authorSophie Brun <sophie@freexian.com>2016-10-27 16:16:19 +0200
committerRaphaël Hertzog <hertzog@debian.org>2016-10-28 08:57:37 +0200
commite92dbc3696008b33700c7c033b9556bd75415a64 (patch)
tree8f2bf0138110da4ed8377cef791fcf890e7c07e7
parent6e0b98ce05c1a8e8dd140009cc60c7ea348b6fa1 (diff)
Handle packages.chroot with an explicitly trusted file:// repository
Up to now we created a temporary GPG key that we registered with apt-key, but with the switch to GnuPG 2 by default this code broke. Now we stop doing that and instead add the "trusted=yes" attribute in sources.list so that APT knows the repository can be trusted even though it is unsigned. Signed-off-by: Raphaël Hertzog <hertzog@debian.org>
-rwxr-xr-xscripts/build/chroot_archives89
1 files changed, 1 insertions, 88 deletions
diff --git a/scripts/build/chroot_archives b/scripts/build/chroot_archives
index 029afe7df..cd27380f7 100755
--- a/scripts/build/chroot_archives
+++ b/scripts/build/chroot_archives
@@ -30,8 +30,6 @@ Set_defaults
# Requiring stage file
Require_stagefile .build/config .build/bootstrap
-_LB_LOCAL_KEY_EMAIL="live-build-local-key@invalid"
-
case "${LB_DERIVATIVE}" in
true)
_PARENT_FILE="sources.list.d/debian.list"
@@ -280,87 +278,8 @@ EOF
-o APT::FTPArchive::Release::Origin=config/packages.chroot \
release . > Release" | Chroot chroot sh
- if [ "${LB_APT_SECURE}" = "true" ]
- then
- if [ -e chroot/root/.gnupg ]
- then
- mv chroot/root/.gnupg chroot/root/.gnupg.orig
- fi
-
- # Ensure ~/.gnupg exists
- mkdir -p chroot/root/.gnupg
-
- # Temporarily replace /dev/random with /dev/urandom so as not
- # to block automated image builds; we don't care about the
- # security of this key anyway.
- if [ -e chroot/dev/random ]
- then
- mv chroot/dev/random chroot/dev/random.orig
- cp -a chroot/dev/urandom chroot/dev/random
- fi
-
- if Find_files cache/local-package-keyring.*
- then
- cp cache/local-package-keyring.* chroot/root
- else
- # Generate temporary key
- echo "Key-Type: RSA
- Key-Length: 1024
- Subkey-Type: ELG-E
- Subkey-Length: 1024
- Name-Real: live-build local packages key
- Name-Email: ${_LB_LOCAL_KEY_EMAIL}
- Expire-Date: 0
- %secring /root/local-package-keyring.sec
- %pubring /root/local-package-keyring.pub
- %commit" | Chroot chroot "gpg --batch --gen-key" || _LB_RET=${?}
-
- case "${_LB_RET}" in
- ""|2)
- # Gnupg sometimes seems to return with a status of 2 when there was not
- # enough entropy (and key creation blocks temporarily) even if the
- # operation was ultimately successful.
- ;;
- *)
- Echo_error "GPG exited with error status %s" "${_LB_RET}"
- exit ${_LB_RET}
- ;;
- esac
-
- # Save keyrings to avoid regeneration
- cp chroot/root/local-package-keyring.* cache/
- fi
-
- # Sign release
- Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \
- --keyring /root/local-package-keyring.pub -abs -o \
- /root/packages/Release.gpg /root/packages/Release"
-
- # Import key
- Chroot chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \
- --keyring /root/local-package-keyring.pub --armor \
- --export ${_LB_LOCAL_KEY_EMAIL}" | Chroot chroot "apt-key add -"
-
- # Remove temporary keyrings
- rm chroot/root/local-package-keyring.pub
- rm chroot/root/local-package-keyring.sec
-
- # Revert /dev/random
- if [ -e chroot/dev/random.orig ]
- then
- mv chroot/dev/random.orig chroot/dev/random
- fi
-
- rm -rf chroot/root/.gnupg
-
- if [ -e chroot/root/.gnupg.orig ]
- then
- mv chroot/root/.gnupg.orig chroot/root/.gnupg
- fi
- fi
-
# Add to sources.list.d
- echo "deb file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list
+ echo "deb [ trusted=yes ] file:/root/packages ./" > chroot/etc/apt/sources.list.d/packages.list
# Move top-level sources away, otherwise apt always preferes it (#644148)
if [ -e chroot/etc/apt/sources.list ]
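Review bot: The `[ trusted=yes ]` entry written on the new `echo` line is unconditional, so the local file:/root/packages repository now bypasses APT's signature check even when `LB_APT_SECURE` is true, whereas the removed code only skipped signing when that option was off; the attribute also silences APT's unauthenticated-package warning for everything under /root/packages, so the intent deserves a comment rather than being implicit. Suggested comment above the echo: `# packages.chroot contents are supplied by the image builder and are unsigned; [trusted=yes] makes APT accept them without a Release.gpg instead of signing with a throwaway key.` Since the keyring generation is gone, any `cache/local-package-keyring.*` left by earlier builds is no longer consumed, and the visible cleanup hunk removes only packages.list and /root/packages, so stale keyrings may linger in cache/ (inferred from the removed lines, not directly visible). The enclosing conditional block around this `echo` starts before the hunk.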
@@ -759,12 +678,6 @@ EOF
rm -f chroot/etc/apt/sources.list.d/packages.list
rm -rf chroot/root/packages
- # Remove local packages key if it exists
- if Chroot chroot apt-key list | grep -q ${_LB_LOCAL_KEY_EMAIL}
- then
- Chroot chroot apt-key del ${_LB_LOCAL_KEY_EMAIL}
- fi
-
# Removing stage file
rm -f .build/chroot_archives
;;