From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6665315485307895808
X-Received: by 2002:a17:906:938b:: with SMTP id l11mr1597438ejx.8.1551970713359;
        Thu, 07 Mar 2019 06:58:33 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a50:9835:: with SMTP id g50ls1482887edb.9.gmail; Thu, 07 Mar
 2019 06:58:32 -0800 (PST)
X-Google-Smtp-Source: APXvYqy+crpO+6QXHElWhsVyyLFzEmZzAJyXUqCZ/tkIxD7sDtSINw9nzZGUn3GQgkzm02Iw2/BI
X-Received: by 2002:a50:a499:: with SMTP id w25mr4971969edb.3.1551970712943;
        Thu, 07 Mar 2019 06:58:32 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551970712; cv=none;
        d=google.com; s=arc-20160816;
        b=nrTLQXXxh7v1jZgQBol3iv/W9G0u6ukdqI7Rv/38XDTTb0m8NR0skRFOPV9REhZKvN
         Xl5t6yOfjnG9yF3lKgvpmPRi3ty/Zj4W6VJN9hD4mkz8/i0otYqJ1U0moA/zOgZ7reeJ
         G5k5jyaBosF0DKH8mtnNBi6eiBezYm+E6PjAIjmcAugXcTcU+DGZoAjqRih/zcQj5Yrh
         kpP4pwk4N/sXwr5B/a45hXxxVPlWU5rwDI8Fgk1X9OLJzAcCzb2zwbOQytA1x0GvPBCo
         o08UWJY3LMgkDJT6vUcXLkkCT+JtRXAOLC1fJ2cfdnJvZBKNcBnJXJTChmM5f7QuQRtZ
         stkg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-language:in-reply-to:mime-version
         :user-agent:date:message-id:from:references:to:subject;
        bh=rsluOc56IbfK2P25J4i2xB3Ac7Q+FP+GVGDWFnIJGfo=;
        b=LKvzLSt28OUtYOuBgq/EAz8TQV5JcGS8CgcVYGdaRJFP7EzE1mE4pSY3xdraFEXgUr
         kGQxfdiEivxy5JN0c9SS1zpV8d411pc5GVmMvlp39IjB0IiTqnpLmBojb4VuNZH54xpL
         Gju1K5/0yVbuODuufMKN87YVxdWTUXk7xP+cOB40CS9wRSettU0vGzUFznZ9LcEqSoVB
         +F1ZseEBfCxwR1DgzJrMLmfDFYSvIdY6eLkCKkrsF62uj0mRksOCxddAdACPQi6R7+H1
         flHiwuQ06TSZL+X35+3k42qyzysG6XQz//XVrBqrphgpdwKNlkSJT+5oqL7l8AMLcSe0
         fKKg==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com
Return-Path: <claudius.heine.ext@siemens.com>
Received: from david.siemens.de (david.siemens.de. [192.35.17.14])
        by gmr-mx.google.com with ESMTPS id c7si170645ejx.1.2019.03.07.06.58.32
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 07 Mar 2019 06:58:32 -0800 (PST)
Received-SPF: pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) client-ip=192.35.17.14;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35])
	by david.siemens.de (8.15.2/8.15.2) with ESMTPS id x27EwW4d015144
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)
	for <isar-users@googlegroups.com>; Thu, 7 Mar 2019 15:58:32 +0100
Received: from [139.25.69.232] (linux-ses-ext02.ppmd.siemens.net [139.25.69.232])
	by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x27EwW5n004588;
	Thu, 7 Mar 2019 15:58:32 +0100
Subject: Re: [PATCH v4 5/6] Use apt-key to generate apt-keyring
To: "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>,
        isar-users@googlegroups.com
References: <20190307142304.14508-1-andreas.reichel.ext@siemens.com>
 <20190307142304.14508-6-andreas.reichel.ext@siemens.com>
From: Claudius Heine <claudius.heine.ext@siemens.com>
Message-ID: <7e4f740c-61a8-514c-a2c5-80ebb694501a@siemens.com>
Date: Thu, 7 Mar 2019 15:58:32 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.5.1
MIME-Version: 1.0
In-Reply-To: <20190307142304.14508-6-andreas.reichel.ext@siemens.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-TUID: sS+frcqInasN

Hi Andreas,

On 07/03/2019 15.23, [ext] Andreas J. Reichel wrote:
> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
> 
> Use apt-key instead of manually calling gpg.
> 
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> ---
>   meta/classes/isar-bootstrap-helper.bbclass    |  2 ++
>   meta/classes/isar-image.bbclass               |  1 +
>   meta/conf/bitbake.conf                        |  1 +
>   .../isar-bootstrap/isar-bootstrap.inc         | 32 +++++++++++++++----
>   4 files changed, 29 insertions(+), 7 deletions(-)
> 
> diff --git a/meta/classes/isar-bootstrap-helper.bbclass b/meta/classes/isar-bootstrap-helper.bbclass
> index d780b85..c5e39e9 100644
> --- a/meta/classes/isar-bootstrap-helper.bbclass
> +++ b/meta/classes/isar-bootstrap-helper.bbclass
> @@ -119,6 +119,7 @@ setup_root_file_system() {
>       export LANG=C
>       export LANGUAGE=C
>       export LC_ALL=C
> +
>       sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \
>           -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \
>           -o Dir::Etc::sourceparts="-" \
> @@ -128,6 +129,7 @@ setup_root_file_system() {
>           sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture ${DISTRO_ARCH}
>           sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update
>       fi
> +    sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update
>       sudo -E chroot "$ROOTFSDIR" \
>           /usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \
>               ${IMAGE_TRANSIENT_PACKAGES}
> diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
> index cdd1651..4a89bd7 100644
> --- a/meta/classes/isar-image.bbclass
> +++ b/meta/classes/isar-image.bbclass
> @@ -82,6 +82,7 @@ isar_image_cleanup() {
>           fi
>           rm -f "${IMAGE_ROOTFS}/etc/apt/sources-list"
>       '
> +    sudo rm -f "${ISARKEYRING}"

If I understand this correctly, you are removing the keys of third-party 
repositories here. Why? Aren't they needed if someone wants to update 
the image later manually via apt on a running system?

IMO that only makes sense if this file only contains keys for 
repositories like isar-apt or the cache repo.

>   }
>   
>   do_rootfs() {
> diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
> index 0e521bb..769ec9a 100644
> --- a/meta/conf/bitbake.conf
> +++ b/meta/conf/bitbake.conf
> @@ -62,6 +62,7 @@ DEBDISTRONAME = "isar"
>   # Isar apt repository paths
>   REPO_ISAR_DIR = "${DEPLOY_DIR}/isar-apt/apt"
>   REPO_ISAR_DB_DIR = "${DEPLOY_DIR}/isar-apt/db"
> +ISARKEYRING = "/etc/apt/trusted.gpg.d/isar.gpg"

I would separate third-party and isar created repo keys here. Since 
third-party keyrings should not be removed and isar created ones might 
be removed if those repos are not shared with the device while it is 
deployed.

>   
>   # Base apt repository paths
>   REPO_BASE_DIR = "${DL_DIR}/base-apt/apt"
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> index dbc3938..2fb5c5b 100644
> --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> @@ -23,10 +23,9 @@ APTSRCS = "${WORKDIR}/apt-sources"
>   APTSRCS_INIT = "${WORKDIR}/apt-sources-init"
>   BASEAPTSRCS = "${WORKDIR}/base-apt-sources"
>   APTKEYFILES = ""
> -APTKEYRING = "${WORKDIR}/apt-keyring.gpg"
> -DEBOOTSTRAP_KEYRING = ""
>   DEPLOY_ISAR_BOOTSTRAP ?= ""
>   DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
> +DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2"
>   
>   DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org  file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
>   
> @@ -43,7 +42,6 @@ python () {
>           if own_pub_key:
>               aptkeys += own_pub_key.split()
>   
> -    d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
>       for key in aptkeys:
>           d.appendVar("SRC_URI", " %s" % key)
>           fetcher = bb.fetch2.Fetch([key], d)
> @@ -158,6 +156,14 @@ def get_distro_needs_https_support(d, is_host=False):
>       else:
>           return ""
>   
> +def get_distro_needs_gpg_support(d):
> +    apt_keys = d.getVar("HAVE_CUSTOM_APT_KEYS", False)
> +    if apt_keys:
> +        return "gnupg"
> +    return ""
> +
> +OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}"
> +
>   def get_distro_source(d, is_host):
>       return get_distro_primary_source_entry(d, is_host)[0]
>   
> @@ -171,13 +177,17 @@ def get_distro_components_argument(d, is_host):
>       else:
>           return ""
>    > +APTKEYTMPDIR := "${TMPDIR}/aptkeys"

Is there a reason why this is in TMPDIR and not in WORKDIR?

> +
> +do_generate_keyring[cleandirs] = "${APTKEYTMPDIR}"
>   do_generate_keyring[dirs] = "${DL_DIR}"
>   do_generate_keyring[vardeps] += "DISTRO_APT_KEYS"
>   do_generate_keyring() {
>       if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then
> +        chmod 777 "${APTKEYTMPDIR}"
>           for keyfile in ${@d.getVar("APTKEYFILES", True)}; do
> -           gpg --no-default-keyring --keyring "${APTKEYRING}" \
> -               --no-tty --homedir "${DL_DIR}"  --import "$keyfile"
> +           cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")"
> +           sudo apt-key --keyring "${ISARKEYRING}" add "$keyfile"
>           done
>       fi
>   }
> @@ -221,7 +231,6 @@ isar_bootstrap() {
>               if [ ${IS_HOST} ]; then
>                   ${DEBOOTSTRAP} $debootstrap_args \
>                                  ${@get_distro_components_argument(d, True)} \
> -                               ${DEBOOTSTRAP_KEYRING} \
>                                  "${@get_distro_suite(d, True)}" \
>                                  "${ROOTFSDIR}" \
>                                  "${@get_distro_source(d, True)}"
> @@ -230,7 +239,6 @@ isar_bootstrap() {
>                    "${DEBOOTSTRAP}" $debootstrap_args \
>                                     --arch="${DISTRO_ARCH}" \
>                                     ${@get_distro_components_argument(d, False)} \
> -                                  ${DEBOOTSTRAP_KEYRING} \
>                                     "${@get_distro_suite(d, False)}" \
>                                     "${ROOTFSDIR}" \
>                                     "${@get_distro_source(d, False)}"
> @@ -259,6 +267,16 @@ isar_bootstrap() {
>               mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d"
>               install -v -m644 "${WORKDIR}/isar-apt.conf" \
>                                "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf"
> +            if [ -d ${TMPDIR}/aptkeys ]; then
> +                for keyfile in ${TMPDIR}/aptkeys/*

Maybe use APTKEYTMPDIR here, deduplication then it is easier to find 
usage of this directory.

If the aptkeys directory is used somewhere outside of isar-bootstrap, 
then the placeing it in TMPDIR directly makes sence, but if only 
isar-bootstrap uses this directory WORKDIR would be better.

Claudius

> +                do
> +                    kfn="$(basename $keyfile)"
> +                    cp $keyfile "${ROOTFSDIR}/tmp/$kfn"
> +                    sudo -E chroot "${ROOTFSDIR}" /usr/bin/apt-key \
> +                       --keyring ${ISARKEYRING} add "/tmp/$kfn"
> +                    rm "${ROOTFSDIR}/tmp/$kfn"
> +                done
> +            fi
>   
>               if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then
>                   install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \
> 

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de