Date: Wed, 20 Jan 2021 11:55:42 +0100
From: Henning Schild
To: Anton Mikanovich
Cc: isar-users@googlegroups.com, Yuri Adamov
Subject: Re: [PATCH v2] isar-bootstrap: Run gpg-agent before starting apt-key
Message-ID: <20210120115542.074eeef1@md1za8fc.ad001.siemens.net>
In-Reply-To: <20210119112001.11651-1-amikan@ilbers.de>
References: <20210119112001.11651-1-amikan@ilbers.de>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.32; x86_64-pc-linux-gnu)

On Tue, 19 Jan 2021 14:20:01 +0300, Anton Mikanovich wrote:
> From: Yuri Adamov > > Building rpi-stretch natively (under qemu) sometimes fails with: > > gpg: can't connect to the agent: IPC connect call failed > > gpg starts gpg-agent and times out after 5 s. This value is > hard-coded. > > Besides, leaving running gpg-agent processes is not clean and prevents > unmounting of filesystems. > > This patch starts and stops the agent manually. > > gnupg now appended to package list unconditionally because gpg-agent > is used in every isar_bootstrap run. > > Signed-off-by: Yuri Adamov > Signed-off-by: Anton Mikanovich > --- > Changes since v1: > - Removed unnecessary sleeping. > - Removed -9 in kill. > - Commented unconditionally gnupg package append. > - Removed unused OVERRIDES_append and get_distro_needs_gpg_support(). > --- > .../isar-bootstrap/isar-bootstrap.inc | 22 > +++++++++---------- 1 file changed, 10 insertions(+), 12 deletions(-) > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index > 8f5f727..751980f 100644 --- > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -24,7 +24,7 > @@ DISTRO_BOOTSTRAP_KEYFILES = "" THIRD_PARTY_APT_KEYFILES = "" > DEPLOY_ISAR_BOOTSTRAP ?= "" > DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" > -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg" > +DISTRO_BOOTSTRAP_BASE_PACKAGES_append = ",gnupg" > DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = > "${@https_support(d)}" > inherit deb-dl-dir 
> @@ -175,16 +175,6 @@ def get_distro_needs_https_support(d, > is_host=False): else: > return "" > > -def get_distro_needs_gpg_support(d): > - apt_keys = d.getVar("DISTRO_BOOTSTRAP_KEYS") or "" > - apt_keys += " " + (d.getVar("THIRD_PARTY_APT_KEYS") or "") > - apt_keys += " " + (d.getVar("BASE_REPO_KEY") or "") > - if apt_keys != " ": > - return "gnupg" > - return "" > - > -OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}" > - > def get_distro_source(d, is_host): > return get_distro_primary_source_entry(d, is_host)[0] 
> > @@ -309,14 +299,22 @@ isar_bootstrap() { > mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d" > install -v -m644 "${WORKDIR}/isar-apt.conf" \ > "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf" > + MY_GPGHOME=$(chroot "${ROOTFSDIR}" mktemp -d > /tmp/gpghomeXXXXXXXXXX) > + echo "Created temporary directory ${MY_GPGHOME} for > gpg-agent" It is probably better to "export GNUPGHOME" and skip the extra argument to all the calls, this way we can not forget that argument on some calls. > + chroot "${ROOTFSDIR}" gpg-agent --homedir > "${MY_GPGHOME}" --daemon find ${APT_KEYS_DIR}/ -type f | while read > keyfile do > kfn="$(basename $keyfile)" > cp $keyfile "${ROOTFSDIR}/tmp/$kfn" > chroot "${ROOTFSDIR}" /usr/bin/apt-key \ > - --keyring ${THIRD_PARTY_APT_KEYRING} add > "/tmp/$kfn" > + --keyring ${THIRD_PARTY_APT_KEYRING} \ > + --homedir ${MY_GPGHOME} add "/tmp/$kfn" > rm "${ROOTFSDIR}/tmp/$kfn" > done > + GPG_AGENT_PID=$(ps -aux | grep > "gpg-agent.*${MY_GPGHOME}" | grep -v grep | awk '{print $2}') > + echo "Killing gpg-agent with pid $GPG_AGENT_PID" > + /bin/kill ${GPG_AGENT_PID} That kill is better done with "gpgconf --kill gpg-agent". In fact you should kill always before the first use, in case something fails and a second run finds a running agent. > + chroot "${ROOTFSDIR}" /bin/rm -rf "${MY_GPGHOME}" this should be guarded making sure MY_GPGHOME is indeed a directory with a matching name ... would be a pity if for some reason it would be i.e. "/usr" or even only "/tmp" Henning > if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ > "${@get_host_release().split('.')[0]}" -lt "4" ]; then install -v > -m644 "${WORKDIR}/isar-apt-fallback.conf" \
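Review bot: the v2 changelog says the unconditional gnupg append was "commented", but the first hunk carries no comment next to `DISTRO_BOOTSTRAP_BASE_PACKAGES_append = ",gnupg"`. Add a one-line comment there stating that gnupg is now always required because isar_bootstrap starts gpg-agent on every run, otherwise the next reader will see an unconditional package append with no rationale and be tempted to make it conditional again.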
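Review bot: removing `OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}"` in the second hunk deletes the `gnupg` override entirely, so any `_gnupg`-suffixed assignment that survives in another recipe, a layer config or a downstream layer would silently never apply rather than fail. Grep the tree for the `_gnupg` suffix before merging (the first hunk converts the only in-tree user), and state the override removal explicitly in the commit message so out-of-tree layers that relied on it are warned.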
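Review bot: the agent lookup `GPG_AGENT_PID=$(ps -aux | grep "gpg-agent.*${MY_GPGHOME}" | grep -v grep | awk '{print $2}')` in the third hunk is fragile: when the agent failed to start, exited early, or was spawned with a different command line, the variable is empty and `/bin/kill ${GPG_AGENT_PID}` errors out after the keys have already been imported, leaving the temporary home behind. Since the agent is started with `--homedir "${MY_GPGHOME}"`, stop it the same way, `chroot "${ROOTFSDIR}" gpgconf --homedir "${MY_GPGHOME}" --kill gpg-agent`, which needs no PID scraping and is a no-op when nothing is running; the `gpg-agent --daemon` line should also have its exit status checked so a start failure is reported at the point it happens instead of resurfacing later as the original "can't connect to the agent" error.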
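The review asks for three changes to the isar_bootstrap hunk: export GNUPGHOME instead of threading `--homedir` through every call, stop the agent with `gpgconf --kill gpg-agent` (and kill before first use so a failed earlier run cannot leave a stale agent), and guard the `rm -rf` so it can never act on "/tmp" or "/usr". The following is an added example sketching how a hardened version of that fragment could look; it is not code from the patch or from Isar. It keeps the hunk's variable names (ROOTFSDIR, APT_KEYS_DIR, THIRD_PARTY_APT_KEYRING) and the same chroot-relative mktemp template, `/tmp/gpghomeXXXXXXXXXX`; the function names are mine, and the guard `is_safe_gpghome` is the part a test can exercise without a chroot.

```shell
#!/bin/sh
# Added example, not the patch's code. Hardened handling of a throwaway
# GNUPGHOME inside the bootstrap rootfs, following the review comments.
# Assumptions: ROOTFSDIR is the chroot, APT_KEYS_DIR holds the key files,
# THIRD_PARTY_APT_KEYRING is the target keyring (names taken from the hunk);
# the temporary home uses the patch's template, /tmp/gpghomeXXXXXXXXXX.

# Accept only a path that matches the mktemp template exactly and is a real
# (non-symlink) directory below the rootfs. "", "/", "/tmp" and "/usr" are all
# rejected, so an empty or clobbered variable can never widen the rm -rf.
#   $1: chroot-relative GNUPGHOME   $2: rootfs directory ("" for the host)
is_safe_gpghome() {
    case "$1" in
        /tmp/gpghome??????????) ;;   # exactly ten random characters, as in the template
        *) return 1 ;;
    esac
    [ -d "$2$1" ] && [ ! -L "$2$1" ]
}

# Create a fresh temporary home, export GNUPGHOME so every later gpg/apt-key
# call in the chroot inherits it, and start one agent for it.
start_gpghome() {
    GNUPGHOME=$(chroot "${ROOTFSDIR}" mktemp -d /tmp/gpghomeXXXXXXXXXX) || return 1
    is_safe_gpghome "${GNUPGHOME}" "${ROOTFSDIR}" || return 1
    export GNUPGHOME
    # Kill first, as the review suggests, so a stale agent from a failed run
    # is never reused; gpgconf honours the exported GNUPGHOME.
    chroot "${ROOTFSDIR}" gpgconf --kill gpg-agent 2>/dev/null || true
    # Fail loudly here rather than later with "can't connect to the agent".
    chroot "${ROOTFSDIR}" gpg-agent --daemon || {
        echo "gpg-agent failed to start for ${GNUPGHOME}" >&2
        return 1
    }
}

# Import the apt keys; no --homedir argument is needed any more.
import_apt_keys() {
    find "${APT_KEYS_DIR}/" -type f | while read -r keyfile; do
        kfn=$(basename "$keyfile")
        cp "$keyfile" "${ROOTFSDIR}/tmp/$kfn"
        chroot "${ROOTFSDIR}" /usr/bin/apt-key \
            --keyring "${THIRD_PARTY_APT_KEYRING}" add "/tmp/$kfn"
        rm "${ROOTFSDIR}/tmp/$kfn"
    done
}

# Stop the agent without PID scraping and remove the home, but only after the
# guard has re-checked the path right before the rm -rf.
stop_gpghome() {
    if ! is_safe_gpghome "${GNUPGHOME}" "${ROOTFSDIR}"; then
        echo "refusing to remove unexpected GNUPGHOME '${GNUPGHOME}'" >&2
        return 1
    fi
    chroot "${ROOTFSDIR}" gpgconf --kill gpg-agent 2>/dev/null || true
    chroot "${ROOTFSDIR}" rm -rf "${GNUPGHOME}"
    unset GNUPGHOME
}

# Intended call order inside isar_bootstrap():
#   start_gpghome && import_apt_keys; stop_gpghome
```

Because the guard checks the pattern on the chroot-relative path but the directory test on `rootfs + path`, it works both for the real build (ROOTFSDIR set) and on the host (ROOTFSDIR empty), and a symlink placed at a matching name is rejected as well.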