[arch-projects] [PATCH] [devtools] Have signature checking work in chroots
Adjust the mount options for /dev/pts to allow signature checking with gpgme to work. Adjust the various pacman.confs to use "SigLevel = Optional TrustAll" which is the best that can be done automatically with Arch repos at the moment. Signed-off-by: Allan McRae <allan@archlinux.org> --- I'm not sure exactly what other consequences there are from removing "newinstance" from the /dev/pts mount options but this appears to work... mkarchroot.in | 2 +- pacman-extra.conf | 2 -- pacman-multilib-testing.conf | 4 +--- pacman-multilib.conf | 4 +--- pacman-staging.conf | 4 +--- pacman-testing.conf | 4 +--- 6 files changed, 5 insertions(+), 15 deletions(-) diff --git a/mkarchroot.in b/mkarchroot.in index 0debb13..4db3032 100644 --- a/mkarchroot.in +++ b/mkarchroot.in @@ -110,7 +110,7 @@ chroot_mount() { mount -t tmpfs shm "${working_dir}/dev/shm" -o nodev,nosuid,size=128M [ -e "${working_dir}/dev/pts" ] || mkdir "${working_dir}/dev/pts" - mount -t devpts devpts "${working_dir}/dev/pts" -o newinstance,ptmxmode=666 + mount -t devpts devpts "${working_dir}/dev/pts" -o ptmxmode=666 ln -s pts/ptmx "${working_dir}/dev/ptmx" [ -e "${cache_dir}" ] || mkdir -p "${cache_dir}" diff --git a/pacman-extra.conf b/pacman-extra.conf index cdad265..898f9ba 100644 --- a/pacman-extra.conf +++ b/pacman-extra.conf @@ -47,8 +47,6 @@ Architecture = auto # the following line. This will treat any key imported into pacman's keyring as # trusted. SigLevel = Optional TrustAll -# Disable signature checks for now -SigLevel = Never # # REPOSITORIES diff --git a/pacman-multilib-testing.conf b/pacman-multilib-testing.conf index b7e59f6..e2591cf 100644 --- a/pacman-multilib-testing.conf +++ b/pacman-multilib-testing.conf 
@@ -46,9 +46,7 @@ Architecture = auto # If you wish to check signatures but avoid local sign and trust issues, use # the following line. This will treat any key imported into pacman's keyring as # trusted. -#SigLevel = Optional TrustAll -# Disable signature checks for now -SigLevel = Never +SigLevel = Optional TrustAll # # REPOSITORIES diff --git a/pacman-multilib.conf b/pacman-multilib.conf index 709361e..e0dae7b 100644 --- a/pacman-multilib.conf +++ b/pacman-multilib.conf @@ -46,9 +46,7 @@ Architecture = auto # If you wish to check signatures but avoid local sign and trust issues, use # the following line. This will treat any key imported into pacman's keyring as # trusted. -#SigLevel = Optional TrustAll -# Disable signature checks for now -SigLevel = Never +SigLevel = Optional TrustAll # # REPOSITORIES diff --git a/pacman-staging.conf b/pacman-staging.conf index 9d8e23e..ae497d1 100644 --- a/pacman-staging.conf +++ b/pacman-staging.conf @@ -46,9 +46,7 @@ Architecture = auto # If you wish to check signatures but avoid local sign and trust issues, use # the following line. This will treat any key imported into pacman's keyring as # trusted. -#SigLevel = Optional TrustAll -# Disable signature checks for now -SigLevel = Never +SigLevel = Optional TrustAll # # REPOSITORIES diff --git a/pacman-testing.conf b/pacman-testing.conf index 70b0249..8d1b6c5 100644 --- a/pacman-testing.conf +++ b/pacman-testing.conf @@ -46,9 +46,7 @@ Architecture = auto # If you wish to check signatures but avoid local sign and trust issues, use # the following line. This will treat any key imported into pacman's keyring as # trusted. -#SigLevel = Optional TrustAll -# Disable signature checks for now -SigLevel = Never +SigLevel = Optional TrustAll # # REPOSITORIES -- 1.7.7
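Review bot: In the chroot_mount() hunk of mkarchroot.in, dropping `newinstance` from the devpts mount means the chroot no longer gets a private devpts instance, and the note under the commit message says the other consequences of that are not known. Please add a comment above the mount line saying why gpgme needs the shared instance, and confirm the behaviour with two chroots mounted at the same time, since `ptmxmode=666` is kept on what is now a shared mount.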
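Review bot: In the pacman-extra.conf hunk, the deleted "# Disable signature checks for now" line was the only marker that the signature setting is interim, and nothing replaces it next to `SigLevel = Optional TrustAll`. The surviving comment says TrustAll treats any key imported into the keyring as trusted, and `Optional` still accepts unsigned packages, so please add a short comment here (and in the four configs changed the same way) saying this is a temporary level to be tightened once the repos allow it, as the commit message already implies.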
On 15/10/11 20:56, Allan McRae wrote:
Adjust the mount options for /dev/pts to allow signature checking with gpgme to work.
Adjust the various pacman.confs to use "SigLevel = Optional TrustAll" which is the best that can be done automatically with Arch repos at the moment.
Signed-off-by: Allan McRae <allan@archlinux.org> ---
I'm not sure exactly what other consequences there are from removing "newinstance" from the /dev/pts mount options but this appears to work...
mkarchroot.in | 2 +- pacman-extra.conf | 2 -- pacman-multilib-testing.conf | 4 +--- pacman-multilib.conf | 4 +--- pacman-staging.conf | 4 +--- pacman-testing.conf | 4 +--- 6 files changed, 5 insertions(+), 15 deletions(-)
diff --git a/mkarchroot.in b/mkarchroot.in index 0debb13..4db3032 100644 --- a/mkarchroot.in +++ b/mkarchroot.in @@ -110,7 +110,7 @@ chroot_mount() { mount -t tmpfs shm "${working_dir}/dev/shm" -o nodev,nosuid,size=128M
[ -e "${working_dir}/dev/pts" ] || mkdir "${working_dir}/dev/pts" - mount -t devpts devpts "${working_dir}/dev/pts" -o newinstance,ptmxmode=666 + mount -t devpts devpts "${working_dir}/dev/pts" -o ptmxmode=666 ln -s pts/ptmx "${working_dir}/dev/ptmx"
[ -e "${cache_dir}" ] || mkdir -p "${cache_dir}"
So this broke the gcc testsuite (and probably the binutils one too...). Instead, mounting /dev/pts with:
mount --bind /dev/pts "${working_dir}/dev/pts"
allows both the signature checking with pacman to work and the gcc testsuite to run.
Allan
On 27.10.2011 13:57, Allan McRae wrote:
On 15/10/11 20:56, Allan McRae wrote:
Adjust the mount options for /dev/pts to allow signature checking with gpgme to work.
Adjust the various pacman.confs to use "SigLevel = Optional TrustAll" which is the best that can be done automatically with Arch repos at the moment.
So this broke the gcc testsuite (and probably the binutils one too...). Instead, mounting /dev/pts with:
mount --bind /dev/pts "${working_dir}/dev/pts"
allows both the signature checking with pacman to work and the gcc testsuite to run.
I don't like this at first sight. In general I would avoid binding anything from the host into the chroot. Especially since we want to support having several build processes run in parallel. On the other side I am no expert on the pts device; so my concerns might be just invalid.
-- Pierre Schmitz, https://users.archlinux.de/~pierre
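The question this thread leaves open, whether a build chroot's /dev/pts is its own devpts instance or the host's, can be checked from /proc/self/mountinfo. The script below is an added example, not part of the original messages or of devtools; it assumes that separate devpts instances report different major:minor device IDs, and the sample mount table and the /var/lib/archbuild paths are constructed.

```shell
#!/bin/sh
# Classify how a chroot's /dev/pts relates to the host's /dev/pts by
# comparing the major:minor device ID (field 3) in mountinfo lines.

# Constructed sample in /proc/self/mountinfo format (not captured output).
# Chroot "a" shares the host instance, "b" has its own, "c" has no devpts.
SAMPLE_MOUNTINFO='22 18 0:11 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620,ptmxmode=000
71 60 0:11 / /var/lib/archbuild/a/root/dev/pts rw,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
84 60 0:45 / /var/lib/archbuild/b/root/dev/pts rw,relatime - devpts devpts rw,mode=600,ptmxmode=666
90 60 0:30 / /var/lib/archbuild/c/root/dev/shm rw,nosuid,nodev - tmpfs shm rw,size=131072k'

# pts_dev_id MOUNTINFO MOUNTPOINT
# Prints the major:minor of the devpts mounted at MOUNTPOINT, or nothing.
pts_dev_id() {
    printf '%s\n' "$1" | MP="$2" awk '
        {
            # Optional fields (e.g. shared:N) end at the "-" separator;
            # the filesystem type is the field right after it.
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if ($5 == ENVIRON["MP"] && $(i + 1) == "devpts") id = $3
        }
        END { if (id != "") print id }
    '
}

# classify_chroot_pts MOUNTINFO CHROOT_ROOT
# Prints one of: shared | private | missing
classify_chroot_pts() {
    host_id=$(pts_dev_id "$1" /dev/pts)
    chroot_id=$(pts_dev_id "$1" "${2%/}/dev/pts")
    if [ -z "$chroot_id" ]; then
        echo missing     # no devpts mounted inside this chroot
    elif [ "$chroot_id" = "$host_id" ]; then
        echo shared      # same instance as the host, e.g. a bind mount
    else
        echo private     # separate instance, e.g. mounted with newinstance
    fi
}

# Live use: classify_chroot_pts "$(cat /proc/self/mountinfo)" /path/to/chroot
```

A result of `shared` for several chroots at once is the situation the last reply is concerned about: all of them, and the host, allocate ptys from one instance.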