From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6669723628337102848 X-Received: by 2002:a2e:975a:: with SMTP id f26mr3926533ljj.5.1555419923247; Tue, 16 Apr 2019 06:05:23 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a2e:5bc1:: with SMTP id m62ls765687lje.2.gmail; Tue, 16 Apr 2019 06:05:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqy4Kp16uAyh1XY8Fk6ppvS1/6/8fDmYi4P5lGFqsR6aXK/fDOtI3E7nEiSHQ6fJaNilkrHr X-Received: by 2002:a05:651c:152:: with SMTP id c18mr4192299ljd.15.1555419922623; Tue, 16 Apr 2019 06:05:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555419922; cv=none; d=google.com; s=arc-20160816; b=W9EG0q5Q8XfNhYFa14YyYTudIFLiz9tstsS060aGSdUBSjvKDeDGbBBcZatrljJE2V 8Cx0JdEgk3LS8nUKqFh0b0W57aekXS/u7KrqbCdsl67xN6jTLi0I3imynu6og6RI2aot qkfN4LNHcvywqRZVUpiMAO8ozt4W6ixPT7k4XmZx+3+zOg4hyK4pVP5Cbgd5SOYJ9vdp sEgYGw8Pd8cxJdaD1WSuTsSQo9CZL2emvxa0KSRoNKmwBjRrSrrYepWnod7xIVGahYEa Pj9AghNPgQiAm5NrnFuv3FwNhNgFjWjpEx4GuPVyxqbRxExtGUO6Rljj8GAv1H3tYeqd fVFA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=5igg9pxCcIfkTZTxdKf5IOgbWGLo+IilkvoRORDV2xM=; b=yTwUmJjYkZDF0iP/SU+ADP9B2gmKGQh5trJvDisNRgMB63QwUWB5VjP54ANRFLuTQE eZeIiP4YLwl2CJe6uTKo57etKxY+I1OcvONMunl1UiaEZozQsJVIqsMPWlwOm8JbN6zv 5/daKxF9mvGgeQjIijsrtFRS6PH+2JTt0f7AVgNhp4kPniQcrH/KuP74vPXx7fHtF8vc i/k2pErE3XoZNtBLGLKeXKR782puvS6CrNxumTO6wR2CrzpmiXVBdrotfgYcsNTew23T 4AA6PwTgWqs27ouxgPcbLDe/3yhWR4ey8bJzHPFXxsEwWMAzz5hq7wIQvLrw3qo8W1ys 234Q== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of andreas.reichel.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=andreas.reichel.ext@siemens.com Return-Path: Received: from david.siemens.de (david.siemens.de. 
[192.35.17.14]) by gmr-mx.google.com with ESMTPS id p16si1034917ljp.1.2019.04.16.06.05.22 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 16 Apr 2019 06:05:22 -0700 (PDT) Received-SPF: pass (google.com: domain of andreas.reichel.ext@siemens.com designates 192.35.17.14 as permitted sender) client-ip=192.35.17.14; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of andreas.reichel.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=andreas.reichel.ext@siemens.com Received: from mail2.siemens.de (mail2.siemens.de [139.25.208.11]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id x3GD5Lx1011393 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 16 Apr 2019 15:05:21 +0200 Received: from localhost.localdomain (golem.ppmd.siemens.net [139.25.69.122]) by mail2.siemens.de (8.15.2/8.15.2) with ESMTP id x3GD5L2q003341; Tue, 16 Apr 2019 15:05:21 +0200 From: "Andreas J. Reichel" To: isar-users@googlegroups.com Cc: Andreas Reichel Subject: [PATCH v9 2/5] Use apt-key to generate keyrings Date: Tue, 16 Apr 2019 15:05:08 +0200 Message-Id: <20190416130511.10873-3-andreas.reichel.ext@siemens.com> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190416130511.10873-1-andreas.reichel.ext@siemens.com> References: <20190416130511.10873-1-andreas.reichel.ext@siemens.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-TUID: CFF4KJB5ThcI From: Andreas Reichel * Keyring names as well as variable names are now cleanly separated: DISTRO_BOOTSTRAP_KEYS, DISTRO_BOOTSTRAP_KEYRING and DISTRO_BOOTSTRAP_KEYFILES for bootstrapping the distro. THIRD_PARTY_APT_KEYS, THIRD_PARTY_APT_KEYRING and THIRD_PARTY_APT_KEYFILES for installing packages after bootstrapping. 
Signed-off-by: Andreas Reichel --- meta/conf/bitbake.conf | 1 + .../isar-bootstrap/isar-bootstrap-host.bb | 4 +- .../isar-bootstrap/isar-bootstrap-target.bb | 4 +- .../isar-bootstrap/isar-bootstrap.inc | 75 +++++++++++++------ 4 files changed, 59 insertions(+), 25 deletions(-) diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf index 0e521bb..3782e5c 100644 --- a/meta/conf/bitbake.conf +++ b/meta/conf/bitbake.conf @@ -62,6 +62,7 @@ DEBDISTRONAME = "isar" # Isar apt repository paths REPO_ISAR_DIR = "${DEPLOY_DIR}/isar-apt/apt" REPO_ISAR_DB_DIR = "${DEPLOY_DIR}/isar-apt/db" +THIRD_PARTY_APT_KEYRING = "/etc/apt/trusted.gpg.d/third_party.gpg" # Base apt repository paths REPO_BASE_DIR = "${DL_DIR}/base-apt/apt" diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb b/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb index 08b068f..7ee4c61 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb @@ -14,7 +14,7 @@ ISAR_BOOTSTRAP_LOCK = "${DEPLOY_DIR_BOOTSTRAP}/${HOST_DISTRO}-${HOST_ARCH}.lock" require isar-bootstrap.inc inherit isar-bootstrap-helper -do_generate_keyring[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" +do_generate_keyrings[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" do_apt_config_prepare[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" do_apt_config_prepare[dirs] = "${WORKDIR}" @@ -52,4 +52,4 @@ do_bootstrap[vardeps] += "HOST_DISTRO_APT_SOURCES" do_bootstrap() { isar_bootstrap --host } -addtask bootstrap before do_build after do_generate_keyring +addtask bootstrap before do_build after do_generate_keyrings diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb b/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb index 79f3e34..39f12b5 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb 
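Review bot: THIRD_PARTY_APT_KEYRING in the bitbake.conf hunk is the one keyring path in this series that names a file inside the generated rootfs (`/etc/apt/trusted.gpg.d/third_party.gpg`, later passed to apt-key through chroot), while DISTRO_BOOTSTRAP_KEYRING in isar-bootstrap.inc is a host-side WORKDIR file, and nothing on the line says so. Placed under the "# Isar apt repository paths" heading next to the host-side REPO_ISAR_* paths it reads as another host path. I would add above it `# Keyring inside the rootfs that receives THIRD_PARTY_APT_KEYS (see isar-bootstrap.inc)`.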
@@ -13,7 +13,7 @@ ISAR_BOOTSTRAP_LOCK = "${DEPLOY_DIR_BOOTSTRAP}/${DISTRO}-${DISTRO_ARCH}.lock" require isar-bootstrap.inc -do_generate_keyring[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" +do_generate_keyrings[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" do_apt_config_prepare[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}" do_apt_config_prepare[dirs] = "${WORKDIR}" @@ -49,5 +49,5 @@ do_bootstrap[vardeps] += "DISTRO_APT_SOURCES" do_bootstrap() { isar_bootstrap } -addtask bootstrap before do_build after do_generate_keyring +addtask bootstrap before do_build after do_generate_keyrings diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index 90a0faa..835ad52 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc 
@@ -22,34 +22,41 @@ APTPREFS = "${WORKDIR}/apt-preferences" APTSRCS = "${WORKDIR}/apt-sources" APTSRCS_INIT = "${WORKDIR}/apt-sources-init" BASEAPTSRCS = "${WORKDIR}/base-apt-sources" -APTKEYFILES = "" -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" -DEBOOTSTRAP_KEYRING = "" +DISTRO_BOOTSTRAP_KEYFILES = "" +THIRD_PARTY_APT_KEYFILES = "" DEPLOY_ISAR_BOOTSTRAP ?= "" DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2" DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }" inherit base-apt-helper python () { - distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False) - aptkeys = [] + distro_bootstrap_keys = (d.getVar("DISTRO_BOOTSTRAP_KEYS", False) or "").split() - if distro_apt_keys: - aptkeys += distro_apt_keys.split() + third_party_apt_keys = (d.getVar("THIRD_PARTY_APT_KEYS", False) or "").split() + + # The cached repo key can be both for bootstrapping and apt package + # installation afterwards. However, debootstrap will include the key into + # the rootfs automatically thus the right place is distro_bootstrap_keys. if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): own_pub_key = d.getVar("BASE_REPO_KEY", False) if own_pub_key: - aptkeys += own_pub_key.split() + distro_bootstrap_keys += own_pub_key.split() + + for key in distro_bootstrap_keys: + d.appendVar("SRC_URI", " %s" % key) + fetcher = bb.fetch2.Fetch([key], d) + filename = fetcher.localpath(key) + d.appendVar("DISTRO_BOOTSTRAP_KEYFILES", " %s" % filename) - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") - for key in aptkeys: + for key in third_party_apt_keys: d.appendVar("SRC_URI", " %s" % key) fetcher = bb.fetch2.Fetch([key], d) filename = fetcher.localpath(key) - d.appendVar("APTKEYFILES", " %s" % filename) + d.appendVar("THIRD_PARTY_APT_KEYFILES", " %s" % filename) } def aggregate_files(d, file_list, file_out): 
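Review bot: The key files this python block fetches become the trust anchors for debootstrap and for later apt installs, yet nothing in the hunk documents how a key given as a plain http URL in DISTRO_BOOTSTRAP_KEYS or THIRD_PARTY_APT_KEYS is verified beyond whatever checksum the user attached to the entry; if this layer does not set BB_STRICT_CHECKSUM (not visible here), a missing checksum is presumably only a fetcher warning. I would state the expectation in the comment block that already explains the cached-repo key, e.g. `# Keys listed here are trust anchors: ship them via file:// or give the URL a sha256sum= parameter.`. As a point of style, the two fetch loops are identical apart from the destination variable and could be one local helper called for (distro_bootstrap_keys, "DISTRO_BOOTSTRAP_KEYFILES") and (third_party_apt_keys, "THIRD_PARTY_APT_KEYFILES"), so that a future key-handling fix lands in both paths.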
@@ -159,6 +166,14 @@ def get_distro_needs_https_support(d, is_host=False): else: return "" +def get_distro_needs_gpg_support(d): + apt_keys = d.getVar("THIRD_PARTY_APT_KEYS", False) + if apt_keys and apt_keys != "": + return "gnupg" + return "" + +OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}" + def get_distro_source(d, is_host): return get_distro_primary_source_entry(d, is_host)[0] @@ -172,17 +187,26 @@ def get_distro_components_argument(d, is_host): else: return "" -do_generate_keyring[dirs] = "${DL_DIR}" -do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" -do_generate_keyring() { - if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then - for keyfile in ${@d.getVar("APTKEYFILES", True)}; do - gpg --no-default-keyring --keyring "${APTKEYRING}" \ - --no-tty --homedir "${DL_DIR}" --import "$keyfile" +APT_KEYS_DIR := "${WORKDIR}/aptkeys" +DISTRO_BOOTSTRAP_KEYRING := "${WORKDIR}/distro-keyring.gpg" + +do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}" +do_generate_keyrings[dirs] = "${DL_DIR}" +do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS" +do_generate_keyrings() { + if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then + chmod 777 "${APT_KEYS_DIR}" + for keyfile in ${@d.getVar("THIRD_PARTY_APT_KEYFILES", True)}; do + cp "$keyfile" "${APT_KEYS_DIR}"/"$(basename "$keyfile")" + done + fi + if [ -n "${@d.getVar("DISTRO_BOOTSTRAP_KEYFILES", True) or ""}" ]; then + for keyfile in ${@d.getVar("DISTRO_BOOTSTRAP_KEYFILES", True)}; do + sudo apt-key --keyring "${DISTRO_BOOTSTRAP_KEYRING}" add $keyfile done fi } -addtask generate_keyring before do_build after do_unpack +addtask generate_keyrings before do_build after do_unpack 
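Review bot: In get_distro_needs_gpg_support the test `if apt_keys and apt_keys != "":` is redundant (a non-empty string is already truthy) and a whitespace-only THIRD_PARTY_APT_KEYS still yields "gnupg", while the python block in the previous hunk treats the same variable with `.split()` and would see no keys. `if (d.getVar("THIRD_PARTY_APT_KEYS", False) or "").strip(): return "gnupg"` keeps the two in agreement. Note also that `OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}"` appends a bare ":" when no keys are configured, which I believe leaves an empty override name in OVERRIDES; harmless as far as I can tell, but worth a one-line comment if intentional.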
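Review bot: `chmod 777 "${APT_KEYS_DIR}"` in do_generate_keyrings makes the staging directory world-writable, and every file found there is later imported into the rootfs trusted keyring by isar_bootstrap without further checks, so any other account on the build host could drop or replace a key between the two tasks; nothing visible in the patch reads APT_KEYS_DIR as a different user (the files are copied back with a plain cp), so the chmod appears unnecessary. I would drop that line and keep the directory at WORKDIR's default permissions. The two loop bodies also leave `$keyfile` unquoted where it matters: `cp "$keyfile" "${APT_KEYS_DIR}/$(basename "$keyfile")"` and `sudo apt-key --keyring "${DISTRO_BOOTSTRAP_KEYRING}" add "$keyfile"`. Running apt-key under sudo presumably leaves a root-owned distro-keyring.gpg inside WORKDIR, which may trip the task's cleandirs/rm handling later; if sudo is required here, a comment saying why would help.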
@@ -206,6 +230,9 @@ isar_bootstrap() { shift done debootstrap_args="--verbose --variant=minbase --include=${DISTRO_BOOTSTRAP_BASE_PACKAGES}" + if [ ! "x${DISTRO_BOOTSTRAP_KEYS}" = "x" ]; then + debootstrap_args="$debootstrap_args --keyring=${DISTRO_BOOTSTRAP_KEYRING}" + fi if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then if [ -z "${BASE_REPO_KEY}" ] ; then debootstrap_args="$debootstrap_args --no-check-gpg" @@ -222,7 +249,6 @@ isar_bootstrap() { if [ ${IS_HOST} ]; then ${DEBOOTSTRAP} $debootstrap_args \ ${@get_distro_components_argument(d, True)} \ - ${DEBOOTSTRAP_KEYRING} \ "${@get_distro_suite(d, True)}" \ "${ROOTFSDIR}" \ "${@get_distro_source(d, True)}" @@ -231,7 +257,6 @@ isar_bootstrap() { "${DEBOOTSTRAP}" $debootstrap_args \ --arch="${DISTRO_ARCH}" \ ${@get_distro_components_argument(d, False)} \ - ${DEBOOTSTRAP_KEYRING} \ "${@get_distro_suite(d, False)}" \ "${ROOTFSDIR}" \ "${@get_distro_source(d, False)}" @@ -260,6 +285,14 @@ isar_bootstrap() { mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d" install -v -m644 "${WORKDIR}/isar-apt.conf" \ "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf" + find ${APT_KEYS_DIR}/ -type f | while read keyfile + do + kfn="$(basename $keyfile)" + cp $keyfile "${ROOTFSDIR}/tmp/$kfn" + sudo -E chroot "${ROOTFSDIR}" /usr/bin/apt-key \ + --keyring ${THIRD_PARTY_APT_KEYRING} add "/tmp/$kfn" + rm "${ROOTFSDIR}/tmp/$kfn" + done if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \ -- 2.21.0
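Review bot: The new `--keyring` argument is gated on DISTRO_BOOTSTRAP_KEYS, but the python block in isar-bootstrap.inc also feeds BASE_REPO_KEY into DISTRO_BOOTSTRAP_KEYFILES when ISAR_USE_CACHED_BASE_REPO is set, and do_generate_keyrings builds DISTRO_BOOTSTRAP_KEYRING from that list. With a cached base repo, BASE_REPO_KEY set and DISTRO_BOOTSTRAP_KEYS empty, the keyring is generated but never passed, and since the `--no-check-gpg` branch below is skipped when BASE_REPO_KEY is non-empty, debootstrap is presumably left verifying the local repo against its default keyring. Gate on what was actually imported, consistent with do_generate_keyrings: `if [ -n "${@d.getVar("DISTRO_BOOTSTRAP_KEYFILES", True) or ""}" ]; then`. isar_bootstrap starts outside this hunk.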
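Review bot: In the last hunk the `find ${APT_KEYS_DIR}/ -type f | while read keyfile` loop leaves `${APT_KEYS_DIR}` and `$keyfile` unquoted and uses `read` without `-r`, so a key file name containing spaces or backslashes is split or mangled before it reaches the chroot'ed apt-key call. I would write `find "${APT_KEYS_DIR}/" -type f | while read -r keyfile`, `kfn="$(basename "$keyfile")"` and `cp "$keyfile" "${ROOTFSDIR}/tmp/$kfn"`. A short comment above the loop naming the target keyring (`# import THIRD_PARTY_APT_KEYS into ${THIRD_PARTY_APT_KEYRING} inside the rootfs; requires gnupg there`) would also tie this to the gnupg override added earlier in the series. isar_bootstrap continues outside this hunk.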