Re: base-apt signing interface could be improved

[Henning Schild <henning.schild@siemens.com>]

Am Thu, 13 Jun 2019 09:55:29 -0700
schrieb "Amy_Fong@mentor.com" <amy.fong.3142@gmail.com>:

> On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote:
> >
> > Hi, 
> >
> > i just had a quick look at the implementation of the base-apt
> > signing for the first time. The interface is not ideal and has
> > potential for the signing key and the checking key not actually
> > belonging together. 
> >
> > As far as i understand the code i read, Isar will start signing 
> > base-apt if BASE_REPO_KEY is set to anything. The private key it
> > will use to sign the repo is not specified at all, it will be
> > whatever gnupg defaults to, given its configuration. 
> >
> > I would suggest to switch from "SignWith yes" to "SignWith
> > <keyid>", and derive the id from BASE_REPO_KEY. 
> >
> > Further improvements would be to actually configure gnupg inside
> > Isar and not rely on an outside configuration. Relying on the
> > outside config means that all (multi)configs will have to use the
> > same keypair. So we would add 
> >
> > BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE 
> >
> > Now we would create a new gpg homedir next to where we store
> > base-apt. We would import that one key there and potentially unlock
> > it with its passphrase. If we clean and rebuild we get a working
> > gpghome for sure. 
> >
> > Henning 
> >  
> 
> Hi,
> 
> Perhaps something like the following ... 
> 
> Of course, since BASE_REPO_KEY permits specifying
> multiple keys, this raises a question of which keyid?

Oh that is a nice hidden feature, indeed one can specify multiple keys
there. So that variable should be called BASE_REPO_KEYS instead.

And yes reprepro also supports multiple values. So i guess your patch
is correct and it would probably sign the repo with all the keys
specified.

Whether that is what we want is another question, and i am not sure
whether "yes" will also use all keys or just the default one.

> Amy
> 
> From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 2001
> From: Amy Fong <Amy_Fong@mentor.com>
> Date: Thu, 13 Jun 2019 12:52:06 -0400
> Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing
> 
> Extract keyid from BASE_REPO_KEY for signing
> 
> Signed-off-by: Amy Fong <Amy_Fong@mentor.com>
> ---
>  meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++-
>  1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-devtools/base-apt/base-apt.bb 
> b/meta/recipes-devtools/base-apt/base-apt.bb
> index 1c0b4c6..81245f7 100644
> --- a/meta/recipes-devtools/base-apt/base-apt.bb
> +++ b/meta/recipes-devtools/base-apt/base-apt.bb
> @@ -19,8 +19,15 @@ do_cache_config() {
>          sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
>              ${WORKDIR}/distributions.in >
> ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ; then
> +            option="yes"

maybe there is a better name for the variable?

Henning

> +            for key in ${BASE_REPO_KEY}; do
> +                keyid=$(wget -qO - $key | gpg --keyid-format 0xlong 
> --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}')
> +                if [ -n "$keyid" ]; then
> +                    option="$keyid"
> +                fi
> +            done
>              # To generate Release.gpg
> -            echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
> +            echo "SignWith: $option" >>
> ${CACHE_CONF_DIR}/distributions fi
>      fi
>