If EXTRA_PPAS is set in the environment (as a space-separated sequence

of <ppa-owner>/<ppa-name> pairs), fetch signing keys for those from
Launchpad using python3-software-properties, and add those PPAs when
building the live filesystem.  This makes it easier for a builder to
build an image against an additional PPA (LP: #1334374).

debian/changelog

@@ -1,3 +1,13 @@
+livecd-rootfs (2.208.2) UNRELEASED; urgency=medium
+
+  * If EXTRA_PPAS is set in the environment (as a space-separated sequence
+    of <ppa-owner>/<ppa-name> pairs), fetch signing keys for those from
+    Launchpad using python3-software-properties, and add those PPAs when
+    building the live filesystem.  This makes it easier for a builder to
+    build an image against an additional PPA (LP: #1334374).
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Thu, 26 Jun 2014 12:39:33 +0100
+
 livecd-rootfs (2.208.1) trusty; urgency=medium
 
   * Install linux-signed-generic directly in live passes rather than relying

debian/control

@@ -8,7 +8,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-core-dev/livecd-rootfs/trunk
 
 Package: livecd-rootfs
 Architecture: any
-Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf]
+Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf], python3-software-properties
 Suggests: partimage
 Breaks: ubuntu-defaults-builder (<< 0.32)
 Description: construction script for the livecd rootfs

debian/install

@@ -1 +1,2 @@
 live-build usr/share/livecd-rootfs
+get-ppa-fingerprint usr/share/livecd-rootfs

get-ppa-fingerprint

@@ -0,0 +1,16 @@
+#! /usr/bin/python3
+
+from __future__ import print_function
+
+from optparse import OptionParser
+
+from softwareproperties import ppa
+
+
+parser = OptionParser(usage="%prog OWNER/NAME")
+_, args = parser.parse_args()
+if not args:
+    parser.error("must provide a PPA owner/name")
+owner_name, ppa_name = args[0].split("/")
+ppa_info = ppa.get_ppa_info_from_lp(owner_name, ppa_name)
+print(ppa_info["signing_key_fingerprint"])

live-build/auto/config

@@ -532,6 +532,45 @@ EOF
 		;;
 esac
 
+if [ "$EXTRA_PPAS" ]; then
+	rm -f config/archives/extra-ppas.list.chroot \
+	      config/archives/extra-ppas.key.chroot
+	gpg_tmpdir="$(mktemp -d)"
+	run_gpg () {
+		gpg --no-default-keyring --no-options --homedir "$gpg_tmpdir" \
+			--secret-keyring "$gpg_tmpdir/secring.gpg" \
+			--keyserver hkp://keyserver.ubuntu.com:80/ \
+			"$@"
+	}
+	for extra_ppa in $EXTRA_PPAS; do
+		extra_ppa_fingerprint="$(/usr/share/livecd-rootfs/get-ppa-fingerprint "$extra_ppa")"
+		echo "deb http://ppa.launchpad.net/$extra_ppa/ubuntu @DISTRIBUTION@ main" >> config/archives/extra-ppas.list.chroot
+		run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \
+			--recv "$extra_ppa_fingerprint"
+		run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \
+			--output "$gpg_tmpdir/export.gpg" \
+			--export "$extra_ppa_fingerprint"
+		got_fingerprint="$(
+			run_gpg --keyring "$gpg_tmpdir/export.gpg" \
+				--fingerprint --batch --with-colons |
+			grep '^fpr:' | cut -d: -f10)"
+		if [ "$got_fingerprint" != "$extra_ppa_fingerprint" ]; then
+			echo "Fingerprints do not match.  Got:" >&2
+			echo "$got_fingerprint" | sed 's/^/  /' >&2
+			echo "Expected:" >&2
+			echo "  $extra_ppa_fingerprint" >&2
+			exit 1
+		fi
+		cat "$gpg_tmpdir/export.gpg" >> config/archives/extra-ppas.key.chroot
+		rm -f "$gpg_tmpdir/export.gpg"
+	done
+	rm -rf "$gpg_tmpdir"
+	cp -a config/archives/extra-ppas.list.chroot \
+	      config/archives/extra-ppas.list.binary
+	cp -a config/archives/extra-ppas.key.chroot \
+	      config/archives/extra-ppas.key.binary
+fi
+
 # cribbed from cdimage, perhaps this should be a small helper script in germinate?
 add_inheritance () {
 	case " $inherit " in