From d06b25079fb147be2cdc8a201662f7bc6da2211f Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 27 Jan 2013 11:16:25 +0100 Subject: Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. --- scripts/build/bootstrap_archive-keys | 77 ++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100755 scripts/build/bootstrap_archive-keys (limited to 'scripts/build/bootstrap_archive-keys') diff --git a/scripts/build/bootstrap_archive-keys b/scripts/build/bootstrap_archive-keys new file mode 100755 index 000000000..2dc94b28f --- /dev/null +++ b/scripts/build/bootstrap_archive-keys @@ -0,0 +1,77 @@ +#!/bin/sh + +## live-build(7) - System Build Scripts +## Copyright (C) 2006-2013 Daniel Baumann +## +## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING. +## This is free software, and you are welcome to redistribute it +## under certain conditions; see COPYING for details. + + +set -e + +# Including common functions +[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh + +# Setting static variables +DESCRIPTION="$(Echo 'bootstrap non-Debian archive-signing-keys')" +HELP="" +USAGE="${PROGRAM} [--force]" + +Arguments "${@}" + +# Reading configuration files +Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source +Set_defaults + +# TODO: allow verification against user-specified keyring +# For now, we'll only validate against debian-keyring + +# TODO2: use chrooted validation rather than host system based one + +case "${LB_MODE}" in + progress-linux) + case "${LB_DISTRIBUTION}" in + artax*) + _KEYS="1.0-artax 1.0-artax-packages" + ;; + + baureo*) + _KEYS="2.0-baureo 2.0-baureo-packages" + ;; + + chairon*) + _KEYS="3.0-chairon 3.0-chairon-packages" + ;; + esac + + _URL="${LB_MIRROR_CHROOT}/project/keys" + ;; +esac + +for _KEY in ${_KEYS} +do + Echo_message "Fetching archive-key ${_KEY}..." + + wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc + wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig + + if [ -e /usr/bin/gpgv ] && [ -e /usr/share/keyrings/debian-keyring.gpg ] + then + Echo_message "Verifying archive-key ${_KEY} against debian-keyring..." + + /usr/bin/gpgv --quiet --keyring /usr/share/keyrings/debian-keyring.gpg chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 || { Echo_error "archive-key ${_KEY} has invalid signature."; return 1;} + else + Echo_warning "Skipping archive-key ${_KEY} verification, either gpgv or debian-keyring not available on host system..." + fi + + Echo_message "Importing archive-key ${_KEY}..." + + Chroot chroot "apt-key add key.asc" + rm -f chroot/key.asc chroot/key.asc.sig +done + +Chroot chroot "apt-get update" + +# Creating stage file +Create_stagefile .build/bootstrap_archive-keys -- cgit v1.2.3