author | Daniel Baumann <daniel@debian.org> | 2013-01-27 11:16:25 +0100 |
---|---|---|
committer | Daniel Baumann <daniel@debian.org> | 2013-02-08 21:40:27 +0100 |
commit | 628c93f923da2a3693d8467517bb919cc1d5c591 (patch) | |
tree | 6495c3b759d91d9d99cba18d5a55788fd5587d9c | |
parent | 74dbadf2ff2cb63b9ad7e261bc0fc7c5ed35b33a (diff) | |
download | vyos-live-build-628c93f923da2a3693d8467517bb919cc1d5c591.tar.gz vyos-live-build-628c93f923da2a3693d8467517bb919cc1d5c591.zip |
Adding bootstrap_archive-keys to establish a secure trust-chain on top of debian-keyring for derivatives.
-rw-r--r-- | debian/control | 4 | ||||
-rwxr-xr-x | scripts/build/bootstrap | 1 | ||||
-rwxr-xr-x | scripts/build/bootstrap_archive-keys | 77 | ||||
-rwxr-xr-x | scripts/build/chroot_archives | 8 |
4 files changed, 81 insertions, 9 deletions
diff --git a/debian/control b/debian/control
index fc32657de..d057acef5 100644
--- a/debian/control
+++ b/debian/control
@@ -16,8 +16,8 @@ Recommends:
 live-boot-doc, live-config-doc, live-manual-html | live-manual, cpio, gnu-fdisk
 Suggests:
- dosfstools, xorriso, git, loadlin, memtest86+ | memtest86, mtools, parted,
- squashfs-tools | mtd-tools, sudo | fakeroot, syslinux | grub,
+ dosfstools, debian-keyring, xorriso, git, gpgv, loadlin, memtest86+ | memtest86,
+ mtools, parted, squashfs-tools | mtd-tools, sudo | fakeroot, syslinux | grub,
 uuid-runtime, win32-loader
 Description: Live System Build Scripts
 live-build contains the scripts that build a live system from a configuration
diff --git a/scripts/build/bootstrap b/scripts/build/bootstrap
index ba4f103fb..337e5cfd3 100755
--- a/scripts/build/bootstrap
+++ b/scripts/build/bootstrap
@@ -38,6 +38,7 @@ Setup_cleanup
 lb bootstrap_cache restore ${@}
 lb bootstrap_cdebootstrap ${@}
 lb bootstrap_debootstrap ${@}
+lb bootstrap_archive-keys ${@}
 lb bootstrap_cache save ${@}
 
 # Temporary hack for base-files wrt/ plymouth
diff --git a/scripts/build/bootstrap_archive-keys b/scripts/build/bootstrap_archive-keys
new file mode 100755
index 000000000..2dc94b28f
--- /dev/null
+++ b/scripts/build/bootstrap_archive-keys
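Review bot: debian-keyring and gpgv are added only to Suggests, yet they are exactly what lets the new bootstrap_archive-keys stage verify a downloaded archive key before handing it to apt-key; Suggests is not installed by default, so a stock live-build host takes the unverified import path with nothing but a warning. If host-side verification is meant to be the normal case, `Recommends:` is the field that gets both packages installed by default, or alternatively the stage should refuse to import a key it could not verify. Either way the intent deserves a short note in the package description or in the script, since the current placement makes the security check opt-in.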
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2006-2013 Daniel Baumann <daniel@debian.org>
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="$(Echo 'bootstrap non-Debian archive-signing-keys')"
+HELP=""
+USAGE="${PROGRAM} [--force]"
+
+Arguments "${@}"
+
+# Reading configuration files
+Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
+Set_defaults
+
+# TODO: allow verification against user-specified keyring
+# For now, we'll only validate against debian-keyring
+
+# TODO2: use chrooted validation rather than host system based one
+
+case "${LB_MODE}" in
+ progress-linux)
+ case "${LB_DISTRIBUTION}" in
+ artax*)
+ _KEYS="1.0-artax 1.0-artax-packages"
+ ;;
+
+ baureo*)
+ _KEYS="2.0-baureo 2.0-baureo-packages"
+ ;;
+
+ chairon*)
+ _KEYS="3.0-chairon 3.0-chairon-packages"
+ ;;
+ esac
+
+ _URL="${LB_MIRROR_CHROOT}/project/keys"
+ ;;
+esac
+
+for _KEY in ${_KEYS}
+do
+ Echo_message "Fetching archive-key ${_KEY}..."
+
+ wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
+ wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig
+
+ if [ -e /usr/bin/gpgv ] && [ -e /usr/share/keyrings/debian-keyring.gpg ]
+ then
+ Echo_message "Verifying archive-key ${_KEY} against debian-keyring..."
+
+ /usr/bin/gpgv --quiet --keyring /usr/share/keyrings/debian-keyring.gpg chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 || { Echo_error "archive-key ${_KEY} has invalid signature."; return 1;}
+ else
+ Echo_warning "Skipping archive-key ${_KEY} verification, either gpgv or debian-keyring not available on host system..."
+ fi
+
+ Echo_message "Importing archive-key ${_KEY}..."
+
+ Chroot chroot "apt-key add key.asc"
+ rm -f chroot/key.asc chroot/key.asc.sig
+done
+
+Chroot chroot "apt-get update"
+
+# Creating stage file
+Create_stagefile .build/bootstrap_archive-keys
diff --git a/scripts/build/chroot_archives b/scripts/build/chroot_archives
index 2e02c5448..06e16fb78 100755
--- a/scripts/build/chroot_archives
+++ b/scripts/build/chroot_archives
@@ -554,13 +554,7 @@ EOF
 # Installing keyring packages
 if [ -n "${LB_KEYRING_PACKAGES}" ]
 then
- if [ "${LB_DERIVATIVE}" = "true" ]
- then
- # Temporary hack (FIXME)
- Chroot chroot "apt-get ${APT_OPTIONS} --force-yes install ${LB_KEYRING_PACKAGES}"
- else
- Apt chroot "install ${LB_KEYRING_PACKAGES}"
- fi
+ Apt chroot "install ${LB_KEYRING_PACKAGES}"
 fi
 
 rm -rf chroot/var/cache/apt/*.bin |
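Review bot: The verification step fails open: when gpgv or debian-keyring.gpg is absent on the host, the `else` branch only prints a warning and the key just fetched from `${_URL}` (derived from `LB_MIRROR_CHROOT`, typically a plain http mirror) is still passed to `apt-key add`, so anyone who can tamper with that download gets a key apt will trust for every package afterwards; given the commit's purpose is the trust chain, that branch should abort, e.g. `Echo_error "cannot verify archive-key ${_KEY}: gpgv or debian-keyring not available on host"` followed by `exit 1`. The existing failure handler uses `return 1` at script top level rather than inside a function, which is not portable under `#!/bin/sh` (bash reports an error instead of returning), so it should be `exit 1` as well. The `> /dev/null 2>&1` on the gpgv call also hides why a signature was rejected; gpgv is already `--quiet`, so dropping the redirect keeps the reason in the build log. Note too that verifying against the entire debian-keyring.gpg accepts a signature from any Debian Developer key rather than the derivative's designated signer, which the TODO above partly acknowledges and a comment at the gpgv line should state explicitly. Finally, with `wget -O`, a failed fetch still leaves an empty `chroot/key.asc` behind; `set -e` stops the script, but the stray file is not cleaned up.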
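Review bot: With the `--force-yes` fallback removed, installing `${LB_KEYRING_PACKAGES}` for a derivative now relies on the archive key already being trusted inside the chroot, and the new bootstrap_archive-keys stage only populates `_KEYS` for `LB_MODE` progress-linux; other derivative modes presumably reach this `Apt chroot "install ..."` call with no key imported and fail on unauthenticated packages instead of installing them. Failing there is the safer outcome, but the coupling should be visible at the call site, e.g. `# keys for derivative archives are imported by bootstrap_archive-keys; do not bypass authentication here`. The `if [ -n "${LB_KEYRING_PACKAGES}" ]` block is shown in full, but the `Apt` helper and its options live outside this hunk, so whether it adds any force flags of its own cannot be confirmed here.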