author | Sophie Brun <sophie@freexian.com> | 2016-10-27 16:16:19 +0200 |
committer | Raphaël Hertzog <hertzog@debian.org> | 2016-10-28 08:57:37 +0200 |
commit | e92dbc3696008b33700c7c033b9556bd75415a64 (patch) | |
tree | 8f2bf0138110da4ed8377cef791fcf890e7c07e7 | |
parent | 6e0b98ce05c1a8e8dd140009cc60c7ea348b6fa1 (diff) | |
Handle packages.chroot with an explicitly trusted file:// repository
Up to now we created a temporary GPG key that we registered with apt-key
but with the switch to GnuPG 2 by default, this code broke. Now we stop
doing that but we add the “trusted=yes” attribute in sources.list so
that APT knows that the repository can be trusted even if it's unsigned.
Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
-rwxr-xr-x | scripts/build/chroot_archives | 89 |
1 files changed, 1 insertions, 88 deletions
diff --git a/scripts/build/chroot_archives b/scripts/build/chroot_archives
index 029afe7df..cd27380f7 100755
--- a/scripts/build/chroot_archives
+++ b/scripts/build/chroot_archives
@@ -30,8 +30,6 @@ Set_defaults
 # Requiring stage file
 Require_stagefile .build/config .build/bootstrap
-_LB_LOCAL_KEY_EMAIL="live-build-local-key@invalid"
-
 case "${LB_DERIVATIVE}" in
 true)
 _PARENT_FILE="sources.list.d/debian.list"
@@ -280,87 +278,8 @@ EOF
 -o APT::FTPArchive::Release::Origin=config/packages.chroot \
 release . > Release" | Chroot chroot sh
- if [ "${LB_APT_SECURE}" = "true" ]
- then
- if [ -e chroot/root/.gnupg ]
- then
- mv chroot/root/.gnupg chroot/root/.gnupg.orig
- fi
-
- # Ensure ~/.gnupg exists
- mkdir -p chroot/root/.gnupg
-
- # Temporarily replace /dev/random with /dev/urandom so as not
- # to block automated image builds; we don't care about the
- # security of this key anyway.
- if [ -e chroot/dev/random ]
- then
- mv chroot/dev/random chroot/dev/random.orig
- cp -a chroot/dev/urandom chroot/dev/random
- fi
-
- if Find_files cache/local-package-keyring.*
- then
- cp cache/local-package-keyring.* chroot/root
- else
- # Generate temporary key
- echo "Key-Type: RSA
- Key-Length: 1024
- Subkey-Type: ELG-E
- Subkey-Length: 1024
- Name-Real: live-build local packages key
- Name-Email: ${_LB_LOCAL_KEY_EMAIL}
- Expire-Date: 0
- %secring /root/local-package-keyring.sec
- %pubring /root/local-package-keyring.pub
- %commit" | Chroot chroot "gpg --batch --gen-key" || _LB_RET=${?}
-
- case "${_LB_RET}" in
- ""|2)
- # Gnupg sometimes seems to return with a status of 2 when there was not
- enough entropy (and key creation blocks temporarily) even if the
- operation was ultimately successful.
- ;;
- *)
- Echo_error "GPG exited with error status %s" "${_LB_RET}"
- exit ${_LB_RET}
- ;;
- esac
-
- # Save keyrings to avoid regeneration
- cp chroot/root/local-package-keyring.* cache/
- fi
-
- # Sign release
- Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \
- --keyring /root/local-package-keyring.pub -abs -o \
- /root/packages/Release.gpg /root/packages/Release"
-
- # Import key
- Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \
- --keyring /root/local-package-keyring.pub --armor \
- --export ${_LB_LOCAL_KEY_EMAIL}" | Chroot chroot "apt-key add -"
-
- # Remove temporary keyrings
- rm chroot/root/local-package-keyring.pub
- rm chroot/root/local-package-keyring.sec
-
- # Revert /dev/random
- if [ -e chroot/dev/random.orig ]
- then
- mv chroot/dev/random.orig chroot/dev/random
- fi
-
- rm -rf chroot/root/.gnupg
-
- if [ -e chroot/root/.gnupg.orig ]
- then
- mv chroot/root/.gnupg.orig chroot/root/.gnupg
- fi
- fi
-
 # Add to sources.list.d
- echo "deb file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list
+ echo "deb [ trusted=yes ] file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list
 # Move top-level sources away, otherwise apt always preferes it (#644148)
 if [ -e chroot/etc/apt/sources.list ]
@@ -759,12 +678,6 @@ EOF
 rm -f chroot/etc/apt/sources.list.d/packages.list
 rm -rf chroot/root/packages
- # Remove local packages key if it exists
- if Chroot chroot apt-key list | grep -q ${_LB_LOCAL_KEY_EMAIL}
- then
- Chroot chroot apt-key del ${_LB_LOCAL_KEY_EMAIL}
- fi
-
 # Removing stage file
 rm -f .build/chroot_archives
 ;;
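Review bot: The added `echo "deb [ trusted=yes ] file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list` marks the local repository as authenticated unconditionally, while the signing block it replaces was gated on `LB_APT_SECURE`, and nothing in the hunk records why an unsigned Release is acceptable here; a reader of the remaining code is left wondering whether a signature step went missing. A comment above the line would settle that, e.g. `# /root/packages holds the builder's own config/packages.chroot files and its apt-ftparchive Release is unsigned; trusted=yes tells APT to accept it without a signature check (LB_APT_SECURE does not apply to this local source).` The `rm -f chroot/etc/apt/sources.list.d/packages.list` context in the third hunk suggests the entry is removed again before the image is finalised, so the trusted flag does not appear to persist, but that removal branch starts outside the hunk and is worth confirming. The case arm enclosing the new line also begins before this hunk.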