* [RFC v1 0/3] Fix additional apt repos with foreign keys
@ 2019-02-26 13:48 Andreas J. Reichel
  2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel
                   ` (3 more replies)
  0 siblings, 4 replies; 9+ messages in thread
From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw)
  To: isar-users; +Cc: Andreas Reichel

From: Andreas Reichel <andreas.reichel.ext@siemens.com>

This patch series fixes problems when adding additional repos
which need different gpg keys for authentication.

The patches are designed to make the existing 'API', i.e. bitbake
variables work, not to solve the remaining design problems.

On basis of this series, we should discuss how to further proceed
since there should be a distinction whether we change the bootstrapping
apt source or if we change the apt source for additional packages.

If we change the bootstrapping apt source, we already need keys
installed in the build environment to do the first debootstrap.

If we only want additional packages in the target rootfs, we only
need to add keys inside the target chroot.

Currently this is not possible and requires additional bitbake
variables, i.e. APT_KEYS_TARGET_PKGS, or APT_KEYS_TARGET_BOOTSTRAP.

Also the reason for the option I delete in patch 3 is unclear to me.
This way we could never add additional repositories.

Andreas Reichel (3):
  Fix path to user gpg-keys
  Refactor gpg code to use apt code
  Use all source lists in target root apt

 meta/classes/isar-bootstrap-helper.bbclass    | 14 ++++++++----
 .../isar-bootstrap/isar-bootstrap.inc         | 22 +++++++++----------
 2 files changed, 21 insertions(+), 15 deletions(-)

-- 
2.20.1

^ permalink raw reply	[flat|nested] 9+ messages in thread
* [RFC v1 1/3] Fix path to user gpg-keys 2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel @ 2019-02-26 13:48 ` Andreas J. Reichel 2019-02-26 15:33 ` Henning Schild 2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel ` (2 subsequent siblings) 3 siblings, 1 reply; 9+ messages in thread From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw) To: isar-users; +Cc: Andreas Reichel From: Andreas Reichel <andreas.reichel.ext@siemens.com> If the key is fetched from remote (currently http, https), use the basename, otherwise, use the absolute path. Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com> --- meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index 234d339..25133be 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -40,7 +40,10 @@ python () { d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") for key in distro_apt_keys.split(): url = urlparse(key) - filename = ''.join([wd, url.path]) + if "https://" in key or "http://" in key: + filename = os.path.basename(url.path) + else: + filename = ''.join([wd, url.path]) d.appendVar("SRC_URI", " %s" % key) d.appendVar("APTKEYFILES", " %s" % filename) if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): -- 2.20.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
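Review bot: In the `python ()` hunk of isar-bootstrap.inc, `if "https://" in key or "http://" in key:` tests for a substring of the whole entry instead of the scheme that `urlparse(key)` has already extracted on the line above, so a local entry that merely contains such a string takes the remote branch and every other fetcher scheme takes the local one. Compare `url.scheme in ("http", "https")` instead. The two branches also produce different kinds of value, a bare basename versus `wd` joined to `url.path`, so APTKEYFILES ends up mixing relative and absolute names; a comment saying which directory the relative names are resolved against would make that safe to maintain.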
* Re: [RFC v1 1/3] Fix path to user gpg-keys 2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel @ 2019-02-26 15:33 ` Henning Schild 0 siblings, 0 replies; 9+ messages in thread From: Henning Schild @ 2019-02-26 15:33 UTC (permalink / raw) To: [ext] Andreas J. Reichel; +Cc: isar-users Am Tue, 26 Feb 2019 14:48:42 +0100 schrieb "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>: > From: Andreas Reichel <andreas.reichel.ext@siemens.com> > > If the key is fetched from remote (currently http, https), > use the basename, otherwise, use the absolute path. > > Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com> > --- > meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index > 234d339..25133be 100644 --- > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -40,7 +40,10 > @@ python () { d.setVar("DEBOOTSTRAP_KEYRING", "--keyring > ${APTKEYRING}") for key in distro_apt_keys.split(): > url = urlparse(key) > - filename = ''.join([wd, url.path]) > + if "https://" in key or "http://" in key: > + filename = os.path.basename(url.path) > + else: > + filename = ''.join([wd, url.path]) This is just weird. What happens with git, mercurial and bazaar fetches? > d.appendVar("SRC_URI", " %s" % key) > d.appendVar("APTKEYFILES", " %s" % filename) In fact we assume that we can guess the filename from the URI to construct APTKEYFILES. I think a better way to do that would be using something like: >> fetcher = bb.fetch2.Fetch(src_uri, d) >> filename = fetcher.localpath() ... not tested just reading bitbake code ;) Henning > if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): ^ permalink raw reply [flat|nested] 9+ messages in thread
* [RFC v1 2/3] Refactor gpg code to use apt code 2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel 2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel @ 2019-02-26 13:48 ` Andreas J. Reichel 2019-02-26 14:07 ` cedric_hombourger 2019-02-26 15:39 ` Henning Schild 2019-02-26 13:48 ` [RFC v1 3/3] Use all source lists in target root apt Andreas J. Reichel 2019-02-26 15:06 ` [RFC v1 0/3] Fix additional apt repos with foreign keys Henning Schild 3 siblings, 2 replies; 9+ messages in thread From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw) To: isar-users; +Cc: Andreas Reichel From: Andreas Reichel <andreas.reichel.ext@siemens.com> Don't manually move around keys and keyrings, use `apt-key` to do so Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com> --- meta/classes/isar-bootstrap-helper.bbclass | 9 +++++++++ .../isar-bootstrap/isar-bootstrap.inc | 17 +++++++---------- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/meta/classes/isar-bootstrap-helper.bbclass b/meta/classes/isar-bootstrap-helper.bbclass index d780b85..df6fbee 100644 --- a/meta/classes/isar-bootstrap-helper.bbclass +++ b/meta/classes/isar-bootstrap-helper.bbclass @@ -119,6 +119,14 @@ setup_root_file_system() { export LANG=C export LANGUAGE=C export LC_ALL=C + + if [ -d ${TMPDIR}/aptkeys ]; then + for keyfile in ${TMPDIR}/aptkeys/* + do + cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile) + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename $keyfile) + done + fi sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \ -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \ -o Dir::Etc::sourceparts="-" \ 
@@ -128,6 +136,7 @@ setup_root_file_system() { sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture ${DISTRO_ARCH} sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update fi + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update sudo -E chroot "$ROOTFSDIR" \ /usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \ ${IMAGE_TRANSIENT_PACKAGES} diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index 25133be..60bd061 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -23,10 +23,8 @@ APTSRCS = "${WORKDIR}/apt-sources" APTSRCS_INIT = "${WORKDIR}/apt-sources-init" BASEAPTSRCS = "${WORKDIR}/base-apt-sources" APTKEYFILES = "" -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" -DEBOOTSTRAP_KEYRING = "" DEPLOY_ISAR_BOOTSTRAP ?= "" -DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" +DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales gnupg2 apt-transport-https ca-certificates" DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }" @@ -37,7 +35,6 @@ python () { distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False) wd = d.getVar("WORKDIR", True) if distro_apt_keys: - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") for key in distro_apt_keys.split(): url = urlparse(key) if "https://" in key or "http://" in key: @@ -49,7 +46,6 @@ python () { if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): own_pub_key = d.getVar("BASE_REPO_KEY", False) if own_pub_key: - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") for key in own_pub_key.split(): url = urlparse(key) filename = ''.join([wd, url.path]) 
@@ -181,9 +177,12 @@ do_generate_keyring[dirs] = "${DL_DIR}" do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" do_generate_keyring() { if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then + APTKEYTMPDIR="${TMPDIR}"/aptkeys + [ -d "${APTKEYTMPDIR}" ] || { mkdir -p "${APTKEYTMPDIR}"; \ + chmod 777 "${APTKEYTMPDIR}"; } for keyfile in ${@d.getVar("APTKEYFILES", True)}; do - gpg --no-default-keyring --keyring "${APTKEYRING}" \ - --no-tty --homedir "${DL_DIR}" --import "$keyfile" + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")" + sudo apt-key add "$keyfile" done fi } @@ -225,7 +224,6 @@ isar_bootstrap() { if [ ${IS_HOST} ]; then ${DEBOOTSTRAP} $debootstrap_args \ ${@get_distro_components_argument(d, True)} \ - ${DEBOOTSTRAP_KEYRING} \ "${@get_distro_suite(d, True)}" \ "${ROOTFSDIR}" \ "${@get_distro_source(d, True)}" @@ -234,7 +232,6 @@ isar_bootstrap() { "${DEBOOTSTRAP}" $debootstrap_args \ --arch="${DISTRO_ARCH}" \ ${@get_distro_components_argument(d, False)} \ - ${DEBOOTSTRAP_KEYRING} \ "${@get_distro_suite(d, False)}" \ "${ROOTFSDIR}" \ "${@get_distro_source(d, False)}" @@ -248,7 +245,7 @@ isar_bootstrap() { if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then sed -e "s#{BASE_DISTRO}#"${BASE_DISTRO}"#g" \ -e "s#{BASE_DISTRO_CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ - -i ${BASEAPTSRCS} + -i ${BASEAPTSRCS} mkdir -p ${ROOTFSDIR}/base-apt sudo mount --bind ${REPO_BASE_DIR} ${ROOTFSDIR}/base-apt install -v -m644 "${BASEAPTSRCS}" \ -- 2.20.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
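Review bot: In the `do_generate_keyring()` hunk, `chmod 777 "${APTKEYTMPDIR}"` makes the key staging directory world-writable, and the `setup_root_file_system()` hunk of this same patch later runs `apt-key add` as root on every file matched by `${TMPDIR}/aptkeys/*`, so a file placed there by any local user becomes a trusted key in the target rootfs. Create the directory with the build user's default mode (a plain `mkdir -p` is enough). In the same hunk, `sudo apt-key add "$keyfile"` writes the key into the build host's own apt trust store and nothing removes it again, whereas the deleted `gpg --no-default-keyring --keyring "${APTKEYRING}"` call kept it in a file under WORKDIR; keeping a dedicated keyring file and still passing it to debootstrap would leave host trust unchanged.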
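Review bot: In the first `setup_root_file_system()` hunk, `$keyfile` and `${TMPDIR}/aptkeys/*` are expanded unquoted, and when the directory exists but is empty the glob stays literal, so `cp` is called on a file named `*`. Quote the expansions and skip entries that fail `[ -f "$keyfile" ]`. The copies written to `"$ROOTFSDIR"/tmp` are also never removed after `apt-key add`, and they are named by basename only, so two key files with the same name overwrite each other; remove each copy once it is imported and give it a unique name.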
* Re: [RFC v1 2/3] Refactor gpg code to use apt code 2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel @ 2019-02-26 14:07 ` cedric_hombourger 2019-02-26 15:57 ` Henning Schild 2019-02-26 15:39 ` Henning Schild 1 sibling, 1 reply; 9+ messages in thread From: cedric_hombourger @ 2019-02-26 14:07 UTC (permalink / raw) To: isar-users [-- Attachment #1.1: Type: text/plain, Size: 1030 bytes --] > > diff --git a/meta/classes/isar-bootstrap-helper.bbclass > b/meta/classes/isar-bootstrap-helper.bbclass > index d780b85..df6fbee 100644 > --- a/meta/classes/isar-bootstrap-helper.bbclass > +++ b/meta/classes/isar-bootstrap-helper.bbclass > @@ -119,6 +119,14 @@ setup_root_file_system() { > export LANG=C > export LANGUAGE=C > export LC_ALL=C > + > + if [ -d ${TMPDIR}/aptkeys ]; then > + for keyfile in ${TMPDIR}/aptkeys/* > + do > + cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile) > I have seen repos name their key debian.gpg or some other generic name I am concerned that we may get repositories using the same key names and only the last key would be added Should we do something like: tmpkey=$(mktemp -p "$ROOTFSDIR"/tmp) cp $keyfile $tmpkey sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename $tmpkey) rm -f $tmpkey + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add > /tmp/$(basename $keyfile) > + done > + fi > > [-- Attachment #1.2: Type: text/html, Size: 1694 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [RFC v1 2/3] Refactor gpg code to use apt code 2019-02-26 14:07 ` cedric_hombourger @ 2019-02-26 15:57 ` Henning Schild 0 siblings, 0 replies; 9+ messages in thread From: Henning Schild @ 2019-02-26 15:57 UTC (permalink / raw) To: cedric_hombourger; +Cc: isar-users Am Tue, 26 Feb 2019 06:07:38 -0800 schrieb <cedric_hombourger@mentor.com>: > > > > diff --git a/meta/classes/isar-bootstrap-helper.bbclass > > b/meta/classes/isar-bootstrap-helper.bbclass > > index d780b85..df6fbee 100644 > > --- a/meta/classes/isar-bootstrap-helper.bbclass > > +++ b/meta/classes/isar-bootstrap-helper.bbclass > > @@ -119,6 +119,14 @@ setup_root_file_system() { > > export LANG=C > > export LANGUAGE=C > > export LC_ALL=C > > + > > + if [ -d ${TMPDIR}/aptkeys ]; then > > + for keyfile in ${TMPDIR}/aptkeys/* > > + do > > + cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile) > > > > I have seen repos name their key debian.gpg or some other generic name > I am concerned that we may get repositories using the same key names > and only the last key would be added > Should we do something like: > > tmpkey=$(mktemp -p "$ROOTFSDIR"/tmp) > cp $keyfile $tmpkey > sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename > $tmpkey) rm -f $tmpkey I think there is no point in doing that, they would already collide in the DLDIR. You probably want to use ";name=foo" in the SRC_URI. Henning > + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add > > /tmp/$(basename $keyfile) > > + done > > + fi > > > > > > > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [RFC v1 2/3] Refactor gpg code to use apt code 2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel 2019-02-26 14:07 ` cedric_hombourger @ 2019-02-26 15:39 ` Henning Schild 1 sibling, 0 replies; 9+ messages in thread From: Henning Schild @ 2019-02-26 15:39 UTC (permalink / raw) To: [ext] Andreas J. Reichel; +Cc: isar-users Am Tue, 26 Feb 2019 14:48:43 +0100 schrieb "[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com>: > From: Andreas Reichel <andreas.reichel.ext@siemens.com> > > Don't manually move around keys and keyrings, use `apt-key` to do so > > Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com> > --- > meta/classes/isar-bootstrap-helper.bbclass | 9 +++++++++ > .../isar-bootstrap/isar-bootstrap.inc | 17 > +++++++---------- 2 files changed, 16 insertions(+), 10 deletions(-) > > diff --git a/meta/classes/isar-bootstrap-helper.bbclass > b/meta/classes/isar-bootstrap-helper.bbclass index d780b85..df6fbee > 100644 --- a/meta/classes/isar-bootstrap-helper.bbclass > +++ b/meta/classes/isar-bootstrap-helper.bbclass > @@ -119,6 +119,14 @@ setup_root_file_system() { > export LANG=C > export LANGUAGE=C > export LC_ALL=C > + > + if [ -d ${TMPDIR}/aptkeys ]; then > + for keyfile in ${TMPDIR}/aptkeys/* > + do > + cp $keyfile "$ROOTFSDIR"/tmp/$(basename $keyfile) > + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key > add /tmp/$(basename $keyfile) > + done > + fi > sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \ > -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \ > -o Dir::Etc::sourceparts="-" \ > @@ -128,6 +136,7 @@ setup_root_file_system() { > sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture > ${DISTRO_ARCH} sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update > fi > + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key update > sudo -E chroot "$ROOTFSDIR" \ > /usr/bin/apt-get ${APT_ARGS} --download-only $PACKAGES \ > ${IMAGE_TRANSIENT_PACKAGES} 
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index > 25133be..60bd061 100644 --- > a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ > b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -23,10 +23,8 > @@ APTSRCS = "${WORKDIR}/apt-sources" APTSRCS_INIT = > "${WORKDIR}/apt-sources-init" BASEAPTSRCS = > "${WORKDIR}/base-apt-sources" APTKEYFILES = "" > -APTKEYRING = "${WORKDIR}/apt-keyring.gpg" > -DEBOOTSTRAP_KEYRING = "" > DEPLOY_ISAR_BOOTSTRAP ?= "" > -DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" > +DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales gnupg2 apt-transport-https > ca-certificates" > DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org > file:///${REPO_BASE_DIR} \n" if > bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }" > @@ -37,7 +35,6 @@ python () { distro_apt_keys = > d.getVar("DISTRO_APT_KEYS", False) wd = d.getVar("WORKDIR", True) > if distro_apt_keys: > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}") > for key in distro_apt_keys.split(): > url = urlparse(key) > if "https://" in key or "http://" in key: > @@ -49,7 +46,6 @@ python () { > if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')): > own_pub_key = d.getVar("BASE_REPO_KEY", False) > if own_pub_key: > - d.setVar("DEBOOTSTRAP_KEYRING", "--keyring > ${APTKEYRING}") for key in own_pub_key.split(): > url = urlparse(key) > filename = ''.join([wd, url.path]) 
> @@ -181,9 +177,12 @@ do_generate_keyring[dirs] = "${DL_DIR}" > do_generate_keyring[vardeps] += "DISTRO_APT_KEYS" > do_generate_keyring() { > if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then > + APTKEYTMPDIR="${TMPDIR}"/aptkeys > + [ -d "${APTKEYTMPDIR}" ] || { mkdir -p "${APTKEYTMPDIR}"; \ > + chmod 777 "${APTKEYTMPDIR}"; } mkdir -p does not need test -d in fact you probably want that dir as a cleandir instead of all that > for keyfile in ${@d.getVar("APTKEYFILES", True)}; do > - gpg --no-default-keyring --keyring "${APTKEYRING}" \ > - --no-tty --homedir "${DL_DIR}" --import "$keyfile" > + cp "$keyfile" "${APTKEYTMPDIR}"/"$(basename "$keyfile")" > + sudo apt-key add "$keyfile" As i said, would be nice to be able to undo that after the debootstrap. Talking about undo, after the last apt-key operations that tmpdir can be removed from the chroot. > done > fi > } > @@ -225,7 +224,6 @@ isar_bootstrap() { > if [ ${IS_HOST} ]; then > ${DEBOOTSTRAP} $debootstrap_args \ > ${@get_distro_components_argument(d, > True)} \ > - ${DEBOOTSTRAP_KEYRING} \ > "${@get_distro_suite(d, True)}" \ > "${ROOTFSDIR}" \ > "${@get_distro_source(d, True)}" > @@ -234,7 +232,6 @@ isar_bootstrap() { > "${DEBOOTSTRAP}" $debootstrap_args \ > --arch="${DISTRO_ARCH}" \ > ${@get_distro_components_argument(d, > False)} \ > - ${DEBOOTSTRAP_KEYRING} \ > "${@get_distro_suite(d, False)}" \ > "${ROOTFSDIR}" \ > "${@get_distro_source(d, False)}" > @@ -248,7 +245,7 @@ isar_bootstrap() { > if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then > sed -e "s#{BASE_DISTRO}#"${BASE_DISTRO}"#g" \ > -e > "s#{BASE_DISTRO_CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ > - -i ${BASEAPTSRCS} > + -i ${BASEAPTSRCS} remove that whitespace change. Henning > mkdir -p ${ROOTFSDIR}/base-apt > sudo mount --bind ${REPO_BASE_DIR} > ${ROOTFSDIR}/base-apt install -v -m644 "${BASEAPTSRCS}" \ ^ permalink raw reply [flat|nested] 9+ messages in thread
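The two review points raised above, key files from different repositories sharing a name such as debian.gpg and the staging directory needing tighter handling and cleanup, shown together as an added shell example that is not part of the thread or of Isar. `stage_keys` and `demo` are hypothetical names, the key contents are constructed placeholders, and GNU coreutils (`sha256sum`, `install`, `mktemp`) are assumed.

```shell
#!/bin/sh
# Added example, not Isar code. stage_keys and demo are hypothetical helpers.

# stage_keys DEST KEYFILE...
# Copy each key file into DEST under a name prefixed with its SHA-256 digest.
# Two different files that are both called "debian.gpg" are therefore both
# kept, and the same key listed twice is staged once. Prints staged paths.
stage_keys() {
    dest=$1
    shift
    [ -d "$dest" ] || { echo "stage_keys: $dest is not a directory" >&2; return 1; }
    # Refuse a directory that group or others can write to: whatever lands in
    # it is later handed to "apt-key add" running as root.
    mode=$(ls -ld "$dest") || return 1
    case $mode in
        ?????w*|????????w*)
            echo "stage_keys: $dest is writable by group or others" >&2
            return 1 ;;
    esac
    for keyfile in "$@"; do
        [ -f "$keyfile" ] || { echo "stage_keys: missing $keyfile" >&2; return 1; }
        digest=$(sha256sum "$keyfile" | cut -d' ' -f1) || return 1
        target="$dest/$digest-$(basename "$keyfile")"
        # Mode 0644: readable from inside the chroot, writable by owner only.
        [ -e "$target" ] || install -m 0644 "$keyfile" "$target" || return 1
        echo "$target"
    done
}

# Constructed demo: two repositories ship different keys under one file name,
# and the first one is listed twice.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/repo-a" "$work/repo-b" "$work/stage"
    chmod 700 "$work/stage"
    printf 'constructed key material A\n' > "$work/repo-a/debian.gpg"
    printf 'constructed key material B\n' > "$work/repo-b/debian.gpg"

    stage_keys "$work/stage" "$work/repo-a/debian.gpg" \
        "$work/repo-b/debian.gpg" "$work/repo-a/debian.gpg" >/dev/null \
        || { rm -rf "$work"; return 1; }
    count=$(( $(ls "$work/stage" | wc -l) ))

    # A directory prepared with "chmod 777", as in the patch, is rejected.
    chmod 777 "$work/stage"
    if stage_keys "$work/stage" "$work/repo-a/debian.gpg" >/dev/null 2>&1; then
        rejected=no
    else
        rejected=yes
    fi

    # Remove the staging area once the keys are no longer needed.
    rm -rf "$work"
    echo "staged=$count rejected_world_writable=$rejected"
}

demo
```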
* [RFC v1 3/3] Use all source lists in target root apt 2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel 2019-02-26 13:48 ` [RFC v1 1/3] Fix path to user gpg-keys Andreas J. Reichel 2019-02-26 13:48 ` [RFC v1 2/3] Refactor gpg code to use apt code Andreas J. Reichel @ 2019-02-26 13:48 ` Andreas J. Reichel 2019-02-26 15:06 ` [RFC v1 0/3] Fix additional apt repos with foreign keys Henning Schild 3 siblings, 0 replies; 9+ messages in thread From: Andreas J. Reichel @ 2019-02-26 13:48 UTC (permalink / raw) To: isar-users; +Cc: Andreas Reichel From: Andreas Reichel <andreas.reichel.ext@siemens.com> When we only use isar-apt.list, we cannot add additional repositories since they are listed in the bootstrap list only. Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com> --- meta/classes/isar-bootstrap-helper.bbclass | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/meta/classes/isar-bootstrap-helper.bbclass b/meta/classes/isar-bootstrap-helper.bbclass index df6fbee..4213112 100644 --- a/meta/classes/isar-bootstrap-helper.bbclass +++ b/meta/classes/isar-bootstrap-helper.bbclass @@ -127,10 +127,7 @@ setup_root_file_system() { sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-key add /tmp/$(basename $keyfile) done fi - sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update \ - -o Dir::Etc::sourcelist="sources.list.d/isar-apt.list" \ - -o Dir::Etc::sourceparts="-" \ - -o APT::Get::List-Cleanup="0" + sudo -E chroot "$ROOTFSDIR" /usr/bin/apt-get update # Add multiarch for cross-target if [ "${ROOTFS_ARCH}" != "${DISTRO_ARCH}" ]; then sudo -E chroot "$ROOTFSDIR" /usr/bin/dpkg --add-architecture ${DISTRO_ARCH} -- 2.20.1 ^ permalink raw reply [flat|nested] 9+ messages in thread
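Review bot: In the `setup_root_file_system()` hunk, replacing the restricted call with a bare `apt-get update` drops `-o Dir::Etc::sourceparts="-"` and `-o APT::Get::List-Cleanup="0"` together with the isar-apt-only source list, so this step now refreshes every source configured in the chroot. The commit message explains why the restriction blocks additional repositories but not what the removed options were there for; please state that in the message or in a comment, and note that this update now relies on the `apt-key add` loop directly above it having imported a key for every listed source.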
* Re: [RFC v1 0/3] Fix additional apt repos with foreign keys
  2019-02-26 13:48 [RFC v1 0/3] Fix additional apt repos with foreign keys Andreas J. Reichel
                   ` (2 preceding siblings ...)
  2019-02-26 13:48 ` [RFC v1 3/3] Use all source lists in target root apt Andreas J. Reichel
@ 2019-02-26 15:06 ` Henning Schild
  3 siblings, 0 replies; 9+ messages in thread
From: Henning Schild @ 2019-02-26 15:06 UTC (permalink / raw)
  To: [ext] Andreas J. Reichel; +Cc: isar-users

On Tue, 26 Feb 2019 14:48:41 +0100,
"[ext] Andreas J. Reichel" <andreas.reichel.ext@siemens.com> wrote:

> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
>
> This patch series fixes problems when adding additional repos
> which need different gpg keys for authentication.
>
> The patches are designed to make the existing 'API', i.e. bitbake
> variables work, not to solve the remaining design problems.
>
> On basis of this series, we should discuss how to further proceed
> since there should be a distinction whether we change the bootstrapping
> apt source or if we change the apt source for additional packages.
>
> If we change the bootstrapping apt source, we already need keys
> installed in the build environment to do the first debootstrap.
>
> If we only want additional packages in the target rootfs, we only
> need to add keys inside the target chroot.
>
> Currently this is not possible and requires additional bitbake
> variables, i.e. APT_KEYS_TARGET_PKGS, or APT_KEYS_TARGET_BOOTSTRAP.

I think it is useful to establish the trust twice and forget about
extra variables. People might want to bootstrap from "new/unknown"
mirrors, like i.e. the cache.
So use the variables we know to establish trust on the guy running
debootstrap and inside the chroots. That is two "apt-key" like in your
current patches. But I would argue that you should play with "apt-key
--keyring <file>". The goal would be to create a keyring just for that
one debootstrap call, which you will remove/distrust later.
For people not using docker that will prevent "messing with the host".

> Also the reason for the option I delete in patch 3 is unclear to me.
> This way we could never add additional repositories.

Good catch. That pattern is used in a few places, assuming that
isar-apt is the only repo that could have possibly changed. Maybe that
whole pattern should be revised and we go for plain "apt-get update"

Henning

> Andreas Reichel (3):
>   Fix path to user gpg-keys
>   Refactor gpg code to use apt code
>   Use all source lists in target root apt
>
>  meta/classes/isar-bootstrap-helper.bbclass    | 14 ++++++++----
>  .../isar-bootstrap/isar-bootstrap.inc         | 22 +++++++++----------
>  2 files changed, 21 insertions(+), 15 deletions(-)
>

^ permalink raw reply	[flat|nested] 9+ messages in thread