From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6665315485307895808 X-Received: by 2002:a17:906:4f0a:: with SMTP id t10mr1292766eju.5.1552909895092; Mon, 18 Mar 2019 04:51:35 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a17:906:110a:: with SMTP id h10ls2406896eja.6.gmail; Mon, 18 Mar 2019 04:51:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqzetHLl3toNEg6809u8GH3DTYO6zFWfZuDaCi6KbIjtyXwjRQ0sa4ltdrVkQqUbB1WCD8d4 X-Received: by 2002:a17:906:d541:: with SMTP id gk1mr1776914ejb.0.1552909894649; Mon, 18 Mar 2019 04:51:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552909894; cv=none; d=google.com; s=arc-20160816; b=XQs9u0GvpZGehnL+xSs/x2McwBcJ2U0P41Hn06a7mfdJgW8zINg6XZzk/mqPxPqs/2 8fIVIST15EY+AZnaM1pDX1UGkrr6skTCsh1inot37M7BgIkTZS65UxzlGr4geaYxYypw 9j5hLEwFVQyXcMZ7gUt9Er6dlK6pTluLahFJcI3VEdJ3IULOz5aE0w+SDDWBs4/GpQdT mbASb896rwpYZEsYej5rfabNdKbcynNYOPkJF6YUjGQS3iFRt9HBzeshEMMP81vvkV8a zGm9xi3umkcXa4AdA+n2RyuVdsRku5opdP3kn6wNu7u/BsHSjpCCGcJwaf9/ROgmtlnv sUBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:content-description :mime-version:references:message-id:subject:cc:to:from:date; bh=sdMwH8k093ghLfozZs4y536Te+OurG7lF5sbg3mddF4=; b=KcAlSBV+XBqpwebbsCghXwzqRQjUnttgVNmlh3mwUQEtzNHbIzNHVKGqafMbnW5gwz KFQR4ZYGQZSvsRJ7ZqtiWJcWsLaQ9L+QOBJEHchY2In/OTCdkVhalfWtn3ezicuC+/hv JHffEf36mUTcR3zzp7/paWO0b+ZnivQniNvOPBhGRcSjbyjGHeSexwh8gSgY1/7SGDgo ffQiWWECiwraBMMIpg6vVScSXoknjzJLSHANK32t6Df6S9OVTP9rcaKbxFd1am6F3RPW EFxijP2DmZUxvkbA3TGTrOomKjABJiBK8C2bjoJvCMUtf9a4d9CVghYbI1w7If/yT3OC rcJg== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of andreas.reichel.ext@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=andreas.reichel.ext@siemens.com Return-Path: Received: from goliath.siemens.de (goliath.siemens.de. [192.35.17.28]) by gmr-mx.google.com with ESMTPS id l25si385458edb.4.2019.03.18.04.51.34 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 18 Mar 2019 04:51:34 -0700 (PDT) Received-SPF: pass (google.com: domain of andreas.reichel.ext@siemens.com designates 192.35.17.28 as permitted sender) client-ip=192.35.17.28; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of andreas.reichel.ext@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=andreas.reichel.ext@siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id x2IBpXin020304 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Mon, 18 Mar 2019 12:51:34 +0100 Received: from iiotirae (golem.ppmd.siemens.net [139.25.69.17]) by mail1.sbs.de (8.15.2/8.15.2) with SMTP id x2IBpXTk003467; Mon, 18 Mar 2019 12:51:33 +0100 Date: Mon, 18 Mar 2019 12:49:39 +0100 From: Andreas Reichel To: Claudius Heine Cc: isar-users@googlegroups.com Subject: Re: [PATCH v4 5/6] Use apt-key to generate apt-keyring Message-ID: <20190318114939.GA18504@iiotirae> References: <20190307142304.14508-1-andreas.reichel.ext@siemens.com> <20190307142304.14508-6-andreas.reichel.ext@siemens.com> <7e4f740c-61a8-514c-a2c5-80ebb694501a@siemens.com> <20190318102104.GC9919@iiotirae> <50eeee22-fe66-8fc9-3215-e534b47b4a8d@siemens.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Description: message Content-Disposition: inline In-Reply-To: <50eeee22-fe66-8fc9-3215-e534b47b4a8d@siemens.com> User-Agent: Mutt/1.11.4 (2019-03-13) X-TUID: kaLCsbYg9ICj On Mon, Mar 18, 2019 at 12:48:03PM +0100, Claudius Heine wrote: > Hi Andreas, > > On 18/03/2019 11.21, Andreas Reichel wrote: > > On Thu, Mar 07, 2019 at 03:58:32PM +0100, Claudius Heine wrote: > > > Hi Andreas, > > > > > > On 07/03/2019 15.23, [ext] Andreas J. Reichel wrote: > > > > From: Andreas Reichel > > > > > > > > Use apt-key instead of manually calling gpg. > > > > > > > > @@ -82,6 +82,7 @@ isar_image_cleanup() { > > > > fi > > > > rm -f "${IMAGE_ROOTFS}/etc/apt/sources-list" > > > > ' > > > > + sudo rm -f "${ISARKEYRING}" > > > > > > If I understand this correctly, you are removing the keys of third-party > > > repositories here. Why? Aren't they needed if someone wants to update the > > > image later manually via apt on a running system? > > > > > > IMO that only makes sense if this file only contains keys for repositories > > > like isar-apt or the cache repo. > > > > > Do we really want to split everything up because of this or not just > > keep all keys? If we keep keys we cannot use anymore, it does not hurt. > > Right! I would prefer keeping all keys instead of removing some that might > be needed for an update. > Okay, then my next series will keep the keys for simplicity :) > > Another way would be to specify the keys we want to keep like with > > ";keep=yes" in the fetcher URI and parse this. What do you think? > > That would be fine, if that works. > > > That would probably be better than to introduce different APT_KEY > > variables, which might be confusing in code. > > Well you can always come up with a better name for variables to avoid > confusion. > > [...] > > > > > # Base apt repository paths > > > > REPO_BASE_DIR = "${DL_DIR}/base-apt/apt" > > > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > > > index dbc3938..2fb5c5b 100644 > > > > --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > > > +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > > > > @@ -23,10 +23,9 @@ APTSRCS = "${WORKDIR}/apt-sources" > > > > APTSRCS_INIT = "${WORKDIR}/apt-sources-init" > > > > BASEAPTSRCS = "${WORKDIR}/base-apt-sources" > > > > APTKEYFILES = "" > > > > -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" > > > > -DEBOOTSTRAP_KEYRING = "" > > > > DEPLOY_ISAR_BOOTSTRAP ?= "" > > > > DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" > > > > +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2" > > > > DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }" > > > > @@ -43,7 +42,6 @@ python () { > > > > if own_pub_key: > > > > aptkeys += own_pub_key.split() > > > > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") > > > > for key in aptkeys: > > > > d.appendVar("SRC_URI", " %s" % key) > > > > fetcher = bb.fetch2.Fetch([key], d) > > > > @@ -158,6 +156,14 @@ def get_distro_needs_https_support(d, is_host=False): > > > > else: > > > > return "" > > > > +def get_distro_needs_gpg_support(d): > > > > + apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False) > > > > + if apt_keys: > > > > + return "gnupg" > > > > + return "" > > > > + > > > > +OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}" > > > > + > > > > def get_distro_source(d, is_host): > > > > return get_distro_primary_source_entry(d, is_host)[0] > > > > @@ -171,13 +177,17 @@ def get_distro_components_argument(d, is_host): > > > > else: > > > > return "" > > > > > +APTKEYTMPDIR := "${TMPDIR}/aptkeys" > > > > > > Is there a reason why this is in TMPDIR and not in WORKDIR? > > > > > Because we throw it way. We don't throw things in WORKDIR away. > > Sorry, I don't understand this. What do you mean with 'throw it away'? > > And even if you mean that that this is only used in a intermediate step, I > would prefer having it in the WORKDIR. > > What happens if two isar-bootstraps are run in parallel with a different > configuration? Could that not cause conflict? > > > > > > > + > > > > +do_generate_keyring[cleandirs] = "${APTKEYTMPDIR}" > > > > do_generate_keyring[dirs] = "${DL_DIR}" > > > > do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" > > > > do_generate_keyring() { > > > > if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then > > > > + chmod 777 "${APTKEYTMPDIR}" > > > > for keyfile in ${@d.getVar("APTKEYFILES", True)}; do > > > > - gpg --no-default-keyring --keyring "${APTKEYRING}" \ > > > > - --no-tty --homedir "${DL_DIR}" --import "$keyfile" > > > > + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")" > > > > + sudo apt-key --keyring "${ISARKEYRING}" add "$keyfile" > > > > done > > > > fi > > > > } > > > > @@ -221,7 +231,6 @@ isar_bootstrap() { > > > > if [ ${IS_HOST} ]; then > > > > ${DEBOOTSTRAP} $debootstrap_args \ > > > > ${@get_distro_components_argument(d, True)} \ > > > > - ${DEBOOTSTRAP_KEYRING} \ > > > > "${@get_distro_suite(d, True)}" \ > > > > "${ROOTFSDIR}" \ > > > > "${@get_distro_source(d, True)}" > > > > @@ -230,7 +239,6 @@ isar_bootstrap() { > > > > "${DEBOOTSTRAP}" $debootstrap_args \ > > > > --arch="${DISTRO_ARCH}" \ > > > > ${@get_distro_components_argument(d, False)} \ > > > > - ${DEBOOTSTRAP_KEYRING} \ > > > > "${@get_distro_suite(d, False)}" \ > > > > "${ROOTFSDIR}" \ > > > > "${@get_distro_source(d, False)}" > > > > @@ -259,6 +267,16 @@ isar_bootstrap() { > > > > mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d" > > > > install -v -m644 "${WORKDIR}/isar-apt.conf" \ > > > > "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf" > > > > + if [ -d ${TMPDIR}/aptkeys ]; then > > > > + for keyfile in ${TMPDIR}/aptkeys/* > > > > > > Maybe use APTKEYTMPDIR here, deduplication then it is easier to find usage > > > of this directory. > > > > True > > > > > > If the aptkeys directory is used somewhere outside of isar-bootstrap, then > > > the placeing it in TMPDIR directly makes sence, but if only isar-bootstrap > > > uses this directory WORKDIR would be better. > > > > > Do we know this beforehand? It is always allowed to put anything > > temporary in TMPDIR and it is temporary because we copy the keys around. > > Well the WORKDIR is inside the TMPDIR as well... And things in the WORKDIR > are copied around as well... I think I currently have trouble understanding > you here... > > Claudius > > > -- > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany > Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de -- Andreas Reichel Dipl.-Phys. (Univ.) Software Consultant Andreas.Reichel@tngtech.com, +49-174-3180074 TNG Technology Consulting GmbH, Betastr. 13a, 85774 Unterfoehring Geschaeftsfuehrer: Henrik Klagges, Dr. Robert Dahlke, Gerhard Mueller Sitz: Unterfoehring * Amtsgericht Muenchen * HRB 135082