > > + > > +do_generate_keyring[cleandirs] = "${APTKEYTMPDIR}" > > do_generate_keyring[dirs] = "${DL_DIR}" > > do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" > > do_generate_keyring() { > > if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then > > + chmod 777 "${APTKEYTMPDIR}" > > for keyfile in ${@d.getVar("APTKEYFILES", True)}; do > > - gpg --no-default-keyring --keyring "${APTKEYRING}" \ > > - --no-tty --homedir "${DL_DIR}" --import "$keyfile" > > + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")" > > + sudo apt-key add "$keyfile" > > done > > fi > > } > > @@ -222,7 +221,6 @@ isar_bootstrap() { > > if [ ${IS_HOST} ]; then > > ${DEBOOTSTRAP} $debootstrap_args \ > > ${@get_distro_components_argument(d, > > True)} \ > > - ${DEBOOTSTRAP_KEYRING} \ > > "${@get_distro_suite(d, True)}" \ > > "${ROOTFSDIR}" \ > > "${@get_distro_source(d, True)}" > > @@ -231,7 +229,6 @@ isar_bootstrap() { > > "${DEBOOTSTRAP}" $debootstrap_args \ > > --arch="${DISTRO_ARCH}" \ > > ${@get_distro_components_argument(d, > > False)} \ > > - ${DEBOOTSTRAP_KEYRING} \ > > "${@get_distro_suite(d, False)}" > > \ "${ROOTFSDIR}" \ > > "${@get_distro_source(d, > > False)}" >