Handle packages.chroot with an explicitly trusted file:// repository Up to now we created a temporary GPG key that we registered with apt-key, but with the switch to GnuPG 2 by default this code broke. Now we stop doing that and instead add the “trusted=yes” attribute in sources.list so that APT knows that the repository can be trusted even if it's unsigned. Signed-off-by: Raphaël Hertzog <[email protected]> Sophie Brun authored 7 years ago Raphaël Hertzog committed 7 years ago
1 changed file(s) with 1 addition(s) and 88 deletion(s).
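--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -28,8 +28,6 @@
 
 # Requiring stage file
 Require_stagefile .build/config .build/bootstrap
-
-_LB_LOCAL_KEY_EMAIL="live-build-local-key@invalid"
 
 case "${LB_DERIVATIVE}" in
 true)
@@ -279,87 +277,8 @@
 -o APT::FTPArchive::Release::Origin=config/packages.chroot \
 release . > Release" | Chroot chroot sh
 
-if [ "${LB_APT_SECURE}" = "true" ]
-then
-if [ -e chroot/root/.gnupg ]
-then
-mv chroot/root/.gnupg chroot/root/.gnupg.orig
-fi
-
-# Ensure ~/.gnupg exists
-mkdir -p chroot/root/.gnupg
-
-# Temporarily replace /dev/random with /dev/urandom so as not
-# to block automated image builds; we don't care about the
-# security of this key anyway.
-if [ -e chroot/dev/random ]
-then
-mv chroot/dev/random chroot/dev/random.orig
-cp -a chroot/dev/urandom chroot/dev/random
-fi
-
-if Find_files cache/local-package-keyring.*
-then
-cp cache/local-package-keyring.* chroot/root
-else
-# Generate temporary key
-echo "Key-Type: RSA
-Key-Length: 1024
-Subkey-Type: ELG-E
-Subkey-Length: 1024
-Name-Real: live-build local packages key
-Name-Email: ${_LB_LOCAL_KEY_EMAIL}
-Expire-Date: 0
-%secring /root/local-package-keyring.sec
-%pubring /root/local-package-keyring.pub
-%commit" | Chroot chroot "gpg --batch --gen-key" || _LB_RET=${?}
-
-case "${_LB_RET}" in
-""|2)
-# Gnupg sometimes seems to return with a status of 2 when there was not
-# enough entropy (and key creation blocks temporarily) even if the
-# operation was ultimately successful.
-;;
-*)
-Echo_error "GPG exited with error status %s" "${_LB_RET}"
-exit ${_LB_RET}
-;;
-esac
-
-# Save keyrings to avoid regeneration
-cp chroot/root/local-package-keyring.* cache/
-fi
-
-# Sign release
-Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \
---keyring /root/local-package-keyring.pub -abs -o \
-/root/packages/Release.gpg /root/packages/Release"
-
-# Import key
-Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \
---keyring /root/local-package-keyring.pub --armor \
---export ${_LB_LOCAL_KEY_EMAIL}" | Chroot chroot "apt-key add -"
-
-# Remove temporary keyrings
-rm chroot/root/local-package-keyring.pub
-rm chroot/root/local-package-keyring.sec
-
-# Revert /dev/random
-if [ -e chroot/dev/random.orig ]
-then
-mv chroot/dev/random.orig chroot/dev/random
-fi
-
-rm -rf chroot/root/.gnupg
-
-if [ -e chroot/root/.gnupg.orig ]
-then
-mv chroot/root/.gnupg.orig chroot/root/.gnupg
-fi
-fi
-
 # Add to sources.list.d
-echo "deb file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list
+echo "deb [ trusted=yes ] file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list
 
 # Move top-level sources away, otherwise apt always preferes it (#644148)
 if [ -e chroot/etc/apt/sources.list ]
@@ -758,12 +677,6 @@
 rm -f chroot/etc/apt/sources.list.d/packages.list
 rm -rf chroot/root/packages
 
-# Remove local packages key if it exists
-if Chroot chroot apt-key list | grep -q ${_LB_LOCAL_KEY_EMAIL}
-then
-Chroot chroot apt-key del ${_LB_LOCAL_KEY_EMAIL}
-fi
-
 # Removing stage file
 rm -f .build/chroot_archives
 ;;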
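Review bot: The new `[ trusted=yes ]` entry at new line 281 is written unconditionally, whereas the signing it replaces ran only when `LB_APT_SECURE` was "true", so as far as this hunk shows the local repository is now accepted without any authentication in every build; a comment above the echo stating why that is acceptable would spare the next reader the archaeology, e.g. `# Local repo is built from config/packages.chroot and is unsigned; trusted=yes lets APT use it, and packages.list is removed again at cleanup`. The cleanup hunk still deletes packages.list and /root/packages, so the trusted entry does not persist into the finished image. With the `apt-key del` step gone, a chroot cached by an earlier live-build version may presumably still carry the old local key in its APT keyring; if cached chroots are reused across versions, a one-time removal of that key is worth considering. The `case "${LB_DERIVATIVE}"` arm enclosing the middle hunk starts in the first hunk and its body continues outside the shown lines.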