On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote: > > Hi, > > i just had a quick look at the implementation of the base-apt signing > for the first time. The interface is not ideal and has potential for > the signing key and the checking key not actually belonging together. > > As far as i understand the code i read, Isar will start signing > base-apt if BASE_REPO_KEY is set to anything. The private key it will > use to sign the repo is not specified at all, it will be whatever gnupg > defaults to, given its configuration. > > I would suggest to switch from "SignWith yes" to "SignWith ", > and derive the id from BASE_REPO_KEY. > > Further improvements would be to actually configure gnupg inside Isar > and not rely on an outside configuration. Relying on the outside config > means that all (multi)configs will have to use the same keypair. > So we would add > > BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE > > Now we would create a new gpg homedir next to where we store base-apt. > We would import that one key there and potentially unlock it with its > passphrase. If we clean and rebuild we get a working gpghome for sure. > > Henning > Hi, Perhaps something like the following ... Of course, since BASE_REPO_KEY permits specifying multiple keys, this raises a question of which keyid? Amy >From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 2001 From: Amy Fong Date: Thu, 13 Jun 2019 12:52:06 -0400 Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing Extract keyid from BASE_REPO_KEY for signing Signed-off-by: Amy Fong --- meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb index 1c0b4c6..81245f7 100644 --- a/meta/recipes-devtools/base-apt/base-apt.bb +++ b/meta/recipes-devtools/base-apt/base-apt.bb @@ -19,8 +19,15 @@ do_cache_config() { sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \ ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions if [ "${BASE_REPO_KEY}" ] ; then + option="yes" + for key in ${BASE_REPO_KEY}; do + keyid=$(wget -qO - $key | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}') + if [ -n "$keyid" ]; then + option="$keyid" + fi + done # To generate Release.gpg - echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions + echo "SignWith: $option" >> ${CACHE_CONF_DIR}/distributions fi fi -- 2.20.1