mkarchiso: support setting gpg sender

Add a new -G option to set gpg's --sender. This makes it possible to see who signed the rootfs image without needing to import the gpg key from the keyring in the initramfs.
nl6720 2021-08-03 21:12:25 +03:00
parent ea9572b98e
commit 59dffcf11a
No known key found for this signature in database
GPG Key ID: 5CE88535E188D369


@ -19,6 +19,7 @@ quiet=""
work_dir="" work_dir=""
out_dir="" out_dir=""
gpg_key="" gpg_key=""
gpg_sender=""
iso_name="" iso_name=""
iso_label="" iso_label=""
iso_publisher="" iso_publisher=""
@ -88,7 +89,10 @@ usage: ${app_name} [options] <profile_dir>
Multiple files are provided as quoted, space delimited list. Multiple files are provided as quoted, space delimited list.
The first file is considered as the signing certificate, The first file is considered as the signing certificate,
the second as the key. the second as the key.
-g <gpg_key> Set the PGP key ID to be used for signing the rootfs image -g <gpg_key> Set the PGP key ID to be used for signing the rootfs image.
Passed to gpg as the value for --default-key
-G <mbox> Set the PGP signer (must include an email address)
Passed to gpg as the value for --sender
-h This message -h This message
-m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot'). -m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot').
Multiple build modes are provided as quoted, space delimited list. Multiple build modes are provided as quoted, space delimited list.
@ -119,6 +123,7 @@ _show_config() {
_msg_info " Current build mode: ${buildmode}" _msg_info " Current build mode: ${buildmode}"
_msg_info " Build modes: ${buildmodes[*]}" _msg_info " Build modes: ${buildmodes[*]}"
_msg_info " GPG key: ${gpg_key:-None}" _msg_info " GPG key: ${gpg_key:-None}"
_msg_info " GPG signer: ${gpg_sender:-None}"
_msg_info "Code signing certificates: ${cert_list[*]}" _msg_info "Code signing certificates: ${cert_list[*]}"
_msg_info " Profile: ${profile}" _msg_info " Profile: ${profile}"
_msg_info "Pacman configuration file: ${pacman_conf}" _msg_info "Pacman configuration file: ${pacman_conf}"
@ -238,7 +243,7 @@ _mkchecksum() {
# GPG sign the root file system image. # GPG sign the root file system image.
_mksignature() { _mksignature() {
local airootfs_image_filename local airootfs_image_filename gpg_options=()
_msg_info "Signing rootfs image..." _msg_info "Signing rootfs image..."
if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
@ -246,9 +251,11 @@ _mksignature() {
airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
fi fi
rm -f -- "${airootfs_image_filename}.sig" rm -f -- "${airootfs_image_filename}.sig"
# Add gpg sender option if the value is provided
[[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
# always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \ gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
--default-key "${gpg_key}" "${airootfs_image_filename}" --default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}"
_msg_info "Done!" _msg_info "Done!"
} }
@ -1111,6 +1118,7 @@ _set_overrides() {
install_dir="${app_name}" install_dir="${app_name}"
fi fi
[[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key" [[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
[[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
if [[ -v override_cert_list ]]; then if [[ -v override_cert_list ]]; then
sign_netboot_artifacts="y" sign_netboot_artifacts="y"
fi fi
@ -1261,7 +1269,7 @@ _build() {
done done
} }
while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do
case "${arg}" in case "${arg}" in
p) read -r -a override_pkg_list <<< "${OPTARG}" ;; p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
C) override_pacman_conf="${OPTARG}" ;; C) override_pacman_conf="${OPTARG}" ;;
@ -1274,6 +1282,7 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
m) read -r -a override_buildmodes <<< "${OPTARG}" ;; m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
o) override_out_dir="${OPTARG}" ;; o) override_out_dir="${OPTARG}" ;;
g) override_gpg_key="${OPTARG}" ;; g) override_gpg_key="${OPTARG}" ;;
G) override_gpg_sender="${OPTARG}" ;;
v) override_quiet="n" ;; v) override_quiet="n" ;;
h|?) _usage 0 ;; h|?) _usage 0 ;;
*) *)
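Review bot: The comment above the `gpg_options+=('--sender' "${gpg_sender}")` line in `_mksignature` should record what the embedded signer ID does and does not guarantee, since the commit message presents it as a way to see who signed the image without importing the key: the user ID that `--sender` places in the signature is only a claim until the detached signature has been verified against the signer's public key, so a consumer must not treat it as an identity assertion on its own. I would extend the comment to `# Add gpg sender option if the value is provided; the embedded signer ID is informational only and is trustworthy solely after the signature itself has been verified`. The usage text says the value must include an email address, yet `_set_overrides` copies `override_gpg_sender` into `gpg_sender` unchecked, so a malformed value is reported only by gpg at signing time; a guard such as `[[ "${gpg_sender}" == *@* ]]` next to that override would fail earlier with a clearer message. If the script runs under `set -u`, note that expanding an empty `"${gpg_options[@]}"` is rejected by bash releases older than 4.4, which is presumably irrelevant on the target system but worth a comment. `_set_overrides` and the `getopts` loop both continue outside their hunks.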