[arch-projects] [devtools] [PATCH 0/2] makechrootpkg: Allow signing packages inside chroot
This pair of patches works to allow makepkg to sign packages inside makechrootpkg; something that while perhaps not useful for the Arch packaging toolchain itself, is immensely helpful to getting all of us unofficial packagers in the community doing both signed packages and clean builds. The first patch adds an option to makechrootpkg that translates into --setenv on systemd-nspawn; the second passes necessary variables through sudo over to makepkg and thus to gpg. To make it all work, call makechrootpkg (or the appropriate archbuild alias) with the following arguments: -d "$HOME/.gnupg/S.gpg-agent:/build/.gnupg/S.gpg-agent" -e "DISPLAY=$DISPLAY" -e "GPG_TTY=$(tty)" This will pass the agent socket into the chroot, tell gpg where to tell the agent to start the pinentry, and works quite well both in X and on the terminal. --- Patrick Burroughs (Celti) (2): allow passing --setenv to nspawn let sudo pass DISPLAY and GPG_TTY to builduser makechrootpkg.in | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) -- 2.8.2
---
 makechrootpkg.in | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 9cb25fc..1ef89a4 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -26,6 +26,7 @@ declare -i ret=0
 bindmounts_ro=()
 bindmounts_rw=()
+setenv=()
 copy=$USER
 [[ -n $SUDO_USER ]] && copy=$SUDO_USER
@@ -53,6 +54,7 @@ usage() {
 echo '-c Clean the chroot before building'
 echo '-d <dir> Bind directory into build chroot as read-write'
 echo '-D <dir> Bind directory into build chroot as read-only'
+ echo '-e <var> Set an environment variable inside the chroot'
 echo '-u Update the working copy of the chroot before building'
 echo ' This is useful for rebuilds without dirtying the pristine'
 echo ' chroot'
@@ -134,7 +136,7 @@ install_packages() {
 cp "$install_pkg" "$copydir/$pkgname"
 arch-nspawn "$copydir" \
- "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" "${setenv[@]}" \
 pacman -U /$pkgname --noconfirm
 (( ret += !! $? ))
@@ -313,11 +315,12 @@ move_products() {
 orig_argv=("$@")
-while getopts 'hcur:I:l:nTD:d:' arg; do
+while getopts 'hcur:I:l:nTD:d:e:' arg; do
 case "$arg" in
 c) clean_first=true ;;
 D) bindmounts_ro+=(--bind-ro="$OPTARG") ;;
 d) bindmounts_rw+=(--bind="$OPTARG") ;;
+ e) setenv+=(--setenv="$OPTARG") ;;
 u) update_first=true ;;
 r) passeddir="$OPTARG" ;;
 I) install_pkgs+=("$OPTARG") ;;
@@ -379,7 +382,7 @@ load_vars /etc/makepkg.conf
 create_chroot
 $update_first && arch-nspawn "$copydir" \
- "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" "${setenv[@]}" \
 pacman -Syu --noconfirm
 [[ -n ${install_pkgs[*]} ]] && install_packages
@@ -391,7 +394,7 @@ prepare_chroot
 if arch-nspawn "$copydir" \
 --bind-ro="$PWD:/startdir_host" \
 --bind-ro="$SRCDEST:/srcdest_host" \
- "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" \
+ "${bindmounts_ro[@]}" "${bindmounts_rw[@]}" "${setenv[@]}" \
 /chrootbuild
 then
 move_products
-- 
2.8.2
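Review bot: The new `e)` arm in the getopts hunk forwards `$OPTARG` to `--setenv` unchecked, and the usage line documents the option as `-e <var>`, so a bare name such as `-e DISPLAY` is accepted by the script and only rejected later by systemd-nspawn, which (per its manual) expects a NAME=VALUE assignment. Validate at parse time and document the form: `echo '-e <var>=<value> Set an environment variable inside the chroot'` and `e) [[ $OPTARG == ?*=* ]] || usage; setenv+=(--setenv="$OPTARG") ;;` (usage appears to be the existing error path, but the arm that handles bad options lies outside the hunk, so confirm). Two caveats worth a comment next to `setenv=()`: the value lands on the arch-nspawn command line and is therefore visible to other local users via ps, so `-e` must never carry a passphrase or token — the bound agent socket from the cover letter is the right channel for signing material — and `${setenv[@]}` is also appended to the `pacman -Syu` and `pacman -U` invocations, where it is unneeded though presumably harmless. The getopts loop continues past the end of the hunk.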
This requires the previous patch to enable -e/--setenv to work, and allows with the appropriate flags to sign packages within the chroot.
---
 makechrootpkg.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/makechrootpkg.in b/makechrootpkg.in
index 1ef89a4..5acc6d4 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -206,7 +206,7 @@ prepare_chroot() {
 if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then
 cat > "$copydir/etc/sudoers.d/builduser-pacman" <<EOF
-Defaults env_keep += "HOME"
+Defaults env_keep += "HOME DISPLAY GPG_TTY"
 builduser ALL = NOPASSWD: /usr/bin/pacman
 EOF
 chmod 440 "$copydir/etc/sudoers.d/builduser-pacman"
-- 
2.8.2
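Review bot: The edited heredoc sits under `if [[ ! -f $copydir/etc/sudoers.d/builduser-pacman ]]; then`, so any chroot copy created before this patch keeps the old `env_keep += "HOME"`, sudo there still strips DISPLAY and GPG_TTY, and signing may fail with no obvious cause until the copy is rebuilt. Since the heredoc is constant, the simplest fix is to write it unconditionally: drop the `if` line and its matching `fi` (the `fi` is outside the hunk) and let `cat >` plus `chmod 440` run on every prepare_chroot. A comment above the heredoc would also help the next maintainer: `# DISPLAY and GPG_TTY let gpg inside makepkg reach the host pinentry through the bound agent socket; this file applies to every sudo by builduser, so never keep variables that carry secrets.` Note too — inferred from the cover letter rather than this hunk — that binding the host gpg-agent socket into the chroot lets anything the PKGBUILD runs as builduser request signatures while the passphrase is cached, so a chroot used this way should only build trusted sources. The enclosing prepare_chroot function starts and ends outside the hunk.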