[arch-dev-public] [PATCH 0/2] dbscripts patches for package signatures
These patches upload a detached gpg signature file with a package if available. I'd like comments on where the signature should be generated. I was thinking at the end of makechrootpkg, but before upload could also work. Note that the future makepkg implementation for automatic signing is probably not appropriate for use as that would require gpg and a keyring in the chroot.

Allan McRae (2):
  Be less generic with package extension
  Upload package signature file if available

 commitpkg | 11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

-- 
1.7.4.1
Arch only uses .gz and .xz packages so look for .pkg.tar.?z. This prevents matching potential detached signature files. Signed-off-by: Allan McRae <allan@archlinux.org> --- commitpkg | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/commitpkg b/commitpkg index ab57a61..390f99e 100755 --- a/commitpkg +++ b/commitpkg @@ -108,8 +108,8 @@ echo 'done' for _arch in ${arch[@]}; do for _pkgname in ${pkgname[@]}; do - pkgfile=$(getpkgfile "$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.* 2>/dev/null) - pkgdestfile=$(getpkgfile "$PKGDEST/$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.* 2>/dev/null) + pkgfile=$(getpkgfile "$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.?z 2>/dev/null) + pkgdestfile=$(getpkgfile "$PKGDEST/$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.?z 2>/dev/null) if [ ! -f "$pkgfile" -a -f "$pkgdestfile" ]; then pkgfile="$pkgdestfile" -- 1.7.4.1
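Review bot: the `?z` glob fixes the `.sig` collision, but it still trusts that the directory holds exactly one compression of the package; if both a `.gz` and an `.xz` build are present the pattern expands to two files, and the `2>/dev/null` on the `getpkgfile` call discards whatever it reports, so `pkgfile` can end up empty or wrong with no message before the `-f` check runs. Consider dropping the redirection or testing the result explicitly, and defining the accepted suffixes once (the same `.pkg.tar.?z` pattern is now written out twice in this hunk) so a later change to the package extension is a single edit.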
On Sat, Mar 12, 2011 at 9:24 PM, Allan McRae <allan@archlinux.org> wrote:
Arch only uses .gz and .xz packages so look for .pkg.tar.?z. This prevents matching potential detached signature files.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
And might as well patch this one on right away, it has no ill effects.
---
 commitpkg | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/commitpkg b/commitpkg index ab57a61..390f99e 100755 --- a/commitpkg +++ b/commitpkg @@ -108,8 +108,8 @@ echo 'done'
for _arch in ${arch[@]}; do for _pkgname in ${pkgname[@]}; do - pkgfile=$(getpkgfile "$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.* 2>/dev/null) - pkgdestfile=$(getpkgfile "$PKGDEST/$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.* 2>/dev/null) + pkgfile=$(getpkgfile "$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.?z 2>/dev/null) + pkgdestfile=$(getpkgfile "$PKGDEST/$_pkgname-$pkgver-$pkgrel-${_arch}".pkg.tar.?z 2>/dev/null)
if [ ! -f "$pkgfile" -a -f "$pkgdestfile" ]; then pkgfile="$pkgdestfile" -- 1.7.4.1
Signed-off-by: Allan McRae <allan@archlinux.org> --- commitpkg | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) diff --git a/commitpkg b/commitpkg index 390f99e..5bf8d65 100755 --- a/commitpkg +++ b/commitpkg @@ -117,9 +117,16 @@ for _arch in ${arch[@]}; do echo "skipping ${_arch}" continue 2 fi + + if [ ! -f "$pkgfile.sig" ]; then + echo "WARNING: No package signature found" + fi echo -n 'uploading ' rsync -p --chmod 'ug=rw,o=r' -c -h -L --progress $rsyncopts --partial "${pkgfile}" -e ssh "$server:staging/$repo/${pkgfile##*/}" || abort + if [ -f "$pkgfile.sig" ]; then + rsync -p --chmod 'ug=rw,o=r' -c -h -L --progress $rsyncopts --partial "${pkgfile}.sig" -e ssh "$server:staging/$repo/${pkgfile##*/}.sig" || abort + fi done archrelease $repo-${_arch} || abort done -- 1.7.4.1
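Review bot: the `.sig` handling only tests that the file exists; a stale signature left beside a rebuilt package of the same `pkgver-pkgrel` passes `[ -f "$pkgfile.sig" ]` and is uploaded, where it will fail verification downstream. Running `gpg --verify "$pkgfile.sig" "$pkgfile"` before the upload and aborting on failure is cheap and catches that. Two smaller points: the missing-signature branch only prints `WARNING: No package signature found` and carries on, so if signed packages are the goal this should probably `abort` or require an explicit override rather than scroll past in an upload log; and the second `rsync` repeats the first one's options verbatim and runs only after the package has already landed in staging, so a failure between the two leaves an unsigned package there. Passing both sources to a single `rsync` invocation removes the duplication and narrows that window.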
On Sat, Mar 12, 2011 at 9:24 PM, Allan McRae <allan@archlinux.org> wrote:
Signed-off-by: Allan McRae <allan@archlinux.org>
---
 commitpkg | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/commitpkg b/commitpkg index 390f99e..5bf8d65 100755 --- a/commitpkg +++ b/commitpkg @@ -117,9 +117,16 @@ for _arch in ${arch[@]}; do echo "skipping ${_arch}" continue 2 fi + + if [ ! -f "$pkgfile.sig" ]; then + echo "WARNING: No package signature found" + fi
echo -n 'uploading ' rsync -p --chmod 'ug=rw,o=r' -c -h -L --progress $rsyncopts --partial "${pkgfile}" -e ssh "$server:staging/$repo/${pkgfile##*/}" || abort + if [ -f "$pkgfile.sig" ]; then + rsync -p --chmod 'ug=rw,o=r' -c -h -L --progress $rsyncopts --partial "${pkgfile}.sig" -e ssh "$server:staging/$repo/${pkgfile##*/}.sig" || abort + fi
This is silly- rsync can take multiple SRC arguments (and why aren't our args all at the end?).
rsync ... ${pkgfile} ${sigfile} .... and define sigfile to the empty string or the sigfile filename above depending on whether it exists.
done archrelease $repo-${_arch} || abort done -- 1.7.4.1
On 13/03/11 13:24, Allan McRae wrote:
I'd like comments on where the signature should be generated. I was thinking at the end of makechrootpkg, but before upload could also work. Note that the future makepkg implementation for automatic signing is probably not appropriate for use as that would require gpg and a keyring in the chroot.
More thinking about this... the package signing probably can not be too linked to building (i.e. not in makechrootpkg) as that might be on an external build server (which should not have private keys on it). So I guess that it should be done at the time of upload.

Allan
On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae <allan@archlinux.org> wrote:
On 13/03/11 13:24, Allan McRae wrote:
I'd like comments on where the signature should be generated. I was thinking at the end of makechrootpkg, but before upload could also work.
Note that the future makepkg implementation for automatic signing is probably not appropriate for use as that would require gpg and a keyring in the chroot.

Is this a bad thing? Does it drag in a lot of deps?
More thinking about this... the package signing probably can not be too linked to building (i.e. not in makechrootpkg) as that might be on an external build server (which should not have private keys on it). So I guess that it should be done at the time of upload.
"probably can not be too linked" - someone is hedging their words. :) I agree that it shouldn't have to be linked, but making it easy to generate as part of the build process is something that we shouldn't forget. However, in the case of building it elsewhere, is it that bad, iff they are using a key protected by a passphrase? When someone builds remotely, and you say "done at time of upload", do you really copy it back locally before uploading it? Or how is pushing off the time of signing going to help here?

-Dan
On 17/03/11 11:14, Dan McGee wrote:
On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae<allan@archlinux.org> wrote:
On 13/03/11 13:24, Allan McRae wrote:
I'd like comments on where the signature should be generated. I was thinking at the end of makechrootpkg, but before upload could also work.
Note that the future makepkg implementation for automatic signing is probably not appropriate for use as that would require gpg and a keyring in the chroot.

Is this a bad thing? Does it drag in a lot of deps?
Not a lot of deps given pacman will pull them in eventually for gpg support. It is more having to set-up your keyring in every chroot that I was concerned about.
More thinking about this... the package signing probably can not be too linked to building (i.e. not in makechrootpkg) as that might be on an external build server (which should not have private keys on it). So I guess that it should be done at the time of upload.
"probably can not be too linked" - someone is hedging their words. :)
I agree that it shouldn't have to be linked, but making it easy to generate as part of the build process is something that we shouldn't forget. However, in the case of building it elsewhere, is it that bad, iff they are using a key protected by a passphrase?
I am hedging ever so slightly... I would not be putting my gpg key on a server where other people have access, even with a strong passphrase.
When someone builds remotely, and you say "done at time of upload", do you really copy it back locally before uploading it? Or how is pushing off the time of signing going to help here?
Well, copying the package locally needs to be done to test the package anyway... Anyway, at this stage, I think we just need to get something that "works" happening. The entire process can be adjusted or added to later as real world usage dictates.

Allan
On Wed, Mar 16, 2011 at 8:31 PM, Allan McRae <allan@archlinux.org> wrote:
On 17/03/11 11:14, Dan McGee wrote:
On Sat, Mar 12, 2011 at 9:57 PM, Allan McRae<allan@archlinux.org> wrote:
On 13/03/11 13:24, Allan McRae wrote:
I'd like comments on where the signature should be generated. I was thinking at the end of makechrootpkg, but before upload could also work.
Note that the future makepkg implementation for automatic signing is probably not appropriate for use as that would require gpg and a keyring in the chroot.
Is this a bad thing? Does it drag in a lot of deps?
Not a lot of deps given pacman will pull them in eventually for gpg support. It is more having to set-up your keyring in every chroot that I was concerned about.
I feel like this is something that can be done in makechrootpkg without too much hassle, no? Just a cp into the chroot.
More thinking about this... the package signing probably can not be too linked to building (i.e. not in makechrootpkg) as that might be on an external build server (which should not have private keys on it). So I guess that it should be done at the time of upload.
"probably can not be too linked" - someone is hedging their words. :)
I agree that it shouldn't have to be linked, but making it easy to generate as part of the build process is something that we shouldn't forget. However, in the case of building it elsewhere, is it that bad, iff they are using a key protected by a passphrase?
I am hedging ever so slightly... I would not be putting my gpg key on a server where other people have access, even with a strong passphrase.
OK. Let's operate on this assumption then and find a solution that works for it.
When someone builds remotely, and you say "done at time of upload", do you really copy it back locally before uploading it? Or how is pushing off the time of signing going to help here?
Well, copying the package locally needs to be done to test the package anyway...
Oh yeah....testing. Who does that? For something like xxx-data, I feel like this has the possibility of getting unwieldy, although I see no good way around this.
Anyway, at this stage, I think we just need to get something that "works" happening. The entire process can be adjusted or added to later as real world usage dictates.
Agreed. We might want to take a look at this: http://packages.debian.org/lenny/devscripts Notably: cowpoke, debsign and see how they do things.

-Dan
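The pieces the thread settles on, as an added example that is not part of the dbscripts patches or of either poster's code: the tightened `.pkg.tar.?z` glob from PATCH 1/2, Dan's one-call rsync source list carrying the optional detached `.sig`, and a sign-at-upload step so the private key stays on the developer's machine rather than a build host. `find_pkgfile`, `upload_sources`, `sign_if_missing`, `demo` and the `foo-1.0-1-x86_64` sample files are constructed for this illustration; dbscripts' own `getpkgfile` is not used.

```shell
#!/bin/sh
# Added example, not part of the dbscripts patches or of either poster's code.
# It exercises three things from the thread: the tightened '.pkg.tar.?z' glob
# (PATCH 1/2), a single rsync source list that carries the optional detached
# signature (Dan's suggestion for PATCH 2/2), and signing at upload time so the
# private key never has to live on a build host (Allan's conclusion).
# Function names and the foo-1.0-1-x86_64 sample files are constructed here;
# dbscripts' getpkgfile is not used.

# find_pkgfile DIR NAME VER REL ARCH
# Prints the one package file NAME-VER-REL-ARCH.pkg.tar.?z inside DIR.
# '?z' admits .gz and .xz and rejects ...pkg.tar.xz.sig, which the older
# '.pkg.tar.*' pattern would also have matched. Fails loudly instead of
# guessing when nothing or more than one file matches.
find_pkgfile() {
    dir=$1 name=$2 ver=$3 rel=$4 arch=$5
    set -- "$dir/$name-$ver-$rel-$arch".pkg.tar.?z
    if [ ! -f "$1" ]; then
        echo "error: no package for $name-$ver-$rel-$arch in $dir" >&2
        return 1
    fi
    if [ $# -ne 1 ]; then
        echo "error: $# package files match $name-$ver-$rel-$arch in $dir" >&2
        return 2
    fi
    printf '%s\n' "$1"
}

# upload_sources PKGFILE
# Prints the rsync source list, one path per line: the package, then its
# detached signature when one sits beside it. A missing signature is reported
# on stderr (the WARNING from PATCH 2/2) but does not stop the listing.
upload_sources() {
    pkgfile=$1
    if [ -f "$pkgfile.sig" ]; then
        sigfile="$pkgfile.sig"
    else
        sigfile=""
        echo "WARNING: No package signature found for ${pkgfile##*/}" >&2
    fi
    # ${sigfile:+"$sigfile"} expands to nothing when sigfile is empty, so the
    # list has exactly one or two entries and never a blank line.
    printf '%s\n' "$pkgfile" ${sigfile:+"$sigfile"}
}

# sign_if_missing PKGFILE KEYID
# Sign-at-upload step: create the detached signature with the developer's own
# key, then verify it against the package before anything is pushed. The
# verify also catches a stale .sig left beside a rebuilt package.
# Needs gpg and a usable secret key, so the demo below does not call it.
sign_if_missing() {
    pkgfile=$1 keyid=$2
    if [ ! -f "$pkgfile.sig" ]; then
        gpg --batch --local-user "$keyid" --detach-sign \
            --output "$pkgfile.sig" "$pkgfile" || return 1
    fi
    gpg --batch --verify "$pkgfile.sig" "$pkgfile"
}

# demo: constructed package directory showing why the glob had to change.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/foo-1.0-1-x86_64.pkg.tar.xz"
    : > "$tmp/foo-1.0-1-x86_64.pkg.tar.xz.sig"
    set -- "$tmp"/foo-1.0-1-x86_64.pkg.tar.*
    echo "old glob '.pkg.tar.*' matched $# file(s)"      # 2: package and .sig
    pkg=$(find_pkgfile "$tmp" foo 1.0 1 x86_64) || return 1
    echo "new glob '.pkg.tar.?z' matched: ${pkg##*/}"
    echo "rsync sources:"
    upload_sources "$pkg" | sed 's/^/  /'
    rm -rf "$tmp"
}
```

Call `demo` to see the two globs side by side; in a real upload the list printed by `upload_sources` would be passed as the SRC arguments of one `rsync` call, so the package and its signature land in staging together, and `sign_if_missing` would run just before that with the uploader's key id.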