From 1bbd4778e085913b5c28f65109ba575ff34fe502 Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Thu, 26 Jun 2014 12:43:29 +0100 Subject: [PATCH] If EXTRA_PPAS is set in the environment (as a space-separated sequence of / pairs), fetch signing keys for those from Launchpad using python3-software-properties, and add those PPAs when building the live filesystem. This makes it easier for a builder to build an image against an additional PPA (LP: #1334374). --- debian/changelog | 10 ++++++++++ debian/control | 2 +- debian/install | 1 + get-ppa-fingerprint | 16 ++++++++++++++++ live-build/auto/config | 39 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 67 insertions(+), 1 deletion(-) create mode 100755 get-ppa-fingerprint diff --git a/debian/changelog b/debian/changelog index 19f6abde..bb83b18b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +livecd-rootfs (2.208.2) UNRELEASED; urgency=medium + + * If EXTRA_PPAS is set in the environment (as a space-separated sequence + of / pairs), fetch signing keys for those from + Launchpad using python3-software-properties, and add those PPAs when + building the live filesystem. This makes it easier for a builder to + build an image against an additional PPA (LP: #1334374). + + -- Colin Watson Thu, 26 Jun 2014 12:39:33 +0100 + livecd-rootfs (2.208.1) trusty; urgency=medium * Install linux-signed-generic directly in live passes rather than relying diff --git a/debian/control b/debian/control index 0a8bd9b2..541576ff 100644 --- a/debian/control +++ b/debian/control 
@@ -8,7 +8,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-core-dev/livecd-rootfs/trunk Package: livecd-rootfs Architecture: any -Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf] +Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf], python3-software-properties Suggests: partimage Breaks: ubuntu-defaults-builder (<< 0.32) Description: construction script for the livecd rootfs diff --git a/debian/install b/debian/install index 4304692e..91d6ea37 100644 --- a/debian/install +++ b/debian/install @@ -1 +1,2 @@ live-build usr/share/livecd-rootfs +get-ppa-fingerprint usr/share/livecd-rootfs diff --git a/get-ppa-fingerprint b/get-ppa-fingerprint new file mode 100755 index 00000000..fed1dfc7 --- /dev/null +++ b/get-ppa-fingerprint @@ -0,0 +1,16 @@ +#! /usr/bin/python3 + +from __future__ import print_function + +from optparse import OptionParser + +from softwareproperties import ppa + + +parser = OptionParser(usage="%prog OWNER/NAME") +_, args = parser.parse_args() +if not args: + parser.error("must provide a PPA owner/name") +owner_name, ppa_name = args[0].split("/") +ppa_info = ppa.get_ppa_info_from_lp(owner_name, ppa_name) +print(ppa_info["signing_key_fingerprint"]) diff --git a/live-build/auto/config b/live-build/auto/config index 92003a5e..0e2f735a 100755 --- a/live-build/auto/config +++ b/live-build/auto/config 
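Review bot: `owner_name, ppa_name = args[0].split("/")` in the new get-ppa-fingerprint raises an unhandled ValueError when the argument has no slash or more than one, so a malformed EXTRA_PPAS entry ends in a traceback rather than a usage error; `if args[0].count("/") != 1: parser.error("PPA must be given as OWNER/NAME")` before the split would handle it. The printed `signing_key_fingerprint` is the value live-build/auto/config later compares the keyserver's key against, so the script should check that it is present and is a full-length hex fingerprint, and exit non-zero otherwise. How `ppa.get_ppa_info_from_lp` reaches Launchpad is not visible in this hunk; the fingerprint is only as trustworthy as that lookup, so confirm it goes over certificate-verified HTTPS. As a style point, `from __future__ import print_function` is redundant under the python3 shebang.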
@@ -532,6 +532,45 @@ EOF ;; esac +if [ "$EXTRA_PPAS" ]; then + rm -f config/archives/extra-ppas.list.chroot \ + config/archives/extra-ppas.key.chroot + gpg_tmpdir="$(mktemp -d)" + run_gpg () { + gpg --no-default-keyring --no-options --homedir "$gpg_tmpdir" \ + --secret-keyring "$gpg_tmpdir/secring.gpg" \ + --keyserver hkp://keyserver.ubuntu.com:80/ \ + "$@" + } + for extra_ppa in $EXTRA_PPAS; do + extra_ppa_fingerprint="$(/usr/share/livecd-rootfs/get-ppa-fingerprint "$extra_ppa")" + echo "deb http://ppa.launchpad.net/$extra_ppa/ubuntu @DISTRIBUTION@ main" >> config/archives/extra-ppas.list.chroot + run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \ + --recv "$extra_ppa_fingerprint" + run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \ + --output "$gpg_tmpdir/export.gpg" \ + --export "$extra_ppa_fingerprint" + got_fingerprint="$( + run_gpg --keyring "$gpg_tmpdir/export.gpg" \ + --fingerprint --batch --with-colons | + grep '^fpr:' | cut -d: -f10)" + if [ "$got_fingerprint" != "$extra_ppa_fingerprint" ]; then + echo "Fingerprints do not match. Got:" >&2 + echo "$got_fingerprint" | sed 's/^/ /' >&2 + echo "Expected:" >&2 + echo " $extra_ppa_fingerprint" >&2 + exit 1 + fi + cat "$gpg_tmpdir/export.gpg" >> config/archives/extra-ppas.key.chroot + rm -f "$gpg_tmpdir/export.gpg" + done + rm -rf "$gpg_tmpdir" + cp -a config/archives/extra-ppas.list.chroot \ + config/archives/extra-ppas.list.binary + cp -a config/archives/extra-ppas.key.chroot \ + config/archives/extra-ppas.key.binary +fi + # cribbed from cdimage, perhaps this should be a small helper script in germinate? add_inheritance () { case " $inherit " in
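Review bot: The fingerprint comparison in the `for extra_ppa in $EXTRA_PPAS` loop can pass when both sides are empty. If get-ppa-fingerprint fails or prints nothing, `$extra_ppa_fingerprint` is empty, and with a still-empty keyring the export likely yields an empty `$got_fingerprint`, so `[ "$got_fingerprint" != "$extra_ppa_fingerprint" ]` is false. Whether `set -e` is in effect is not visible in this hunk, so I would add an explicit check right after the helper call: `[ -n "$extra_ppa_fingerprint" ] || { echo "No signing key fingerprint for $extra_ppa" >&2; exit 1; }`. The `deb` line is also appended to extra-ppas.list.chroot before the key has been verified; moving that `echo` below the comparison keeps the list and key files in step. The `exit 1` path leaves `$gpg_tmpdir` behind, which `trap 'rm -rf "$gpg_tmpdir"' EXIT` would cover, provided it does not clash with a trap set elsewhere in the script.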