Handle packages.chroot with an explicitly trusted file:// repository
Up to now we created a temporary GPG key that we registered with apt-key
but with the switch to GnuPG 2 by default, this code broke. Now we stop
doing that and instead add the "trusted=yes" attribute in sources.list so
that APT knows that the repository can be trusted even if it's unsigned.
Signed-off-by: Raphaël Hertzog <[email protected]>
Sophie Brun authored 7 years ago
Raphaël Hertzog committed 7 years ago
28 | 28 | |
29 | 29 | # Requiring stage file |
30 | 30 | Require_stagefile .build/config .build/bootstrap |
31 | ||
32 | _LB_LOCAL_KEY_EMAIL="live-build-local-key@invalid" | |
33 | 31 | |
34 | 32 | case "${LB_DERIVATIVE}" in |
35 | 33 | true) |
279 | 277 | -o APT::FTPArchive::Release::Origin=config/packages.chroot \ |
280 | 278 | release . > Release" | Chroot chroot sh |
281 | 279 | |
282 | if [ "${LB_APT_SECURE}" = "true" ] | |
283 | then | |
284 | if [ -e chroot/root/.gnupg ] | |
285 | then | |
286 | mv chroot/root/.gnupg chroot/root/.gnupg.orig | |
287 | fi | |
288 | ||
289 | # Ensure ~/.gnupg exists | |
290 | mkdir -p chroot/root/.gnupg | |
291 | ||
292 | # Temporarily replace /dev/random with /dev/urandom so as not | |
293 | # to block automated image builds; we don't care about the | |
294 | # security of this key anyway. | |
295 | if [ -e chroot/dev/random ] | |
296 | then | |
297 | mv chroot/dev/random chroot/dev/random.orig | |
298 | cp -a chroot/dev/urandom chroot/dev/random | |
299 | fi | |
300 | ||
301 | if Find_files cache/local-package-keyring.* | |
302 | then | |
303 | cp cache/local-package-keyring.* chroot/root | |
304 | else | |
305 | # Generate temporary key | |
306 | echo "Key-Type: RSA | |
307 | Key-Length: 1024 | |
308 | Subkey-Type: ELG-E | |
309 | Subkey-Length: 1024 | |
310 | Name-Real: live-build local packages key | |
311 | Name-Email: ${_LB_LOCAL_KEY_EMAIL} | |
312 | Expire-Date: 0 | |
313 | %secring /root/local-package-keyring.sec | |
314 | %pubring /root/local-package-keyring.pub | |
315 | %commit" | Chroot chroot "gpg --batch --gen-key" || _LB_RET=${?} | |
316 | ||
317 | case "${_LB_RET}" in | |
318 | ""|2) | |
319 | # Gnupg sometimes seems to return with a status of 2 when there was not | |
320 | # enough entropy (and key creation blocks temporarily) even if the | |
321 | # operation was ultimately successful. | |
322 | ;; | |
323 | *) | |
324 | Echo_error "GPG exited with error status %s" "${_LB_RET}" | |
325 | exit ${_LB_RET} | |
326 | ;; | |
327 | esac | |
328 | ||
329 | # Save keyrings to avoid regeneration | |
330 | cp chroot/root/local-package-keyring.* cache/ | |
331 | fi | |
332 | ||
333 | # Sign release | |
334 | Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \ | |
335 | --keyring /root/local-package-keyring.pub -abs -o \ | |
336 | /root/packages/Release.gpg /root/packages/Release" | |
337 | ||
338 | # Import key | |
339 | Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \ | |
340 | --keyring /root/local-package-keyring.pub --armor \ | |
341 | --export ${_LB_LOCAL_KEY_EMAIL}" | Chroot chroot "apt-key add -" | |
342 | ||
343 | # Remove temporary keyrings | |
344 | rm chroot/root/local-package-keyring.pub | |
345 | rm chroot/root/local-package-keyring.sec | |
346 | ||
347 | # Revert /dev/random | |
348 | if [ -e chroot/dev/random.orig ] | |
349 | then | |
350 | mv chroot/dev/random.orig chroot/dev/random | |
351 | fi | |
352 | ||
353 | rm -rf chroot/root/.gnupg | |
354 | ||
355 | if [ -e chroot/root/.gnupg.orig ] | |
356 | then | |
357 | mv chroot/root/.gnupg.orig chroot/root/.gnupg | |
358 | fi | |
359 | fi | |
360 | ||
361 | 280 | # Add to sources.list.d |
362 | echo "deb file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list | |
281 | echo "deb [ trusted=yes ] file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list | |
363 | 282 | |
364 | 283 | # Move top-level sources away, otherwise apt always preferes it (#644148) |
365 | 284 | if [ -e chroot/etc/apt/sources.list ] |
758 | 677 | rm -f chroot/etc/apt/sources.list.d/packages.list |
759 | 678 | rm -rf chroot/root/packages |
760 | 679 | |
761 | # Remove local packages key if it exists | |
762 | if Chroot chroot apt-key list | grep -q ${_LB_LOCAL_KEY_EMAIL} | |
763 | then | |
764 | Chroot chroot apt-key del ${_LB_LOCAL_KEY_EMAIL} | |
765 | fi | |
766 | ||
767 | 680 | # Removing stage file |
768 | 681 | rm -f .build/chroot_archives |
769 | 682 | ;; |
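Review bot: The new `trusted=yes` line at new line 281 should carry a comment explaining why disabling APT's authentication is acceptable here, because `trusted=yes` makes APT skip signature checking for everything served from /root/packages rather than merely tolerating a missing Release.gpg. The Release file it covers is produced a few lines earlier by apt-ftparchive from config/packages.chroot, so the trust rests on the build's own inputs and not on a network source; a comment such as `# Release is generated locally from config/packages.chroot, so tell APT to use it unsigned (trusted=yes).` above the echo would record that. The removed code only signed the Release when LB_APT_SECURE was true, while the new line is written unconditionally, so if LB_APT_SECURE is still expected to gate anything for this repository that should be confirmed and mentioned in the same comment. The enclosing case block starts and ends outside the hunk.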