The EXTRA_ARCHIVES environment variable defined in 2.212 doesn't quite

work properly because it doesn't allow for signing key configuration. Rename it to the more domain-specific EXTRA_PPAS (which is now a space-separated sequence of <ppa-owner>/<ppa-name> pairs), and fetch signing keys for those from Launchpad using python3-software-properties.
2025-02-12 13:57:08 +00:00 · 2014-05-19 15:28:05 +01:00 · 2014-05-19 15:28:05 +01:00 · 4923df1abf
commit 4923df1abf
parent 14c091eff2
5 changed files with 65 additions and 6 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,13 @@
+livecd-rootfs (2.213) UNRELEASED; urgency=medium
+
+  * The EXTRA_ARCHIVES environment variable defined in 2.212 doesn't quite
+    work properly because it doesn't allow for signing key configuration.
+    Rename it to the more domain-specific EXTRA_PPAS (which is now a
+    space-separated sequence of <ppa-owner>/<ppa-name> pairs), and fetch
+    signing keys for those from Launchpad using python3-software-properties.
+
+ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 19 May 2014 15:24:43 +0100
+
 livecd-rootfs (2.212) utopic; urgency=medium

  * live-build/auto/config: If EXTRA_ARCHIVES is set in the environment,
--- a/debian/control
+++ b/debian/control
@ -8,7 +8,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-core-dev/livecd-rootfs/trunk

 Package: livecd-rootfs
 Architecture: any
-Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf]
+Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf], python3-software-properties
 Suggests: partimage
 Breaks: ubuntu-defaults-builder (<< 0.32)
 Description: construction script for the livecd rootfs
--- a/debian/install
+++ b/debian/install
@ -1 +1,2 @@
 live-build usr/share/livecd-rootfs
+get-ppa-fingerprint usr/share/livecd-rootfs
--- a/16
+++ b/16
@ -0,0 +1,16 @@
+#! /usr/bin/python3
+
+from __future__ import print_function
+
+from optparse import OptionParser
+
+from softwareproperties import ppa
+
+
+parser = OptionParser(usage="%prog OWNER/NAME")
+_, args = parser.parse_args()
+if not args:
+    parser.error("must provide a PPA owner/name")
+owner_name, ppa_name = args[0].split("/")
+ppa_info = ppa.get_ppa_info_from_lp(owner_name, ppa_name)
+print(ppa_info["signing_key_fingerprint"])
--- a/live-build/auto/config
+++ b/live-build/auto/config
@ -498,11 +498,43 @@ EOF
 		;;
 esac

-if [ "$EXTRA_ARCHIVES" ]; then
-	printf '%s\n' "$EXTRA_ARCHIVES" \
-		> config/archives/extra-archives.list.chroot
-	cp -a config/archives/extra-archives.list.chroot \
-	      config/archives/extra-archives.list.binary
+if [ "$EXTRA_PPAS" ]; then
+	rm -f config/archives/extra-ppas.list.chroot \
+	      config/archives/extra-ppas.key.chroot
+	gpg_tmpdir="$(mktemp -d)"
+	run_gpg () {
+		gpg --no-default-keyring --no-options --homedir "$gpg_tmpdir" \
+			--secret-keyring "$gpg_tmpdir/secring.gpg" \
+			--keyserver hkp://keyserver.ubuntu.com:80/ \
+			"$@"
+	}
+	for extra_ppa in $EXTRA_PPAS; do
+		extra_ppa_fingerprint="$(/usr/share/livecd-rootfs/get-ppa-fingerprint "$extra_ppa")"
+		echo "deb http://ppa.launchpad.net/$extra_ppa/ubuntu @DISTRIBUTION@ main" >> config/archives/extra-ppas.list.chroot
+		run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \
+			--recv "$extra_ppa_fingerprint"
+		run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \
+			--output "$gpg_tmpdir/export.gpg" \
+			--export "$extra_ppa_fingerprint"
+		got_fingerprint="$(
+			run_gpg --keyring "$gpg_tmpdir/export.gpg" \
+				--fingerprint --batch --with-colons |
+			grep '^fpr:' | cut -d: -f10)"
+		if [ "$got_fingerprint" != "$extra_ppa_fingerprint" ]; then
+			echo "Fingerprints do not match.  Got:" >&2
+			echo "$got_fingerprint" | sed 's/^/  /' >&2
+			echo "Expected:" >&2
+			echo "  $extra_ppa_fingerprint" >&2
+			exit 1
+		fi
+		cat "$gpg_tmpdir/export.gpg" >> config/archives/extra-ppas.key.chroot
+		rm -f "$gpg_tmpdir/export.gpg"
+	done
+	rm -rf "$gpg_tmpdir"
+	cp -a config/archives/extra-ppas.list.chroot \
+	      config/archives/extra-ppas.list.binary
+	cp -a config/archives/extra-ppas.key.chroot \
+	      config/archives/extra-ppas.key.binary
 fi

 # cribbed from cdimage, perhaps this should be a small helper script in germinate?