author | Daniel Baumann <mail@daniel-baumann.ch> | 2013-11-05 12:32:59 +0100 |
---|---|---|
committer | Daniel Baumann <mail@daniel-baumann.ch> | 2013-11-06 08:16:31 +0100 |
commit | 038b1fa8f627bb83c060f17db3e100b541de8df7 (patch) | |
tree | 142186cad476d8caa8733965c6d4f53690075175 | |
parent | 9f37451f92ae0b32561f028844fa0cf051375576 (diff) | |
download | vyos-live-build-038b1fa8f627bb83c060f17db3e100b541de8df7.tar.gz vyos-live-build-038b1fa8f627bb83c060f17db3e100b541de8df7.zip |
Moving bootstrapping of derivative archive-keys from config to init.
-rwxr-xr-x | components/init | 62 | ||||
-rwxr-xr-x | scripts/build/config | 84 |
2 files changed, 61 insertions, 85 deletions
diff --git a/components/init b/components/init index e0c8458d1..a54c8e756 100755 --- a/components/init +++ b/components/init @@ -15,6 +15,7 @@ import os import shutil import subprocess import sys +import urllib.request # TODO: @@ -50,6 +51,21 @@ def main(): # --project project = args.project + ## Setting defaults + + if not project: + # FIXME: hardcoded project information + project = 'debian' + + if not distribution: + # FIXME hardcoded release information + default_distribution = { 'debian' : 'wheezy', + 'progress-linux' : 'baureo', + 'ubuntu' : 'saucy', + } + + distribution = default_distribution[project] + ## Creating configuration directory # stagefile 
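Review bot: `distribution = default_distribution[project]` raises an unhandled `KeyError` when `--project` is set to anything other than the three hardcoded names, so an unknown project dies with a traceback instead of the `E:` diagnostic style this file uses for its other failures. A guard before the lookup keeps the failure explicit and keeps the exit code consistent: `if project not in default_distribution:` / `print('E: ' + project + ' - unknown project', file=sys.stderr)` / `sys.exit(1)`. The same shape of failure applies to the `archive_keys[distribution]` lookup further down in `main()`, where a `--distribution` value outside the table would also surface as a bare `KeyError`. Where `distribution` is first assigned is not visible in this hunk; presumably it comes from `args` like `project` does, and `main()` continues past the hunk.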
@@ -57,9 +73,53 @@ def main(): if verbose: print('I: configuration directory already initialized - nothing to do') - # Note: until further tests, we do not allow to re-run lb init on an already initialized directory. + # Notes: + # * until further tests, we do not allow to re-run lb init on an already initialized directory. sys.exit(0) + # Configuring default archive-keys + if (project == 'progress-linux'): + # dependencies + if not os.path.isfile('/usr/bin/gpgv'): + print('E: /usr/bin/gpgv - no such file', file=sys.stderr) + + if verbose: + print('I: gnupg can be obtained from:\n' + 'I: http://www.gnupg.org/\n' + 'I: On Debian based systems, gnupg can be installed with:\n' + 'I: # sudo apt-get install gnupg') + + sys.exit(1) + + os.makedirs('config/archives', exist_ok=True) + + # FIXME hardcoded release information + archive_keys_url = 'http://cdn.archive.progress-linux.org/packages/project/keys/' + + archive_keys = { 'artax' : [ 'archive-key-1-artax.asc' , 'archive-key-1+-artax-backports.asc' ], + 'artax-backports' : [ 'archive-key-1-artax.asc' , 'archive-key-1+-artax-backports.asc' ], + 'baureo' : [ 'archive-key-2-baureo.asc' , 'archive-key-2+-baureo-backports.asc' ], + 'baureo-backports' : [ 'archive-key-2-baureo.asc' , 'archive-key-2+-baureo-backports.asc' ], + 'cairon' : [ 'archive-key-3-cairon.asc' , 'archive-key-3+-cairon-backports.asc' ], + 'cairon-backports' : [ 'archive-key-3-cairon.asc' , 'archive-key-3+-cairon-backports.asc' ], + } + + keys = archive_keys[distribution] + + for key in keys: + url = archive_keys_url + key + target = os.path.splitext(os.path.basename(key)) + + if verbose: + print('I: Downloading ' + url) + + r = urllib.request.urlopen(url) + f = open('config/archives/' + target[0] + '.key', 'b+w') + + f.write(r.read()) + + # FIXME: download signatures and verify them against debian-keyring + # Configuring default hooks os.makedirs('config/hooks', exist_ok=True) 
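Review bot: The archive keys written to `config/archives/*.key` are fetched over plain `http://` with `urllib.request.urlopen` and stored without any verification — the `.sig` download and the `gpgv` check against the Debian keyrings that the removed shell code in `scripts/build/config` performed survive here only as a FIXME, so anyone on the network path can substitute the trust anchor that later authenticates every package pulled into the image. The `/usr/bin/gpgv` presence check above the download loop is also dead weight as written, since nothing in this hunk ever invokes it. Restoring the verification — fetching `url + '.sig'` as the old code did and requiring one of the two keyrings to validate it before the key is kept — also lets the downloads use `with`, which closes the `open(..., 'b+w')` handle that is currently never closed; `subprocess`, `os` and `sys` are already imported at the top of the file. `main()` continues past this hunk, and whether the CDN can serve the same paths over HTTPS is not visible here, so the signature check is the part that must not be deferred.

```python
# … unchanged: gpgv presence check, archive_keys_url, archive_keys table, keys lookup …
for key in keys:
    url = archive_keys_url + key
    target = os.path.splitext(os.path.basename(key))
    key_path = 'config/archives/' + target[0] + '.key'

    if verbose:
        print('I: Downloading ' + url)

    # key and its detached signature, same URL scheme the shell code used
    with urllib.request.urlopen(url) as r, open(key_path, 'wb') as f:
        f.write(r.read())

    with urllib.request.urlopen(url + '.sig') as r, open(key_path + '.sig', 'wb') as f:
        f.write(r.read())

    # an archive key that cannot be validated must not stay in config/archives
    verified = False
    for keyring in ('/usr/share/keyrings/debian-keyring.gpg',
                    '/usr/share/keyrings/debian-maintainers.gpg'):
        if not os.path.isfile(keyring):
            continue

        rc = subprocess.call(['/usr/bin/gpgv', '--quiet', '--keyring', keyring,
                              key_path + '.sig', key_path],
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if rc == 0:
            verified = True
            break

    if not verified:
        os.remove(key_path)
        print('E: ' + key + ' - signature verification failed', file=sys.stderr)
        sys.exit(1)
```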
diff --git a/scripts/build/config b/scripts/build/config index 7610d5e83..822e265b0 100755 --- a/scripts/build/config +++ b/scripts/build/config 
@@ -1378,89 +1378,5 @@ Name: ${LIVE_IMAGE_NAME} Type: ${LIVE_IMAGE_TYPE} EOF -# TODO: allow verification against user-specified keyring -# For now, we'll only validate against debian-keyring - -# TODO2: use chrooted validation rather than host system based one - -case "${LB_MODE}" in - progress-linux) - case "${LB_DISTRIBUTION}" in - artax) - _KEYS="1-artax" - ;; - - artax-backports) - _KEYS="1-artax 1+-artax-backports" - ;; - - baureo) - _KEYS="2-baureo" - ;; - - baureo-backports) - _KEYS="2-baureo 2+-baureo-backports" - ;; - - chairon) - _KEYS="3-chairon" - ;; - - chairon-backports) - _KEYS="3-chairon 3+-chairon-backports" - ;; - esac - - _URL="${LB_MIRROR_CHROOT}/project/keys" - ;; - - *) - _KEYS="" - ;; -esac - -for _KEY in ${_KEYS} -do - Echo_message "Fetching archive-key ${_KEY}..." - - wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc" -O config/archives/${LB_MODE}.bootstrap.key - wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc.sig" -O config/archives/${LB_MODE}.bootstrap.key.sig - - if [ -e /usr/bin/gpgv ] - then - if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ] - then - _KEY_VALID="" - - for _KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg - do - if [ -e "${_KEYRING}" ] - then - Echo_message "Verifying archive-key ${_KEY} against $(basename ${_KEYRING} .gpg | sed -e 's|-keyring||') keyring..." - - set +e - /usr/bin/gpgv --quiet --keyring ${_KEYRING} config/archives/${LB_MODE}.key.sig config/archives/${LB_MODE}.key > /dev/null 2>&1 && _KEY_VALID="true" && break - set -e - fi - done - - case "${_KEY_VALID}" in - true) - Echo_message "Verifying ${_KEY} signature successful." - ;; - - *) - Echo_error "Verifying ${_KEY} signature failed." - return 1 - ;; - esac - else - Echo_warning "Skipping archive-key ${_KEY} verification, debian-keyring not available..." - fi - else - Echo_warning "Skipping archive-key ${_KEY} verification, gpgv not available..." 
- fi -done - # Creating stage file Create_stagefile .build/config |