On Thursday, 6 June 2019 09:46:02 UTC-4, Henning Schild wrote:
Hi,

I just had a quick look at the implementation of the base-apt signing
for the first time. The interface is not ideal and has potential for
the signing key and the checking key not actually belonging together.

As far as I understand the code I read, Isar will start signing
base-apt if BASE_REPO_KEY is set to anything. The private key it will
use to sign the repo is not specified at all, it will be whatever gnupg
defaults to, given its configuration.

I would suggest switching from "SignWith yes" to "SignWith <keyid>",
and deriving the id from BASE_REPO_KEY.

Further improvements would be to actually configure gnupg inside Isar
and not rely on an outside configuration. Relying on the outside config
means that all (multi)configs will have to use the same keypair.
So we would add

BASE_REPO_KEY_PRIVATE and ..._PASSPHRASE

Now we would create a new gpg homedir next to where we store base-apt.
We would import that one key there and potentially unlock it with its
passphrase. If we clean and rebuild we get a working gpghome for sure.

Henning
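The scheme Henning proposes above (a dedicated gpg homedir holding exactly one imported private key, with the `SignWith:` value derived from BASE_REPO_KEY) as an added shell example; it is not part of this thread and not Isar's own code. It parses gpg's `--with-colons` listings to take the full fingerprint of the primary key rather than the 64-bit key ID, refuses to continue when BASE_REPO_KEY yields zero or several keys, and checks that the imported private key has the same fingerprint before the `distributions` entry is written, so a mismatched pair fails the build instead of producing a repo signed with one key and checked against another. The sample listings are constructed, the `setup_signing` function, its parameters and the use of `gpg --show-keys` (GnuPG 2.1.23 or later) are assumptions, and passphrase unlocking is not covered.

```shell
#!/bin/sh
# Added example (not Isar's code): derive reprepro's SignWith value from the
# BASE_REPO_KEY public key and verify the private signing key is the same key.

# Print the full fingerprint of every primary key in a gpg --with-colons
# listing read from stdin. A "pub:"/"sec:" record is followed by an "fpr:"
# record whose field 10 is the fingerprint; subkeys ("sub:"/"ssb:") also get
# an fpr record, so only the fpr directly after a primary-key record is taken.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { want = 1; next }
        $1 == "fpr" && want       { print $10; want = 0; next }
        { want = 0 }
    '
}

# Build the "SignWith:" line from the listing of the BASE_REPO_KEY public
# key(s) on stdin. Exactly one primary key is required: with none reprepro
# would fall back to gpg's default key, with several it is ambiguous which
# one the private key has to match.
signwith_line() {
    fprs=$(primary_fingerprints)
    count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        1) printf 'SignWith: %s\n' "$fprs" ;;
        0) echo "no primary key found in BASE_REPO_KEY" >&2; return 1 ;;
        *) echo "BASE_REPO_KEY lists $count keys, refusing to guess the signing key" >&2; return 1 ;;
    esac
}

# Succeed only when the secret-key listing on stdin contains exactly one
# primary key and its fingerprint equals the one named in SignWith.
check_signing_key() {
    expected=$1
    secret=$(primary_fingerprints)
    [ -n "$secret" ] && [ "$secret" = "$expected" ]
}

# Real use (needs gpg; all paths are assumptions): create a fresh GNUPGHOME
# next to the base-apt cache, import the one private key, and append the
# distributions entry only if that key matches the public key.
setup_signing() {
    gnupghome=$1 pubkey=$2 privkey=$3 distconf=$4
    rm -rf "$gnupghome" && mkdir -m 700 -p "$gnupghome"
    line=$(gpg --batch --show-keys --with-colons "$pubkey" | signwith_line) || return 1
    fpr=${line#SignWith: }
    gpg --batch --homedir "$gnupghome" --import "$privkey"
    gpg --batch --homedir "$gnupghome" --list-secret-keys --with-colons \
        | check_signing_key "$fpr" \
        || { echo "private key does not match BASE_REPO_KEY ($fpr)" >&2; return 1; }
    printf '%s\n' "$line" >> "$distconf"
}

# Constructed sample listings (not real keys): one public key with a signing
# subkey, and the matching secret key, in gpg --with-colons format.
SAMPLE_PUB='pub:-:4096:1:0123456789ABCDEF:1559800000:::-:::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC33330123456789ABCDEF:
uid:-::::1559800000::0000000000000000000000000000000000000000::Example Repo Key <repo@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1559800000::::::s::::::23:
fpr:::::::::5555EEEE6666FFFF77770000FEDCBA9876543210:'
SAMPLE_SEC='sec:-:4096:1:0123456789ABCDEF:1559800000:::-:::scESC:::+:::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC33330123456789ABCDEF:
ssb:-:4096:1:FEDCBA9876543210:1559800000::::::s:::+:::23:
fpr:::::::::5555EEEE6666FFFF77770000FEDCBA9876543210:'

# Stand-alone demonstration on the constructed listings.
printf '%s\n' "$SAMPLE_PUB" | signwith_line
```

Using the primary key's fingerprint rather than field 5 of the `pub:` record avoids 64-bit key ID collisions and gives reprepro an unambiguous key to hand to gpg; the check against the secret-key listing is what turns Henning's "potential for the signing key and the checking key not actually belonging together" into a hard build error.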

Hi,

Perhaps something like the following ...

Of course, since BASE_REPO_KEY permits specifying
multiple keys, this raises a question of which keyid?

Amy

From 5ceb4a2ef97bc7fa6c44cd9ce6f73f9a831773f3 Mon Sep 17 00:00:00 2001
From: Amy Fong <Amy_Fong@mentor.com>
Date: Thu, 13 Jun 2019 12:52:06 -0400
Subject: [PATCH] base-apt: Use BASE_REPO_KEY for signing

Extract keyid from BASE_REPO_KEY for signing

Signed-off-by: Amy Fong <Amy_Fong@mentor.com>
---
 meta/recipes-devtools/base-apt/base-apt.bb | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/base-apt/base-apt.bb b/meta/recipes-devtools/base-apt/base-apt.bb
index 1c0b4c6..81245f7 100644
--- a/meta/recipes-devtools/base-apt/base-apt.bb
+++ b/meta/recipes-devtools/base-apt/base-apt.bb
@@ -19,8 +19,15 @@ do_cache_config() {
         sed -e "s#{CODENAME}#"${BASE_DISTRO_CODENAME}"#g" \
             ${WORKDIR}/distributions.in > ${CACHE_CONF_DIR}/distributions
         if [ "${BASE_REPO_KEY}" ] ; then
+            option="yes"
+            for key in ${BASE_REPO_KEY}; do
+                keyid=$(wget -qO - $key | gpg --keyid-format 0xlong --with-colons - 2>/dev/null |grep "^pub:" |awk -F':' '{print $5;}')
+                if [ -n "$keyid" ]; then
+                    option="$keyid"
+                fi
+            done
             # To generate Release.gpg
-            echo "SignWith: yes" >> ${CACHE_CONF_DIR}/distributions
+            echo "SignWith: $option" >> ${CACHE_CONF_DIR}/distributions
         fi
     fi
 
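Review bot: the loop overwrites `option` on every iteration, so when BASE_REPO_KEY lists several keys only the last one with a parseable `pub:` record wins, and when `wget` or `gpg` fails for every key (errors are hidden by `2>/dev/null` and the exit status is never checked) `option` silently stays `yes`, which restores exactly the "whatever gnupg defaults to" behaviour the patch sets out to remove. Suggest aborting the task (e.g. with `bbfatal`) when no key id was extracted, and either rejecting more than one key or deciding explicitly which one signs. Two smaller points on the `keyid=` line: `--keyid-format 0xlong` has no effect on `--with-colons` output (field 5 of `pub:` is always the 16-digit key ID), and running `gpg` with no command on stdin relies on its "trying to guess what you mean" path; `gpg --show-keys --with-colons` states the intent, and the full fingerprint from the `fpr:` record would be unambiguous where a 64-bit key ID is not.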
-- 
2.20.1