From 4923df1abfb1cd9eb6454b3d8f6130a86d03738b Mon Sep 17 00:00:00 2001
From: Colin Watson
Date: Mon, 19 May 2014 15:28:05 +0100
Subject: [PATCH] The EXTRA_ARCHIVES environment variable defined in 2.212 doesn't quite work properly because it doesn't allow for signing key configuration. Rename it to the more domain-specific EXTRA_PPAS (which is now a space-separated sequence of / pairs), and fetch signing keys for those from Launchpad using python3-software-properties.
---
 debian/changelog | 10 ++++++++++
 debian/control | 2 +-
 debian/install | 1 +
 get-ppa-fingerprint | 16 ++++++++++++++++
 live-build/auto/config | 42 +++++++++++++++++++++++++++++++++++++-----
 5 files changed, 65 insertions(+), 6 deletions(-)
 create mode 100755 get-ppa-fingerprint
diff --git a/debian/changelog b/debian/changelog
index b8891371..f9550cf4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+livecd-rootfs (2.213) UNRELEASED; urgency=medium
+
+ * The EXTRA_ARCHIVES environment variable defined in 2.212 doesn't quite
+ work properly because it doesn't allow for signing key configuration.
+ Rename it to the more domain-specific EXTRA_PPAS (which is now a
+ space-separated sequence of / pairs), and fetch
+ signing keys for those from Launchpad using python3-software-properties.
+
+ -- Colin Watson Mon, 19 May 2014 15:24:43 +0100
+
 livecd-rootfs (2.212) utopic; urgency=medium
 * live-build/auto/config: If EXTRA_ARCHIVES is set in the environment,
diff --git a/debian/control b/debian/control
index 0a8bd9b2..541576ff 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Vcs-Bzr: http://bazaar.launchpad.net/~ubuntu-core-dev/livecd-rootfs/trunk
 Package: livecd-rootfs
 Architecture: any
-Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf]
+Depends: ${misc:Depends}, debootstrap, rsync, python-minimal | python, procps, squashfs-tools (>= 1:3.3-1), grep-dctrl, fdupes, lsb-release, lzma, e2fsprogs, germinate (>= 1.25.1), apt-utils, gnupg, live-build (>= 3.0~a55-1), android-tools-fsutils [armhf], python3-software-properties
 Suggests: partimage
 Breaks: ubuntu-defaults-builder (<< 0.32)
 Description: construction script for the livecd rootfs
diff --git a/debian/install b/debian/install
index 4304692e..91d6ea37 100644
--- a/debian/install
+++ b/debian/install
@@ -1 +1,2 @@
 live-build usr/share/livecd-rootfs
+get-ppa-fingerprint usr/share/livecd-rootfs
diff --git a/get-ppa-fingerprint b/get-ppa-fingerprint
new file mode 100755
index 00000000..fed1dfc7
--- /dev/null
+++ b/get-ppa-fingerprint
@@ -0,0 +1,16 @@
+#! /usr/bin/python3
+
+from __future__ import print_function
+
+from optparse import OptionParser
+
+from softwareproperties import ppa
+
+
+parser = OptionParser(usage="%prog OWNER/NAME")
+_, args = parser.parse_args()
+if not args:
+ parser.error("must provide a PPA owner/name")
+owner_name, ppa_name = args[0].split("/")
+ppa_info = ppa.get_ppa_info_from_lp(owner_name, ppa_name)
+print(ppa_info["signing_key_fingerprint"])
diff --git a/live-build/auto/config b/live-build/auto/config
index 0334ec4f..f81e1c0c 100755
--- a/live-build/auto/config
+++ b/live-build/auto/config
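Review bot: `owner_name, ppa_name = args[0].split("/")` in get-ppa-fingerprint raises an unhandled ValueError for any argument that does not contain exactly one "/", so a malformed EXTRA_PPAS entry produces a traceback instead of the usage error the preceding `parser.error` call establishes as the convention; validate before unpacking, e.g. `parts = args[0].split("/")`, `if len(parts) != 2 or not all(parts): parser.error("PPA must be given as OWNER/NAME")`, `owner_name, ppa_name = parts`. Either way the process exits non-zero with nothing on stdout, which matters because the caller in live-build/auto/config consumes only stdout as the fingerprint, and that contract deserves a module docstring such as `"""Print the signing-key fingerprint Launchpad publishes for OWNER/NAME; exit non-zero with empty stdout on any failure."""`. Presumably `ppa.get_ppa_info_from_lp` talks to Launchpad over the network, so the same empty-stdout expectation applies to a missing `signing_key_fingerprint` key (a KeyError at the final print); confirm against python3-software-properties. `from __future__ import print_function` is a no-op under the `#! /usr/bin/python3` shebang and could be dropped.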
@@ -498,11 +498,43 @@ EOF
 ;;
 esac
-if [ "$EXTRA_ARCHIVES" ]; then
-printf '%s\n' "$EXTRA_ARCHIVES" \
-> config/archives/extra-archives.list.chroot
-cp -a config/archives/extra-archives.list.chroot \
-config/archives/extra-archives.list.binary
+if [ "$EXTRA_PPAS" ]; then
+rm -f config/archives/extra-ppas.list.chroot \
+config/archives/extra-ppas.key.chroot
+gpg_tmpdir="$(mktemp -d)"
+run_gpg () {
+gpg --no-default-keyring --no-options --homedir "$gpg_tmpdir" \
+--secret-keyring "$gpg_tmpdir/secring.gpg" \
+--keyserver hkp://keyserver.ubuntu.com:80/ \
+"$@"
+}
+for extra_ppa in $EXTRA_PPAS; do
+extra_ppa_fingerprint="$(/usr/share/livecd-rootfs/get-ppa-fingerprint "$extra_ppa")"
+echo "deb http://ppa.launchpad.net/$extra_ppa/ubuntu @DISTRIBUTION@ main" >> config/archives/extra-ppas.list.chroot
+run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \
+--recv "$extra_ppa_fingerprint"
+run_gpg --keyring "$gpg_tmpdir/pubring.gpg" \
+--output "$gpg_tmpdir/export.gpg" \
+--export "$extra_ppa_fingerprint"
+got_fingerprint="$(
+run_gpg --keyring "$gpg_tmpdir/export.gpg" \
+--fingerprint --batch --with-colons |
+grep '^fpr:' | cut -d: -f10)"
+if [ "$got_fingerprint" != "$extra_ppa_fingerprint" ]; then
+echo "Fingerprints do not match. Got:" >&2
+echo "$got_fingerprint" | sed 's/^/ /' >&2
+echo "Expected:" >&2
+echo " $extra_ppa_fingerprint" >&2
+exit 1
+fi
+cat "$gpg_tmpdir/export.gpg" >> config/archives/extra-ppas.key.chroot
+rm -f "$gpg_tmpdir/export.gpg"
+done
+rm -rf "$gpg_tmpdir"
+cp -a config/archives/extra-ppas.list.chroot \
+config/archives/extra-ppas.list.binary
+cp -a config/archives/extra-ppas.key.chroot \
+config/archives/extra-ppas.key.binary
 fi
 # cribbed from cdimage, perhaps this should be a small helper script in germinate?
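Review bot: An empty `extra_ppa_fingerprint` (get-ppa-fingerprint failing or printing nothing) slips through the mismatch check, because `got_fingerprint` is then empty as well and the two empty strings compare equal, while the `deb` line has already been appended; unless the script runs under `set -e` (not visible in this hunk) the archive ends up enabled with no key, so guard right after the assignment: `[ "$extra_ppa_fingerprint" ] || { echo "no signing-key fingerprint for $extra_ppa" >&2; exit 1; }`. The key is fetched over plain hkp://, so this fingerprint comparison is what binds the downloaded key to the one Launchpad publishes, which is worth stating above the `if`: `# The keyserver is untrusted; the Launchpad-published fingerprint is the trust anchor.` `grep '^fpr:'` also matches every fpr record, and if gpg lists subkey fingerprints too (this varies by gpg version) `got_fingerprint` becomes multi-line and can never equal the single expected value; `grep '^fpr:' | head -n 1` would restrict the comparison to the primary key. `rm -rf "$gpg_tmpdir"` is skipped on the `exit 1` path, which a `trap 'rm -rf "$gpg_tmpdir"' EXIT` after the `mktemp -d` would cover, provided the script does not already set an EXIT trap elsewhere.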