From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6665315485307895808 X-Received: by 2002:a1c:55c9:: with SMTP id j192mr936365wmb.21.1552909685333; Mon, 18 Mar 2019 04:48:05 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:adf:ec8d:: with SMTP id z13ls979610wrn.3.gmail; Mon, 18 Mar 2019 04:48:04 -0700 (PDT) X-Google-Smtp-Source: APXvYqwl77zzCndAujcwkORqLLrF29Mcoahq4n1cQhmKdLUsx6MPY2rIHosKdlNSbG48rBO3b83v X-Received: by 2002:adf:8121:: with SMTP id 30mr734639wrm.22.1552909684677; Mon, 18 Mar 2019 04:48:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552909684; cv=none; d=google.com; s=arc-20160816; b=tvhl61YAKiftnjClZPtvJn8C9ZburwCJ/keeoVFM95kFS4M5fKSev++Q7OT4es/a34 +hSciMmyakpjxXKA+GyGQwlTs+o1fPZkl+HE+lznZg6tn/WO+r29ms+LUK8GVBNu2qev LXWA2o1W1nTpYvzLNvcKXYUXnw6J5c8PqU08ZAjHP2Vd11NWKZwfbz10Y49sLWujer1L 3DgGTcGcqSra698j/x1T46lSZHwlqLWwEIV5g2cGosckorxpzqxHGa0omdnz7KapccuG M2cxcK1yeCYj8xBylRhQVYiWdp+uNyJCZENKHgniSNg0WzuyD2+NIGN8kpTkcfeWYuUX jG+A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:cc:to:subject; bh=Ihnv1tR3/g5OgA6PmWO/qRb/bwDVcE1mBNxvkyb70x4=; b=jQAMfnT/OMYhNVPOdWgVFQ78JUiS53B2uRKFVnP1/65XP6NFWps+DG3tahbYBjmeb6 /YhqSW85BAtG0XSVyJZHcS+ipxhhoErnf7NiWGRLdwu0omDVGAmh4ESjjHM4UPQUJNEw dEFWokAS2Efr1Uw2Jvs7SQItNhnIgiUmuUqAO/b2nNGmJG2gDJn40ZZOvATV4edFxnD5 2pDQ48b4eAjl7Jn2yeEOkUP76cJGNVd6nDM2MP7xkAQJxCkn993/647HogMdz2YW162R KP2s2q2oGyG0TcIZUDDjQzNHku0jODVzfH6LgsczPkzj0pTa099MpnURq7BY4Fp0ZtX0 krhQ== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Return-Path: Received: from goliath.siemens.de (goliath.siemens.de. [192.35.17.28]) by gmr-mx.google.com with ESMTPS id k15si132848wrq.1.2019.03.18.04.48.04 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 18 Mar 2019 04:48:04 -0700 (PDT) Received-SPF: pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.28 as permitted sender) client-ip=192.35.17.28; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id x2IBm4w8008056 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Mon, 18 Mar 2019 12:48:04 +0100 Received: from [139.25.69.232] (linux-ses-ext02.ppmd.siemens.net [139.25.69.232]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x2IBm3fi028148; Mon, 18 Mar 2019 12:48:04 +0100 Subject: Re: [PATCH v4 5/6] Use apt-key to generate apt-keyring To: Andreas Reichel Cc: isar-users@googlegroups.com References: <20190307142304.14508-1-andreas.reichel.ext@siemens.com> <20190307142304.14508-6-andreas.reichel.ext@siemens.com> <7e4f740c-61a8-514c-a2c5-80ebb694501a@siemens.com> <20190318102104.GC9919@iiotirae> From: Claudius Heine Message-ID: <50eeee22-fe66-8fc9-3215-e534b47b4a8d@siemens.com> Date: Mon, 18 Mar 2019 12:48:03 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: <20190318102104.GC9919@iiotirae> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-TUID: agFAc7OMdj00 Hi Andreas, On 18/03/2019 11.21, Andreas Reichel wrote: > On Thu, Mar 07, 2019 at 03:58:32PM +0100, Claudius Heine wrote: >> Hi Andreas, >> >> On 07/03/2019 15.23, [ext] Andreas J. Reichel wrote: >>> From: Andreas Reichel >>> >>> Use apt-key instead of manually calling gpg. >>> >>> @@ -82,6 +82,7 @@ isar_image_cleanup() { >>> fi >>> rm -f "${IMAGE_ROOTFS}/etc/apt/sources-list" >>> ' >>> + sudo rm -f "${ISARKEYRING}" >> >> If I understand this correctly, you are removing the keys of third-party >> repositories here. Why? Aren't they needed if someone wants to update the >> image later manually via apt on a running system? >> >> IMO that only makes sense if this file only contains keys for repositories >> like isar-apt or the cache repo. >> > Do we really want to split everything up because of this or not just > keep all keys? If we keep keys we cannot use anymore, it does not hurt. Right! I would prefer keeping all keys instead of removing some that might be needed for an update. > Another way would be to specify the keys we want to keep like with > ";keep=yes" in the fetcher URI and parse this. What do you think? That would be fine, if that works. > That would probably be better than to introduce different APT_KEY > variables, which might be confusing in code. Well you can always come up with a better name for variables to avoid confusion. [...] >>> # Base apt repository paths >>> REPO_BASE_DIR = "${DL_DIR}/base-apt/apt" >>> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc >>> index dbc3938..2fb5c5b 100644 >>> --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc >>> +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc >>> @@ -23,10 +23,9 @@ APTSRCS = "${WORKDIR}/apt-sources" >>> APTSRCS_INIT = "${WORKDIR}/apt-sources-init" >>> BASEAPTSRCS = "${WORKDIR}/base-apt-sources" >>> APTKEYFILES = "" >>> -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" >>> -DEBOOTSTRAP_KEYRING = "" >>> DEPLOY_ISAR_BOOTSTRAP ?= "" >>> DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" >>> +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2" >>> DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }" >>> @@ -43,7 +42,6 @@ python () { >>> if own_pub_key: >>> aptkeys += own_pub_key.split() >>> - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") >>> for key in aptkeys: >>> d.appendVar("SRC_URI", " %s" % key) >>> fetcher = bb.fetch2.Fetch([key], d) >>> @@ -158,6 +156,14 @@ def get_distro_needs_https_support(d, is_host=False): >>> else: >>> return "" >>> +def get_distro_needs_gpg_support(d): >>> + apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False) >>> + if apt_keys: >>> + return "gnupg" >>> + return "" >>> + >>> +OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}" >>> + >>> def get_distro_source(d, is_host): >>> return get_distro_primary_source_entry(d, is_host)[0] >>> @@ -171,13 +177,17 @@ def get_distro_components_argument(d, is_host): >>> else: >>> return "" >>> > +APTKEYTMPDIR := "${TMPDIR}/aptkeys" >> >> Is there a reason why this is in TMPDIR and not in WORKDIR? >> > Because we throw it way. We don't throw things in WORKDIR away. Sorry, I don't understand this. What do you mean with 'throw it away'? And even if you mean that that this is only used in a intermediate step, I would prefer having it in the WORKDIR. What happens if two isar-bootstraps are run in parallel with a different configuration? Could that not cause conflict? > >>> + >>> +do_generate_keyring[cleandirs] = "${APTKEYTMPDIR}" >>> do_generate_keyring[dirs] = "${DL_DIR}" >>> do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" >>> do_generate_keyring() { >>> if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then >>> + chmod 777 "${APTKEYTMPDIR}" >>> for keyfile in ${@d.getVar("APTKEYFILES", True)}; do >>> - gpg --no-default-keyring --keyring "${APTKEYRING}" \ >>> - --no-tty --homedir "${DL_DIR}" --import "$keyfile" >>> + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")" >>> + sudo apt-key --keyring "${ISARKEYRING}" add "$keyfile" >>> done >>> fi >>> } >>> @@ -221,7 +231,6 @@ isar_bootstrap() { >>> if [ ${IS_HOST} ]; then >>> ${DEBOOTSTRAP} $debootstrap_args \ >>> ${@get_distro_components_argument(d, True)} \ >>> - ${DEBOOTSTRAP_KEYRING} \ >>> "${@get_distro_suite(d, True)}" \ >>> "${ROOTFSDIR}" \ >>> "${@get_distro_source(d, True)}" >>> @@ -230,7 +239,6 @@ isar_bootstrap() { >>> "${DEBOOTSTRAP}" $debootstrap_args \ >>> --arch="${DISTRO_ARCH}" \ >>> ${@get_distro_components_argument(d, False)} \ >>> - ${DEBOOTSTRAP_KEYRING} \ >>> "${@get_distro_suite(d, False)}" \ >>> "${ROOTFSDIR}" \ >>> "${@get_distro_source(d, False)}" >>> @@ -259,6 +267,16 @@ isar_bootstrap() { >>> mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d" >>> install -v -m644 "${WORKDIR}/isar-apt.conf" \ >>> "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf" >>> + if [ -d ${TMPDIR}/aptkeys ]; then >>> + for keyfile in ${TMPDIR}/aptkeys/* >> >> Maybe use APTKEYTMPDIR here, deduplication then it is easier to find usage >> of this directory. > > True >> >> If the aptkeys directory is used somewhere outside of isar-bootstrap, then >> the placeing it in TMPDIR directly makes sence, but if only isar-bootstrap >> uses this directory WORKDIR would be better. >> > Do we know this beforehand? It is always allowed to put anything > temporary in TMPDIR and it is temporary because we copy the keys around. Well the WORKDIR is inside the TMPDIR as well... And things in the WORKDIR are copied around as well... I think I currently have trouble understanding you here... Claudius -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de