Merge remote-tracking branch 'nl6720/gpg-sender'

* nl6720/gpg-sender:
  .gitlab/ci/build_archiso.sh: use mkarchiso's -G option
  mkarchiso: support setting gpg sender
  mkarchiso: add some sane gpg options to override those set in user's gpg.conf
David Runge 2021-08-24 23:27:17 +02:00
commit 019f5aaeb6
No known key found for this signature in database
GPG Key ID: 7258734B41C31549
2 changed files with 23 additions and 8 deletions


@ -199,6 +199,8 @@ EOF
| awk -F':' '{if($1 ~ /sec/){ print $5 }}' | awk -F':' '{if($1 ~ /sec/){ print $5 }}'
)" )"
pgp_sender="Arch Linux Release Engineering (Ephemeral Signing Key) <arch-releng@lists.archlinux.org>"
print_section_end "ephemeral_pgp_key" print_section_end "ephemeral_pgp_key"
} }
@ -240,6 +242,7 @@ run_mkarchiso() {
-D "${install_dir}" \ -D "${install_dir}" \
-c "${codesigning_cert} ${codesigning_key}" \ -c "${codesigning_cert} ${codesigning_key}" \
-g "${pgp_key_id}" \ -g "${pgp_key_id}" \
-G "${pgp_sender}" \
-o "${output}/" \ -o "${output}/" \
-w "${tmpdir}/" \ -w "${tmpdir}/" \
-m "${buildmode}" \ -m "${buildmode}" \
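Review bot: The new `-G "${pgp_sender}"` argument in run_mkarchiso has to agree with a user ID of the ephemeral key selected by `-g "${pgp_key_id}"` — the gpg manual describes `--sender` as naming the signing key's user ID to embed in the signature — yet the two values are set in different places: the key is generated above this hunk (outside what is shown) and `pgp_sender` is a hard-coded literal in the earlier hunk. If the UID used at key generation is ever edited without updating the literal, the build would presumably fail or embed a signer that does not match the key. I would add a comment next to the `pgp_sender=` assignment, `# must match the user ID given to gpg when the ephemeral key is generated above`, or derive the value from the generated key instead of duplicating it. run_mkarchiso starts and ends outside the hunk.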


@ -19,6 +19,7 @@ quiet=""
work_dir="" work_dir=""
out_dir="" out_dir=""
gpg_key="" gpg_key=""
gpg_sender=""
iso_name="" iso_name=""
iso_label="" iso_label=""
iso_publisher="" iso_publisher=""
@ -88,7 +89,10 @@ usage: ${app_name} [options] <profile_dir>
Multiple files are provided as quoted, space delimited list. Multiple files are provided as quoted, space delimited list.
The first file is considered as the signing certificate, The first file is considered as the signing certificate,
the second as the key. the second as the key.
-g <gpg_key> Set the PGP key ID to be used for signing the rootfs image -g <gpg_key> Set the PGP key ID to be used for signing the rootfs image.
Passed to gpg as the value for --default-key
-G <mbox> Set the PGP signer (must include an email address)
Passed to gpg as the value for --sender
-h This message -h This message
-m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot'). -m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot').
Multiple build modes are provided as quoted, space delimited list. Multiple build modes are provided as quoted, space delimited list.
@ -119,6 +123,7 @@ _show_config() {
_msg_info " Current build mode: ${buildmode}" _msg_info " Current build mode: ${buildmode}"
_msg_info " Build modes: ${buildmodes[*]}" _msg_info " Build modes: ${buildmodes[*]}"
_msg_info " GPG key: ${gpg_key:-None}" _msg_info " GPG key: ${gpg_key:-None}"
_msg_info " GPG signer: ${gpg_sender:-None}"
_msg_info "Code signing certificates: ${cert_list[*]}" _msg_info "Code signing certificates: ${cert_list[*]}"
_msg_info " Profile: ${profile}" _msg_info " Profile: ${profile}"
_msg_info "Pacman configuration file: ${pacman_conf}" _msg_info "Pacman configuration file: ${pacman_conf}"
@ -238,15 +243,19 @@ _mkchecksum() {
# GPG sign the root file system image. # GPG sign the root file system image.
_mksignature() { _mksignature() {
local airootfs_image_filename gpg_options=()
_msg_info "Signing rootfs image..." _msg_info "Signing rootfs image..."
cd -- "${isofs_dir}/${install_dir}/${arch}"
# always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
fi fi
cd -- "${OLDPWD}" rm -f -- "${airootfs_image_filename}.sig"
# Add gpg sender option if the value is provided
[[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
# always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
--default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}"
_msg_info "Done!" _msg_info "Done!"
} }
@ -1109,6 +1118,7 @@ _set_overrides() {
install_dir="${app_name}" install_dir="${app_name}"
fi fi
[[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key" [[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
[[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
if [[ -v override_cert_list ]]; then if [[ -v override_cert_list ]]; then
sign_netboot_artifacts="y" sign_netboot_artifacts="y"
fi fi
@ -1126,7 +1136,8 @@ _set_overrides() {
} }
_export_gpg_publickey() { _export_gpg_publickey() {
gpg --batch --output "${work_dir}/pubkey.gpg" --export "${gpg_key}" rm -f -- "${work_dir}/pubkey.gpg"
gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
} }
_make_version() { _make_version() {
@ -1258,7 +1269,7 @@ _build() {
done done
} }
while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do
case "${arg}" in case "${arg}" in
p) read -r -a override_pkg_list <<< "${OPTARG}" ;; p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
C) override_pacman_conf="${OPTARG}" ;; C) override_pacman_conf="${OPTARG}" ;;
@ -1271,6 +1282,7 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
m) read -r -a override_buildmodes <<< "${OPTARG}" ;; m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
o) override_out_dir="${OPTARG}" ;; o) override_out_dir="${OPTARG}" ;;
g) override_gpg_key="${OPTARG}" ;; g) override_gpg_key="${OPTARG}" ;;
G) override_gpg_sender="${OPTARG}" ;;
v) override_quiet="n" ;; v) override_quiet="n" ;;
h|?) _usage 0 ;; h|?) _usage 0 ;;
*) *)
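Review bot: In _mksignature, `airootfs_image_filename` stays empty when neither airootfs.sfs nor airootfs.erofs exists, so the new unconditional `rm -f -- "${airootfs_image_filename}.sig"` would delete a file literally named `.sig` in the current directory and gpg would then be invoked with an empty input path; the replaced code only ran gpg inside the matching branch. Add a guard before the `rm`, e.g. `[[ -n "${airootfs_image_filename}" ]] || return 1` (or the script's usual error helper, if it has one), so a missing rootfs image fails loudly rather than half-way through. The added `--batch --no-armor --no-include-key-block` flags are a sensible hardening against a user's gpg.conf; as I read the gpg manual, the `--sender` mbox is expected to correspond to a user ID of the key given with `-g`, which is worth stating in the `-G` usage text since it currently only says "must include an email address".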