Date: Mon, 18 Mar 2019 11:21:11 +0100
From: Andreas Reichel
To: Claudius Heine
Cc: isar-users@googlegroups.com
Subject: Re: [PATCH v4 5/6] Use apt-key to generate apt-keyring

On Thu, Mar 07, 2019 at 03:58:32PM +0100, Claudius Heine wrote:
> Hi Andreas,
>
> On 07/03/2019 15.23, [ext] Andreas J. Reichel wrote:
> > From: Andreas Reichel
> >
> > Use apt-key instead of manually calling gpg.
> > > > @@ -82,6 +82,7 @@ isar_image_cleanup() { > > fi > > rm -f "${IMAGE_ROOTFS}/etc/apt/sources-list" > > ' > > + sudo rm -f "${ISARKEYRING}" > > If I understand this correctly, you are removing the keys of third-party > repositories here. Why? Aren't they needed if someone wants to update the > image later manually via apt on a running system? > > IMO that only makes sense if this file only contains keys for repositories > like isar-apt or the cache repo. > Do we really want to split everything up because of this or not just keep all keys? If we keep keys we cannot use anymore, it does not hurt. Another way would be to specify the keys we want to keep like with ";keep=yes" in the fetcher URI and parse this. What do you think? That would probably be better than to introduce different APT_KEY variables, which might be confusing in code. > > } > > do_rootfs() { > > diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf > > index 0e521bb..769ec9a 100644 > > --- a/meta/conf/bitbake.conf > > +++ b/meta/conf/bitbake.conf > > @@ -62,6 +62,7 @@ DEBDISTRONAME = "isar" > > # Isar apt repository paths > > REPO_ISAR_DIR = "${DEPLOY_DIR}/isar-apt/apt" > > REPO_ISAR_DB_DIR = "${DEPLOY_DIR}/isar-apt/db" > > +ISARKEYRING = "/etc/apt/trusted.gpg.d/isar.gpg" > > I would separate third-party and isar created repo keys here. Since > third-party keyrings should not be removed and isar created ones might be > removed if those repos are not shared with the device while it is deployed. > ... as suggested before. > > # Base apt repository paths > > REPO_BASE_DIR = "${DL_DIR}/base-apt/apt" > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > index dbc3938..2fb5c5b 100644 > > --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc 
> > @@ -23,10 +23,9 @@ APTSRCS = "${WORKDIR}/apt-sources" > > APTSRCS_INIT = "${WORKDIR}/apt-sources-init" > > BASEAPTSRCS = "${WORKDIR}/base-apt-sources" > > APTKEYFILES = "" > > -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" > > -DEBOOTSTRAP_KEYRING = "" > > DEPLOY_ISAR_BOOTSTRAP ?= "" > > DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" > > +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2" > > DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }" > > @@ -43,7 +42,6 @@ python () { > > if own_pub_key: > > aptkeys += own_pub_key.split() > > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") > > for key in aptkeys: > > d.appendVar("SRC_URI", " %s" % key) > > fetcher = bb.fetch2.Fetch([key], d) > > @@ -158,6 +156,14 @@ def get_distro_needs_https_support(d, is_host=False): > > else: > > return "" > > +def get_distro_needs_gpg_support(d): > > + apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False) > > + if apt_keys: > > + return "gnupg" > > + return "" > > + > > +OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}" > > + > > def get_distro_source(d, is_host): > > return get_distro_primary_source_entry(d, is_host)[0] 
> > @@ -171,13 +177,17 @@ def get_distro_components_argument(d, is_host): > > else: > > return "" > > > +APTKEYTMPDIR := "${TMPDIR}/aptkeys" > > Is there a reason why this is in TMPDIR and not in WORKDIR? > Because we throw it way. We don't throw things in WORKDIR away. > > + > > +do_generate_keyring[cleandirs] = "${APTKEYTMPDIR}" > > do_generate_keyring[dirs] = "${DL_DIR}" > > do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" > > do_generate_keyring() { > > if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then > > + chmod 777 "${APTKEYTMPDIR}" > > for keyfile in ${@d.getVar("APTKEYFILES", True)}; do > > - gpg --no-default-keyring --keyring "${APTKEYRING}" \ > > - --no-tty --homedir "${DL_DIR}" --import "$keyfile" > > + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")" > > + sudo apt-key --keyring "${ISARKEYRING}" add "$keyfile" > > done > > fi > > } > > @@ -221,7 +231,6 @@ isar_bootstrap() { > > if [ ${IS_HOST} ]; then > > ${DEBOOTSTRAP} $debootstrap_args \ > > ${@get_distro_components_argument(d, True)} \ > > - ${DEBOOTSTRAP_KEYRING} \ > > "${@get_distro_suite(d, True)}" \ > > "${ROOTFSDIR}" \ > > "${@get_distro_source(d, True)}" > > @@ -230,7 +239,6 @@ isar_bootstrap() { > > "${DEBOOTSTRAP}" $debootstrap_args \ > > --arch="${DISTRO_ARCH}" \ > > ${@get_distro_components_argument(d, False)} \ > > - ${DEBOOTSTRAP_KEYRING} \ > > "${@get_distro_suite(d, False)}" \ > > "${ROOTFSDIR}" \ > > "${@get_distro_source(d, False)}" 
> > @@ -259,6 +267,16 @@ isar_bootstrap() { > > mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d" > > install -v -m644 "${WORKDIR}/isar-apt.conf" \ > > "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf" > > + if [ -d ${TMPDIR}/aptkeys ]; then > > + for keyfile in ${TMPDIR}/aptkeys/* > > Maybe use APTKEYTMPDIR here, deduplication then it is easier to find usage > of this directory. True > > If the aptkeys directory is used somewhere outside of isar-bootstrap, then > the placeing it in TMPDIR directly makes sence, but if only isar-bootstrap > uses this directory WORKDIR would be better. > Do we know this beforehand? It is always allowed to put anything temporary in TMPDIR and it is temporary because we copy the keys around. > Claudius > > > + do > > + kfn="$(basename $keyfile)" > > + cp $keyfile "${ROOTFSDIR}/tmp/$kfn" > > + sudo -E chroot "${ROOTFSDIR}" /usr/bin/apt-key \ > > + --keyring ${ISARKEYRING} add "/tmp/$kfn" > > + rm "${ROOTFSDIR}/tmp/$kfn" > > + done > > + fi > > if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then > > install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \ > > > > -- > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany > Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de -- Andreas Reichel Dipl.-Phys. (Univ.) Software Consultant Andreas.Reichel@tngtech.com, +49-174-3180074 TNG Technology Consulting GmbH, Betastr. 13a, 85774 Unterfoehring Geschaeftsfuehrer: Henrik Klagges, Dr. Robert Dahlke, Gerhard Mueller Sitz: Unterfoehring * Amtsgericht Muenchen * HRB 135082
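Review bot: In the isar_image_cleanup hunk (@@ -82,6 +82,7 @@), the added `sudo rm -f "${ISARKEYRING}"` has no `${IMAGE_ROOTFS}` prefix, unlike the `rm -f "${IMAGE_ROOTFS}/etc/apt/sources-list"` line directly above it, and bitbake.conf defines ISARKEYRING as the absolute path /etc/apt/trusted.gpg.d/isar.gpg. As written, the command deletes that file on the build host rather than in the image. If the image keyring is meant, use `"${IMAGE_ROOTFS}${ISARKEYRING}"`; if the host file written by do_generate_keyring is meant, say so in a comment, because every neighbouring line acts on the image.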
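Review bot: In the @@ -158,6 +156,14 @@ hunk, `OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}"` appends a bare ":" whenever the function returns "", which leaves an empty entry in OVERRIDES; have the function return ":gnupg" or "" and drop the colon from the assignment. None of the visible hunks sets HAVE_CUSTOM_APT_KEYS, and `d.getVar("HAVE_CUSTOM_APT_KEYS", False)` treats any non-empty string, "0" included, as true. Set it where the anonymous python block collects the keys, or derive the result from the key list itself, and document the variable.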
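Review bot: In do_generate_keyring (@@ -171,13 +177,17 @@), `chmod 777 "${APTKEYTMPDIR}"` leaves the key staging directory world-writable, and the isar_bootstrap hunk later runs apt-key add on every file found in ${TMPDIR}/aptkeys, so any local user on the build host can place a key there that the image will then trust. Use a mode only the build user can write, for example 755, or 700 if nothing else needs to read it. In the same hunk, `sudo apt-key --keyring "${ISARKEYRING}" add "$keyfile"` runs outside any chroot and therefore writes to the build host's /etc/apt/trusted.gpg.d/isar.gpg. Either state in the commit message that the host's apt trust store is modified, or keep the keyring under the build directory as the removed `APTKEYRING = "${WORKDIR}/apt-keyring.gpg"` did.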
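Review bot: With `${DEBOOTSTRAP_KEYRING}` removed from both debootstrap invocations (@@ -221,7 +231,6 @@ and @@ -230,7 +239,6 @@), nothing in the visible hunks hands the custom keys to debootstrap itself, and the apt-key import into ${ROOTFSDIR} only happens after debootstrap has finished. The commit message should state which keyring verifies the Release file during bootstrap when DISTRO_APT_KEYS refers to a non-default archive.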
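Review bot: In the @@ -259,6 +267,16 @@ hunk, `for keyfile in ${TMPDIR}/aptkeys/*` iterates once over the literal pattern when the directory is empty, and `do_generate_keyring[cleandirs]` creates that directory on every build, so the `-d` test passes and `cp` fails on a path ending in "/*" whenever no custom keys are configured. Guard the loop body with `[ -e "$keyfile" ] || continue`. `$keyfile`, `$(basename $keyfile)` and `${ISARKEYRING}` are also unquoted here, while the rest of the function quotes its paths.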