author | Daniel Baumann <mail@daniel-baumann.ch> | 2013-11-04 13:34:43 +0100 |
---|---|---|
committer | Daniel Baumann <mail@daniel-baumann.ch> | 2013-11-04 13:34:43 +0100 |
commit | 83dacd9b39fdfd3053fcbc2c80fc3151525ed42d (patch) | |
tree | b92a200d463973b8acf96d27ba078e04762a6059 /scripts/build/config | |
parent | 35919637afca7890c183930418f1d0580361f5dc (diff) | |
download | vyos-live-build-83dacd9b39fdfd3053fcbc2c80fc3151525ed42d.tar.gz vyos-live-build-83dacd9b39fdfd3053fcbc2c80fc3151525ed42d.zip |
Stuffing bootstrapping of archive-keys for derivatives into lb_config: it's not a runtime thing, and its logic should not be embedded in live-build but in the config directory.
Diffstat (limited to 'scripts/build/config')
-rwxr-xr-x | scripts/build/config | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/scripts/build/config b/scripts/build/config
index 5f8012edb..080d2db25 100755
--- a/scripts/build/config
+++ b/scripts/build/config
@@ -1357,6 +1357,8 @@ then
 Echo_warning "Make sure you are using the newest version at all times."
 fi
+Echo_message "Symlinking hooks..."
+
 for _HOOK in "${LIVE_BUILD}"/share/hooks/*.hook* /usr/share/live/build/hooks/*.hook*
 do
 if [ -e "${_HOOK}" ] && [ ! -e "config/hooks/$(basename ${_HOOK})" ]
@@ -1393,5 +1395,89 @@ Name: ${LIVE_IMAGE_NAME}
 Type: ${LIVE_IMAGE_TYPE}
 EOF
+# TODO: allow verification against user-specified keyring
+# For now, we'll only validate against debian-keyring
+
+# TODO2: use chrooted validation rather than host system based one
+
+case "${LB_MODE}" in
+ progress-linux)
+ case "${LB_DISTRIBUTION}" in
+ artax)
+ _KEYS="1-artax"
+ ;;
+
+ artax-backports)
+ _KEYS="1-artax 1+-artax-backports"
+ ;;
+
+ baureo)
+ _KEYS="2-baureo"
+ ;;
+
+ baureo-backports)
+ _KEYS="2-baureo 2+-baureo-backports"
+ ;;
+
+ chairon)
+ _KEYS="3-chairon"
+ ;;
+
+ chairon-backports)
+ _KEYS="3-chairon 3+-chairon-backports"
+ ;;
+ esac
+
+ _URL="${LB_MIRROR_CHROOT}/project/keys"
+ ;;
+
+ *)
+ _KEYS=""
+ ;;
+esac
+
+for _KEY in ${_KEYS}
+do
+ Echo_message "Fetching archive-key ${_KEY}..."
+
+ wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc" -O config/archives/${LB_MODE}.bootstrap.key
+ wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc.sig" -O config/archives/${LB_MODE}.bootstrap.key.sig
+
+ if [ -e /usr/bin/gpgv ]
+ then
+ if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
+ then
+ _KEY_VALID=""
+
+ for _KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
+ do
+ if [ -e "${_KEYRING}" ]
+ then
+ Echo_message "Verifying archive-key ${_KEY} against $(basename ${_KEYRING} .gpg | sed -e 's|-keyring||') keyring..."
+
+ set +e
+ /usr/bin/gpgv --quiet --keyring ${_KEYRING} config/archives/${LB_MODE}.key.sig config/archives/${LB_MODE}.key > /dev/null 2>&1 && _KEY_VALID="true" && break
+ set -e
+ fi
+ done
+
+ case "${_KEY_VALID}" in
+ true)
+ Echo_message "Verifying ${_KEY} signature successful."
+ ;;
+
+ *)
+ Echo_error "Verifying ${_KEY} signature failed."
+ return 1
+ ;;
+ esac
+ else
+ Echo_warning "Skipping archive-key ${_KEY} verification, debian-keyring not available..."
+ fi
+ else
+ Echo_warning "Skipping archive-key ${_KEY} verification, gpgv not available..."
+ fi
+done
+
 # Creating stage file
 Create_stagefile .build/config |
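Review bot: The gpgv call verifies `config/archives/${LB_MODE}.key.sig` against `config/archives/${LB_MODE}.key`, but the two wget lines above write the fetched key to `config/archives/${LB_MODE}.bootstrap.key` and `.bootstrap.key.sig`, so the check runs on files this loop never produced and will fail (or pass on a stale pair from elsewhere) regardless of what was just downloaded; the line should read `/usr/bin/gpgv --quiet --keyring "${_KEYRING}" "config/archives/${LB_MODE}.bootstrap.key.sig" "config/archives/${LB_MODE}.bootstrap.key" > /dev/null 2>&1 && _KEY_VALID="true" && break`. On the `*)` failure branch the unverified key and signature have already been written and remain in config/archives for the bootstrap stage to pick up, so add `rm -f -- "config/archives/${LB_MODE}.bootstrap.key" "config/archives/${LB_MODE}.bootstrap.key.sig"` before the error exit. That exit is `return 1`, which only terminates the run if this script is sourced; if `lb config` executes it as a process, bash reports an error and continues past the failed key, so `exit 1` is the safer form unless the sourcing contract is established elsewhere in the file. A multi-key list such as `1-artax 1+-artax-backports` writes every key to the same `-O` path, so only the last key survives the loop; if both are meant to be trusted they need to be appended or written to distinct files. The two Echo_warning fallbacks mean a host without gpgv or the Debian keyrings proceeds with an unverified key, which deserves an explicit sentence in the TODO comment at the top of the hunk.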