* [PATCH] meta-isar: Add local ubuntu-focal public key
@ 2023-04-07 5:28 Uladzimir Bely
2023-04-12 16:22 ` Uladzimir Bely
0 siblings, 1 reply; 2+ messages in thread
From: Uladzimir Bely @ 2023-04-07 5:28 UTC (permalink / raw)
To: isar-users
When debootstrapping Ubuntu in signed mode we need a local key
taken from the official Ubuntu repository, similar to RaspiOS.

This makes debootstrapping more strict and additionally allows the use of
other debootstrapping utilities (like mmdebstrap).

Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
---
Debootstrap log before the patch:
```
I: Running command: debootstrap --verbose --variant=minbase --include=locales --arch=amd64 --components=main,restricted,universe,multiverse focal /build/tmp/work/ubuntu-focal-amd64/isar-bootstrap-target/1.0-r0/rootfs http://archive.ubuntu.com/ubuntu /usr/share/debootstrap/scripts/gutsy
W: Cannot check Release signature; keyring file not available /usr/share/keyrings/ubuntu-archive-keyring.gpg
I: Retrieving InRelease
I: Retrieving Packages
```
Debootstrap log after the patch:
```
I: Running command: debootstrap --verbose --variant=minbase --include=locales,gnupg --keyring=/build/tmp/work/ubuntu-focal-amd64/isar-bootstrap-target/1.0-r0/distro-keyring.gpg --arch=amd64 --components=main,restricted,universe,multiverse focal /build/tmp/work/ubuntu-focal-amd64/isar-bootstrap-target/1.0-r0/rootfs http://archive.ubuntu.com/ubuntu /usr/share/debootstrap/scripts/gutsy
I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id F6ECB3762474EDA9D21B7022871920D1991BC93C)
I: Retrieving Packages
```
meta-isar/conf/distro/ubuntu-focal.conf | 5 +++
meta-isar/conf/distro/ubuntu.public.key | 53 +++++++++++++++++++++++++
2 files changed, 58 insertions(+)
create mode 100644 meta-isar/conf/distro/ubuntu.public.key
diff --git a/meta-isar/conf/distro/ubuntu-focal.conf b/meta-isar/conf/distro/ubuntu-focal.conf
index 6292501a..0cb6958d 100644
--- a/meta-isar/conf/distro/ubuntu-focal.conf
+++ b/meta-isar/conf/distro/ubuntu-focal.conf
@@ -13,6 +13,11 @@ HOST_BASE_DISTRO = "${BASE_DISTRO}"
DISTRO_APT_SOURCES:arm64 ?= "conf/distro/${BASE_DISTRO}-${BASE_DISTRO_CODENAME}-ports.list"
HOST_DISTRO_APT_SOURCES:arm64 ?= "conf/distro/${HOST_DISTRO}.list conf/distro/${HOST_DISTRO}-ports.list"
+BOOTSTRAP_KEY = "file://${LAYERDIR_isar}/conf/distro/ubuntu.public.key;sha256sum=36a38199a4bf4eae1e7f574891f7dfcb79b91b87a33a499383265e1224b5e989"
+DISTRO_BOOTSTRAP_KEYS += "${BOOTSTRAP_KEY}"
+HOST_DISTRO_BOOTSTRAP_KEYS += "${BOOTSTRAP_KEY}"
+
+
# that is what debootstrap_1.0.118ubuntu1 does anyways
DISTRO_DEBOOTSTRAP_SCRIPT = "/usr/share/debootstrap/scripts/gutsy"
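Review bot: BOOTSTRAP_KEY is an un-prefixed helper variable assigned with a hard `=` in the distro conf, so it overrides any value an earlier-parsed layer or config gave to the same name; either inline the `file://...;sha256sum=...` URI in the two `+=` lines or give the helper a distro-specific name. The hunk also adds two consecutive blank lines before the existing "# that is what debootstrap_1.0.118ubuntu1 does anyways" comment; one is enough.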
diff --git a/meta-isar/conf/distro/ubuntu.public.key b/meta-isar/conf/distro/ubuntu.public.key
new file mode 100644
index 00000000..994f9f19
--- /dev/null
+++ b/meta-isar/conf/distro/ubuntu.public.key
@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=kRV1
+-----END PGP PUBLIC KEY BLOCK-----
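Review bot: The new ubuntu.public.key carries no record of which key it holds or how it was obtained; the commit message says only that it was "taken from official Ubuntu repository", and the only fingerprint on the page is the one in the debootstrap log. Please state the fingerprint(s) and the exact source in the commit message or in a comment next to BOOTSTRAP_KEY, so the armored block can be checked out of band: the sha256sum in the conf pins the file's bytes but says nothing about where they came from. The file name is also release-neutral while only ubuntu-focal.conf references it, so it is worth saying whether the key is meant to be reused for other Ubuntu releases.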
--
2.20.1
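
The two debootstrap logs in the mail above differ in exactly the lines a build gate can check. The following is an added example, not part of the patch or of isar: the function name, return codes and sample files are assumptions, and the sample logs are shortened from the logs quoted in the mail.

```sh
# Added example (not from the isar project): fail a build unless debootstrap
# verified the Release file with an expected key.
# Usage: check_debootstrap_log LOGFILE ALLOWED_FINGERPRINT...
# Returns 0 = verified by an allowed key, 1 = signature check skipped,
#         2 = no valid signature reported, 3 = signed by an unexpected key.
check_debootstrap_log() {
    log=$1; shift
    # Without a keyring debootstrap only warns and carries on; treat that as fatal.
    if grep -q '^W: Cannot check Release signature' "$log"; then
        echo "FAIL: Release signature was not checked" >&2
        return 1
    fi
    keyids=$(sed -n 's/^I: Valid Release signature (key id \([0-9A-Fa-f]*\))$/\1/p' "$log")
    if [ -z "$keyids" ]; then
        echo "FAIL: no valid Release signature reported" >&2
        return 2
    fi
    for keyid in $keyids; do
        ok=0
        for allowed in "$@"; do
            if [ "$keyid" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -ne 1 ]; then
            echo "FAIL: Release signed by unexpected key $keyid" >&2
            return 3
        fi
    done
    return 0
}

# Sample logs, shortened from the two logs quoted in the patch mail.
write_sample_logs() {
    cat > "$1/unsigned.log" <<'EOF'
W: Cannot check Release signature; keyring file not available /usr/share/keyrings/ubuntu-archive-keyring.gpg
I: Retrieving InRelease
I: Retrieving Packages
EOF
    cat > "$1/signed.log" <<'EOF'
I: Retrieving InRelease
I: Checking Release signature
I: Valid Release signature (key id F6ECB3762474EDA9D21B7022871920D1991BC93C)
I: Retrieving Packages
EOF
}

UBUNTU_KEY=F6ECB3762474EDA9D21B7022871920D1991BC93C   # key id from the log above
tmp=$(mktemp -d) && write_sample_logs "$tmp"
check_debootstrap_log "$tmp/signed.log" "$UBUNTU_KEY" && echo "signed.log: ok"
check_debootstrap_log "$tmp/unsigned.log" "$UBUNTU_KEY" || echo "unsigned.log: rejected"
rm -rf "$tmp"
```
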
* Re: [PATCH] meta-isar: Add local ubuntu-focal public key
2023-04-07 5:28 [PATCH] meta-isar: Add local ubuntu-focal public key Uladzimir Bely
@ 2023-04-12 16:22 ` Uladzimir Bely
0 siblings, 0 replies; 2+ messages in thread
From: Uladzimir Bely @ 2023-04-12 16:22 UTC (permalink / raw)
To: isar-users
In mail from Friday, 7 April 2023 08:28:38 +03 user Uladzimir Bely wrote:
> When debootstrapping Ubuntu in signed mode we need a local key
> taken from the official Ubuntu repository, similar to RaspiOS.
>
> This makes debootstrapping more strict and additionally allows the use of
> other debootstrapping utilities (like mmdebstrap).
>
> Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
> ---
> Debootstrap log before the patch:
>
> ```
> I: Running command: debootstrap --verbose --variant=minbase
> --include=locales --arch=amd64
> --components=main,restricted,universe,multiverse focal
> /build/tmp/work/ubuntu-focal-amd64/isar-bootstrap-target/1.0-r0/rootfs
> http://archive.ubuntu.com/ubuntu /usr/share/debootstrap/scripts/gutsy W:
> Cannot check Release signature; keyring file not available
> /usr/share/keyrings/ubuntu-archive-keyring.gpg I: Retrieving InRelease
> I: Retrieving Packages
> ```
> Debootstrap log after the patch:
>
> ```
> I: Running command: debootstrap --verbose --variant=minbase
> --include=locales,gnupg
> --keyring=/build/tmp/work/ubuntu-focal-amd64/isar-bootstrap-target/1.0-r0/d
> istro-keyring.gpg --arch=amd64
> --components=main,restricted,universe,multiverse focal
> /build/tmp/work/ubuntu-focal-amd64/isar-bootstrap-target/1.0-r0/rootfs
> http://archive.ubuntu.com/ubuntu /usr/share/debootstrap/scripts/gutsy I:
> Retrieving InRelease
> I: Checking Release signature
> I: Valid Release signature (key id F6ECB3762474EDA9D21B7022871920D1991BC93C)
> I: Retrieving Packages
> ```
>
> meta-isar/conf/distro/ubuntu-focal.conf | 5 +++
> meta-isar/conf/distro/ubuntu.public.key | 53 +++++++++++++++++++++++++
> 2 files changed, 58 insertions(+)
Applied to next.