Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Runge <dvzrv@archlinux.org>2021-08-24 23:27:17 +0200
committerDavid Runge <dvzrv@archlinux.org>2021-08-24 23:27:17 +0200
commit019f5aaeb6a8903a96adbaeb6eba10d479a1c91a (patch)
treefabce631a161b94bf6ec2286823b8dd0c60def9f
parentd3caf6f3a1d7055d788d8abda3f162c83f67ca48 (diff)
parent3c6cdb1469dddbb617fe29b14c57e1fff6a43240 (diff)
Merge remote-tracking branch 'nl6720/gpg-sender'
* nl6720/gpg-sender: .gitlab/ci/build_archiso.sh: use mkarchiso's -G option mkarchiso: support setting gpg sender mkarchiso: add some sane gpg options to override those set in user's gpg.conf
-rwxr-xr-x.gitlab/ci/build_archiso.sh3
-rwxr-xr-xarchiso/mkarchiso28
2 files changed, 23 insertions, 8 deletions
diff --git a/.gitlab/ci/build_archiso.sh b/.gitlab/ci/build_archiso.sh
index 8a6f92f..5250b51 100755
--- a/.gitlab/ci/build_archiso.sh
+++ b/.gitlab/ci/build_archiso.sh
@@ -199,6 +199,8 @@ EOF
| awk -F':' '{if($1 ~ /sec/){ print $5 }}'
)"
+ pgp_sender="Arch Linux Release Engineering (Ephemeral Signing Key) <arch-releng@lists.archlinux.org>"
+
print_section_end "ephemeral_pgp_key"
}
@@ -240,6 +242,7 @@ run_mkarchiso() {
-D "${install_dir}" \
-c "${codesigning_cert} ${codesigning_key}" \
-g "${pgp_key_id}" \
+ -G "${pgp_sender}" \
-o "${output}/" \
-w "${tmpdir}/" \
-m "${buildmode}" \
diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 267804a..a77d3d9 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -19,6 +19,7 @@ quiet=""
work_dir=""
out_dir=""
gpg_key=""
+gpg_sender=""
iso_name=""
iso_label=""
iso_publisher=""
@@ -88,7 +89,10 @@ usage: ${app_name} [options] <profile_dir>
Multiple files are provided as quoted, space delimited list.
The first file is considered as the signing certificate,
the second as the key.
- -g <gpg_key> Set the PGP key ID to be used for signing the rootfs image
+ -g <gpg_key> Set the PGP key ID to be used for signing the rootfs image.
+ Passed to gpg as the value for --default-key
+ -G <mbox> Set the PGP signer (must include an email address)
+ Passed to gpg as the value for --sender
-h This message
-m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot').
Multiple build modes are provided as quoted, space delimited list.
@@ -119,6 +123,7 @@ _show_config() {
_msg_info " Current build mode: ${buildmode}"
_msg_info " Build modes: ${buildmodes[*]}"
_msg_info " GPG key: ${gpg_key:-None}"
+ _msg_info " GPG signer: ${gpg_sender:-None}"
_msg_info "Code signing certificates: ${cert_list[*]}"
_msg_info " Profile: ${profile}"
_msg_info "Pacman configuration file: ${pacman_conf}"
@@ -238,15 +243,19 @@ _mkchecksum() {
# GPG sign the root file system image.
_mksignature() {
+ local airootfs_image_filename gpg_options=()
_msg_info "Signing rootfs image..."
- cd -- "${isofs_dir}/${install_dir}/${arch}"
- # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
- gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
- gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
fi
- cd -- "${OLDPWD}"
+ rm -f -- "${airootfs_image_filename}.sig"
+ # Add gpg sender option if the value is provided
+ [[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
+ # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
+ gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
+ --default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}"
_msg_info "Done!"
}
@@ -1109,6 +1118,7 @@ _set_overrides() {
install_dir="${app_name}"
fi
[[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
+ [[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
if [[ -v override_cert_list ]]; then
sign_netboot_artifacts="y"
fi
@@ -1126,7 +1136,8 @@ _set_overrides() {
}
_export_gpg_publickey() {
- gpg --batch --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
+ rm -f -- "${work_dir}/pubkey.gpg"
+ gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
}
_make_version() {
@@ -1258,7 +1269,7 @@ _build() {
done
}
-while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
+while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do
case "${arg}" in
p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
C) override_pacman_conf="${OPTARG}" ;;
@@ -1271,6 +1282,7 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
o) override_out_dir="${OPTARG}" ;;
g) override_gpg_key="${OPTARG}" ;;
+ G) override_gpg_sender="${OPTARG}" ;;
v) override_quiet="n" ;;
h|?) _usage 0 ;;
*)