[arch-releng] [RFC 0/4] Add gpg signature verification for the squashfs image
I have recently been working on a better and more robust netboot setup. One change is that booting via netboot needs to be secure, i.e. all files need to be verified. One crucial step in this setup is that the squashfs image is verified before the archiso initramfs tries to mount it. This patchset adds a new verify=y option that forces archiso to verify the signature of the squashfs image.

In order to build an image with squashfs signatures:

1) Make sure gpg-agent is running for your user before starting the build process.
2) Run su -c "GNUPGHOME=/home/youruser/.gnupg /path/to/build.sh -g yourkeyid"
If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file descriptor and its contents will be used to create a keyring in the initramfs in /gpg. --- archiso/initcpio/install/archiso | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso index 300dfef..715120b 100644 --- a/archiso/initcpio/install/archiso +++ b/archiso/initcpio/install/archiso @@ -14,11 +14,16 @@ build() { add_binary losetup add_binary mountpoint add_binary truncate + add_binary gpg add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/10-dm.rules add_file /usr/lib/udev/rules.d/95-dm-notify.rules add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules + if [[ $ARCHISO_GNUPG_FD ]]; then + mkdir -p $BUILDROOT$dest/gpg + eval "cat <&$ARCHISO_GNUPG_FD" | gpg --homedir $BUILDROOT$dest/gpg --import + fi } # vim: set ft=sh ts=4 sw=4 et: -- 2.6.3
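Review bot: both `mkdir -p $BUILDROOT$dest/gpg` and `--homedir $BUILDROOT$dest/gpg` in the added block are unquoted, so a build root containing whitespace or glob characters is split into several arguments and the keyring is created somewhere other than the initramfs; quote them as `"$BUILDROOT$dest/gpg"`. The `eval "cat <&$ARCHISO_GNUPG_FD" | gpg ...` is also unnecessary: `<&$ARCHISO_GNUPG_FD` is a redirection word that bash expands before opening it, so `gpg --homedir "$BUILDROOT$dest/gpg" --import <&$ARCHISO_GNUPG_FD` reads the key directly without handing a string taken from the environment to eval. Finally, the exit status of `gpg --import` is ignored: if the import fails the image is still built, with an empty /gpg, and the error only shows up later as a failed `verify=y` boot.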
On Sat, Feb 13, 2016 at 01:08:48AM +0100, Thomas Bächler wrote:
If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file descriptor and its contents will be used to create a keyring in the initramfs in /gpg. --- archiso/initcpio/install/archiso | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso index 300dfef..715120b 100644 --- a/archiso/initcpio/install/archiso +++ b/archiso/initcpio/install/archiso @@ -14,11 +14,16 @@ build() { add_binary losetup add_binary mountpoint add_binary truncate + add_binary gpg
add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/10-dm.rules add_file /usr/lib/udev/rules.d/95-dm-notify.rules add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules + if [[ $ARCHISO_GNUPG_FD ]]; then + mkdir -p $BUILDROOT$dest/gpg
quote "$BUILDROOT$dest/gpg"
+ eval "cat <&$ARCHISO_GNUPG_FD" | gpg --homedir $BUILDROOT$dest/gpg --import
why not just: gpg --homedir "$BUILDROOT$dest/gpg" --import <&$ARCHISO_GNUPG_FD This is run by bash, so order of evaluation is sane. As is, your eval is not safe, and will break under a variety of circumstances (the simplest of which is whitespace in the $BUILDROOT).
+ fi }
# vim: set ft=sh ts=4 sw=4 et: -- 2.6.3
On 13.02.2016 at 02:24, Dave Reisner wrote:
On Sat, Feb 13, 2016 at 01:08:48AM +0100, Thomas Bächler wrote:
If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file descriptor and its contents will be used to create a keyring in the initramfs in /gpg. --- archiso/initcpio/install/archiso | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso index 300dfef..715120b 100644 --- a/archiso/initcpio/install/archiso +++ b/archiso/initcpio/install/archiso @@ -14,11 +14,16 @@ build() { add_binary losetup add_binary mountpoint add_binary truncate + add_binary gpg
add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/10-dm.rules add_file /usr/lib/udev/rules.d/95-dm-notify.rules add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules + if [[ $ARCHISO_GNUPG_FD ]]; then + mkdir -p $BUILDROOT$dest/gpg
quote "$BUILDROOT$dest/gpg"
Ok.
+ eval "cat <&$ARCHISO_GNUPG_FD" | gpg --homedir $BUILDROOT$dest/gpg --import
why not just:
gpg --homedir "$BUILDROOT$dest/gpg" --import <&$ARCHISO_GNUPG_FD
This is run by bash, so order of evaluation is sane. As is, your eval is not safe, and will break under a variety of circumstances (the simplest of which is whitespace in the $BUILDROOT).
The exec calls to open and close file descriptors don't seem to work without eval, but this one seems fine. I don't quite understand what the difference is though.
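The parsing difference Thomas asks about, as an added shell example written for this page; it is not code from the archiso patches or their authors. Plain files and `cat` stand in for the exported key and `gpg --import`, descriptor number 17 is used as build.sh does, and the key text, file names and the build-root path with a space (the quoting problem Dave raised) are all constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from the archiso patches or their authors.
# Reproduces two points from the patch 1/4 review with stand-ins:
#   - plain files and `cat` replace the exported key and `gpg --import`
#   - descriptor 17 is used as build.sh does; the key text, file names
#     and the build-root path with a space are constructed for this demo
# Runs under POSIX sh or bash.

KEY_BYTES='-----BEGIN PGP PUBLIC KEY BLOCK----- (constructed stand-in)'

# Producer side (build.sh): write the "exported key" to $1, open it on
# fd 17 and publish the number. 17 is a literal here, so the parser sees
# "17<" as a redirection operator and no eval is needed.
open_keyfile() {
    printf '%s\n' "$KEY_BYTES" >"$1"
    exec 17<"$1"
    ARCHISO_GNUPG_FD=17
    export ARCHISO_GNUPG_FD
}

# Consumer side (install hook): read the key through the inherited fd.
# In `<&$ARCHISO_GNUPG_FD` the operator is "<&" and the fd is the word
# after it, which the shell expands before performing the redirection.
# That is why patch v2 can drop the eval here.
import_from_fd() {
    cat <&$ARCHISO_GNUPG_FD
}

# Closing a descriptor whose number is in a variable. Without eval,
#     exec $fd<&-
# is parsed as: command "exec", argument "17", redirection "<&-" on fd 0.
# The shell closes stdin and then tries to run a program named "17",
# which fails. The subshell keeps the failed exec from ending this script.
close_fd_without_eval() {
    ( exec $1<&- ) 2>/dev/null
}

# eval re-parses the expanded text "exec 17<&-", so "17<&-" is now a
# redirection that closes fd 17. This is what build.sh v2 does; bash 4.1+
# could use `exec {fd}<file` / `exec {fd}<&-` instead and avoid both eval
# and the fixed number.
close_fd_with_eval() {
    eval "exec $1<&-"
}

# True if fd $1 is open: duplicating a closed fd fails before ':' runs.
fd_is_open() {
    ( : <&$1 ) 2>/dev/null
}

# Dave's quoting point. With BUILDROOT="<scratch>/work dir" the unquoted
# `mkdir -p $BUILDROOT$dest/gpg` is split into two arguments, "<scratch>/work"
# and "dir/usr/lib/initcpio/gpg" (relative to the cwd), so the keyring
# directory is never created where the initramfs is assembled.
# $1 = BUILDROOT, $2 = dest, $3 = quoted | unquoted
make_gpg_homedir() {
    if [ "$3" = quoted ]; then
        mkdir -p "$1$2"/gpg
    else
        mkdir -p $1$2/gpg
    fi
}

demo() {
    scratch=$(mktemp -d) || return 1
    open_keyfile "$scratch/gpgkey"
    printf 'read through fd %s: %s\n' "$ARCHISO_GNUPG_FD" "$(import_from_fd)"
    if close_fd_without_eval "$ARCHISO_GNUPG_FD"; then
        echo 'unexpected: exec $fd<&- succeeded'
    else
        echo 'exec $fd<&- failed: the shell looked for a command named 17'
    fi
    fd_is_open "$ARCHISO_GNUPG_FD" && echo 'fd 17 is still open'
    close_fd_with_eval "$ARCHISO_GNUPG_FD"
    fd_is_open "$ARCHISO_GNUPG_FD" || echo 'fd 17 closed via eval'
    (
        cd "$scratch" || exit 1
        root="$scratch/work dir"
        make_gpg_homedir "$root" /usr/lib/initcpio unquoted
        [ -d "$root/usr/lib/initcpio/gpg" ] || echo "unquoted mkdir missed: $root/usr/lib/initcpio/gpg"
        make_gpg_homedir "$root" /usr/lib/initcpio quoted
        [ -d "$root/usr/lib/initcpio/gpg" ] && echo "quoted mkdir created: $root/usr/lib/initcpio/gpg"
    )
    rm -rf "$scratch"
}

demo
```

The two halves are independent: the redirection word after `<&` is expanded like any other word, so a variable fd works in `cmd <&$FD` everywhere; only a redirection whose fd number itself comes from a variable (`exec $FD<&-`) needs eval or the bash `{varname}` form.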
If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file descriptor and its contents will be used to create a keyring in the initramfs in /gpg. --- archiso/initcpio/install/archiso | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso index 300dfef..90bb9bc 100644 --- a/archiso/initcpio/install/archiso +++ b/archiso/initcpio/install/archiso @@ -14,11 +14,16 @@ build() { add_binary losetup add_binary mountpoint add_binary truncate + add_binary gpg add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/10-dm.rules add_file /usr/lib/udev/rules.d/95-dm-notify.rules add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules + if [[ $ARCHISO_GNUPG_FD ]]; then + mkdir -p "$BUILDROOT$dest"/gpg + gpg --homedir "$BUILDROOT$dest"/gpg --import <&$ARCHISO_GNUPG_FD + fi } # vim: set ft=sh ts=4 sw=4 et: -- 2.6.3
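Review bot: the quoting is fixed, but `gpg --homedir "$BUILDROOT$dest"/gpg --import <&$ARCHISO_GNUPG_FD` still runs unchecked. A closed or wrong descriptor number, an unreadable key or a key gpg refuses to import leaves /gpg without the signer's key while the build succeeds, and the problem only surfaces when every `verify=y` boot fails; the hook should abort the build when `gpg --import` returns non-zero (and ideally when the keyring is empty afterwards). Two smaller points: `$ARCHISO_GNUPG_FD` comes from the environment and is not checked to be a plain fd number before it is used in the redirection, and `gpg --import` into a fresh homedir also creates trustdb.gpg, which ships inside the initramfs alongside the keyring.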
A new option -g <keyid> is added to build.sh set the key id. If it is set, the squashfs files will be signed by gpg and the gpg key will be added to archiso.img. In order to use this option, a gpg agent must be running. Since build.sh is executed as root, it may be necessary to set the GNUPGHOME environment variable, for example $ su -c "GNUPGHOME=/home/youruser/.gnupg /path/to/build.sh -g yourkeyid" --- configs/releng/build.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/configs/releng/build.sh b/configs/releng/build.sh index b0306cc..ad2f994 100755 --- a/configs/releng/build.sh +++ b/configs/releng/build.sh @@ -79,7 +79,15 @@ make_setup_mkinitcpio() { cp /usr/lib/initcpio/install/archiso_kms ${work_dir}/${arch}/airootfs/etc/initcpio/install cp /usr/lib/initcpio/archiso_shutdown ${work_dir}/${arch}/airootfs/etc/initcpio cp ${script_path}/mkinitcpio.conf ${work_dir}/${arch}/airootfs/etc/mkinitcpio-archiso.conf - setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run + gnupg_fd= + if [[ ${gpg_key} ]]; then + gpg --export ${gpg_key} >${work_dir}/gpgkey + exec 17<>${work_dir}/gpgkey + fi + ARCHISO_GNUPG_FD=${gpg_key:+17} setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run + if [[ ${gpg_key} ]]; then + exec 17<&- + fi } # Customize installation (airootfs) 
@@ -197,7 +205,7 @@ make_efiboot() { make_prepare() { cp -a -l -f ${work_dir}/${arch}/airootfs ${work_dir} setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" pkglist - setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" prepare + setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" ${gpg_key:+-g ${gpg_key}} prepare rm -rf ${work_dir}/airootfs # rm -rf ${work_dir}/${arch}/airootfs (if low space, this helps) } @@ -217,7 +225,7 @@ if [[ ${arch} != x86_64 ]]; then _usage 1 fi -while getopts 'N:V:L:D:w:o:vh' arg; do +while getopts 'N:V:L:D:w:o:g:vh' arg; do case "${arg}" in N) iso_name="${OPTARG}" ;; V) iso_version="${OPTARG}" ;; @@ -225,6 +233,7 @@ while getopts 'N:V:L:D:w:o:vh' arg; do D) install_dir="${OPTARG}" ;; w) work_dir="${OPTARG}" ;; o) out_dir="${OPTARG}" ;; + g) gpg_key="${OPTARG}" ;; v) verbose="-v" ;; h) _usage 0 ;; *) -- 2.6.3
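Review bot: in the `make_setup_mkinitcpio` hunk `gnupg_fd=` is assigned and never read; the descriptor number 17 is hard-coded three times instead (`exec 17<>`, `${gpg_key:+17}`, `exec 17<&-`), so the variable should either drive all three or be dropped. `gpg --export ${gpg_key} >${work_dir}/gpgkey` is also unchecked and `${gpg_key}` is an unquoted, user-supplied search pattern: a short key ID or a user-ID string that matches several keys exports all of them, and every exported key ends up in the initramfs keyring built by patch 1/4; require a full fingerprint (or check that exactly one key was exported) and abort on a non-zero exit or an empty `${work_dir}/gpgkey`. `exec 17<>` opens the key file read-write where `<` suffices, since it is only read.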
On 02/12/16 21:08, Thomas Bächler wrote:
If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file descriptor and its contents will be used to create a keyring in the initramfs in /gpg. --- archiso/initcpio/install/archiso | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso index 300dfef..715120b 100644 --- a/archiso/initcpio/install/archiso +++ b/archiso/initcpio/install/archiso @@ -14,11 +14,16 @@ build() { add_binary losetup add_binary mountpoint add_binary truncate + add_binary gpg
add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/10-dm.rules add_file /usr/lib/udev/rules.d/95-dm-notify.rules add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules + if [[ $ARCHISO_GNUPG_FD ]]; then + mkdir -p $BUILDROOT$dest/gpg + eval "cat <&$ARCHISO_GNUPG_FD" | gpg --homedir $BUILDROOT$dest/gpg --import + fi }
# vim: set ft=sh ts=4 sw=4 et:
Not directly related to this: we are getting closer to filling up the "efiboot.img" (used for El Torito in EFI); inside this FAT-FS image (31M) is archiso.img. Last time I checked (1/Feb) there was around 1M free.
On 15.02.2016 at 14:14, Gerardo Exequiel Pozzi wrote:
Not directly related to this: we are getting closer to filling up the "efiboot.img" (used for El Torito in EFI); inside this FAT-FS image (31M) is archiso.img. Last time I checked (1/Feb) there was around 1M free.
Is El Torito the only way to boot from CD? Can't we access the CD drive directly in EFI? In any case, I consider CD booting irrelevant with EFI, since USB ports are more common than CD drives and making a bootable USB only means copying the files onto it. About the patches themselves, any comments? You can pull them via git directly from https://han.bchlr.de/git/public/archiso, branch verify.
On 02/15/16 15:08, Thomas Bächler wrote:
On 15.02.2016 at 14:14, Gerardo Exequiel Pozzi wrote:
Not directly related to this: we are getting closer to filling up the "efiboot.img" (used for El Torito in EFI); inside this FAT-FS image (31M) is archiso.img. Last time I checked (1/Feb) there was around 1M free.
Is El Torito the only way to boot from CD? Can't we access the CD drive directly in EFI? In any case, I consider CD booting irrelevant with EFI, since USB ports are more common than CD drives and making a bootable USB only means copying the files onto it.
The standard way, yes. Some firmwares provide an extension to read ISO9660-FS directly. Sure, personally I have not used any DVD/CD in years!
About the patches themselves, any comments? You can pull them via git directly from https://han.bchlr.de/git/public/archiso, branch verify.
I will look at this next weekend. Why is the signature stored inside the initramfs file? Why not outside, like the checksum file?
On 15.02.2016 at 19:40, Gerardo Exequiel Pozzi wrote:
About the patches themselves, any comments? You can pull them via git directly from https://han.bchlr.de/git/public/archiso, branch verify.
I will look at this next weekend.
Why is the signature stored inside the initramfs file? Why not outside, like the checksum file?
It is not, it is stored with the squashfs image.
On 15.02.2016 at 22:21, Thomas Bächler wrote:
Gerardo, what about pulling these changes so we can get the verification into the March image?
On 02/27/16 11:14, Thomas Bächler wrote:
Gerardo, what about pulling these changes so we can get the verification into the March image?
OK Thomas, I did not have time to test this these days, personally busy (UPS dead, debit card blocked by security, too much!). It looks like https://han.bchlr.de/git/public/archiso is not valid; any other place to pull? Thanks.
On 27.02.2016 at 16:31, Gerardo Exequiel Pozzi wrote:
OK Thomas,
I did not have time to test this these days, personally busy (UPS dead, debit card blocked by security, too much!).
It looks like https://han.bchlr.de/git/public/archiso is not valid; any other place to pull?
Works just fine. You just need to use git to access it, not a web browser. Anyway, I uploaded it here as well: https://github.com/brain0/archiso/commits/verify
On 02/28/16 18:46, Thomas Bächler wrote:
Works just fine. You just need to use git to access it, not a web browser. Anyway, I uploaded it here as well:
Thanks. Anyway, I merged from the emails. I built it, tested a signed .sfs, and it works fine. Now archiso-24 is ready in the repos for the next 2016.03 ;) Nice job.
--- archiso/initcpio/hooks/archiso | 24 ++++++++++++++++++++++++ archiso/initcpio/hooks/archiso_pxe_http | 3 +++ archiso/initcpio/install/archiso | 1 + 3 files changed, 28 insertions(+) diff --git a/archiso/initcpio/hooks/archiso b/archiso/initcpio/hooks/archiso index fb76327..b78f4db 100644 --- a/archiso/initcpio/hooks/archiso +++ b/archiso/initcpio/hooks/archiso @@ -105,6 +105,15 @@ _verify_checksum() { return ${_status} } +_verify_signature() { + local _status + cd "/run/archiso/bootmnt/${archisobasedir}/${arch}" + gpg --homedir /gpg --status-fd 1 --verify airootfs.sfs.sig 2>/dev/null | grep -qE '^\[GNUPG:\] GOODSIG' + _status=$? + cd "${OLDPWD}" + return ${_status} +} + run_hook() { [[ -z "${arch}" ]] && arch="$(uname -m)" [[ -z "${copytoram_size}" ]] && copytoram_size="75%" @@ -159,6 +168,21 @@ archiso_mount_handler() { fi fi + if [[ "${verify}" == "y" ]]; then + if [[ -f "/run/archiso/bootmnt/${archisobasedir}/${arch}/airootfs.sfs.sig" ]]; then + msg -n ":: Signature verification requested, please wait..." + if _verify_signature; then + msg "done. Signature is OK, continue booting." + else + echo "ERROR: one or more files are corrupted" + launch_interactive_shell + fi + else + echo "ERROR: verify=y option specified but ${archisobasedir}/${arch}/airootfs.sfs.sig not found" + launch_interactive_shell + fi + fi + if [[ "${copytoram}" == "y" ]]; then msg ":: Mounting /run/archiso/copytoram (tmpfs) filesystem, size=${copytoram_size}" mkdir -p /run/archiso/copytoram diff --git a/archiso/initcpio/hooks/archiso_pxe_http b/archiso/initcpio/hooks/archiso_pxe_http index e36fa21..909ac78 100644 --- a/archiso/initcpio/hooks/archiso_pxe_http +++ b/archiso/initcpio/hooks/archiso_pxe_http 
@@ -39,6 +39,9 @@ archiso_pxe_http_mount_handler () { if [[ "${checksum}" == "y" ]]; then _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.md5" "/${arch}" fi + if [[ "${verify}" == "y" ]]; then + _curl_get "${archiso_http_srv}${archisobasedir}/${arch}/airootfs.sfs.sig" "/${arch}" + fi mkdir -p "/run/archiso/bootmnt" mount -o bind /run/archiso/httpspace /run/archiso/bootmnt diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso index 715120b..b955dee 100644 --- a/archiso/initcpio/install/archiso +++ b/archiso/initcpio/install/archiso @@ -15,6 +15,7 @@ build() { add_binary mountpoint add_binary truncate add_binary gpg + add_binary grep add_file /usr/lib/udev/rules.d/60-cdrom_id.rules add_file /usr/lib/udev/rules.d/10-dm.rules -- 2.6.3
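Review bot: in the `archiso_mount_handler` hunk both failure branches call `launch_interactive_shell` and then fall through: when that shell exits, execution continues with the copytoram and mount code that follows, and the unverified airootfs.sfs is mounted anyway. That mirrors the checksum path, but for `verify=y` a missing or failed signature should stop the boot (loop on the shell or halt) rather than merely pause it. The message `ERROR: one or more files are corrupted` is also copied from the checksum path and misleading here; say that the signature did not verify, and consider printing gpg's status line (BADSIG, NO_PUBKEY, EXPKEYSIG) instead of sending stderr to /dev/null. The `GOODSIG` match in `_verify_signature` is correct as far as it goes: gpg reports expired or revoked keys as EXPKEYSIG/REVKEYSIG rather than GOODSIG, so those are rejected, and whatever is in `/gpg` is the complete trust anchor. Worth documenting next to the option: `verify=y` is read from the kernel command line, so it only protects a netboot when the kernel, initramfs and command line are themselves authenticated (signed bootloader, trusted PXE configuration); an attacker who can serve a modified squashfs can otherwise also serve a configuration without `verify=y`.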
A new option -g <keyid> is added to set the key id. The squashfs files are only signed if this option is set. --- archiso/mkarchiso | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 44f0c4a..a183d34 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -18,6 +18,7 @@ work_dir="work" out_dir="out" sfs_mode="sfs" sfs_comp="xz" +gpg_key= # Show an INFO message # $1: message string @@ -253,6 +254,14 @@ _mkchecksum () { _msg_info "Done!" } +_mksignature () { + _msg_info "Creating signature file..." + cd "${work_dir}/iso/${install_dir}/${arch}" + gpg --detach-sign --default-key ${gpg_key} airootfs.sfs + cd ${OLDPWD} + _msg_info "Done!" +} + command_pkglist () { _show_config pkglist @@ -319,6 +328,7 @@ command_prepare () { _mkairootfs_img fi _mkchecksum + [[ ${gpg_key} ]] && _mksignature } # Install packages on airootfs. @@ -355,7 +365,7 @@ if [[ ${EUID} -ne 0 ]]; then _msg_error "This script must be run as root." 1 fi -while getopts 'p:r:C:L:P:A:D:w:o:s:c:vh' arg; do +while getopts 'p:r:C:L:P:A:D:w:o:s:c:g:vh' arg; do case "${arg}" in p) pkg_list="${pkg_list} ${OPTARG}" ;; r) run_cmd="${OPTARG}" ;; @@ -368,6 +378,7 @@ while getopts 'p:r:C:L:P:A:D:w:o:s:c:vh' arg; do o) out_dir="${OPTARG}" ;; s) sfs_mode="${OPTARG}" ;; c) sfs_comp="${OPTARG}" ;; + g) gpg_key="${OPTARG}" ;; v) quiet="n" ;; h|?) _usage 0 ;; *) -- 2.6.3
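Review bot: `_mksignature` does not check the exit status of `gpg --detach-sign --default-key ${gpg_key} airootfs.sfs`. When signing fails (no agent reachable from the root build, no usable pinentry, a key ID with no matching secret key) the function still prints "Done!" and `command_prepare` goes on to produce an ISO whose initramfs carries the key but which has no airootfs.sfs.sig, so `verify=y` fails at boot instead of the build failing here. Abort on non-zero exit, and prefer `-u`/`--local-user` to `--default-key`, which a `local-user` setting in the signer's gpg.conf overrides. `${gpg_key}` and `${OLDPWD}` should be quoted, and `[[ ${gpg_key} ]] && _mksignature` as the last statement makes `command_prepare` return 1 for every unsigned build, which matters if its status is ever checked.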
A new option -g <keyid> is added to build.sh set the key id. If it is set, the squashfs files will be signed by gpg and the gpg key will be added to archiso.img. In order to use this option, a gpg agent must be running. Since build.sh is executed as root, it may be necessary to set the GNUPGHOME environment variable, for example $ su -c "GNUPGHOME=/home/youruser/.gnupg /path/to/build.sh -g yourkeyid" --- configs/releng/build.sh | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/configs/releng/build.sh b/configs/releng/build.sh index b0306cc..3d699b5 100755 --- a/configs/releng/build.sh +++ b/configs/releng/build.sh @@ -79,7 +79,14 @@ make_setup_mkinitcpio() { cp /usr/lib/initcpio/install/archiso_kms ${work_dir}/${arch}/airootfs/etc/initcpio/install cp /usr/lib/initcpio/archiso_shutdown ${work_dir}/${arch}/airootfs/etc/initcpio cp ${script_path}/mkinitcpio.conf ${work_dir}/${arch}/airootfs/etc/mkinitcpio-archiso.conf - setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run + gnupg_fd= + if [[ ${gpg_key} ]]; then + gpg --export ${gpg_key} >${work_dir}/gpgkey + exec 17<>${work_dir}/gpgkey + gnupg_fd=17 + fi + ARCHISO_GNUPG_FD=${gnupg_fd} setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run + [[ ${gnupg_fd} ]] && eval "exec ${gnupg_fd}<&-" } # Customize installation (airootfs) 
@@ -197,7 +204,7 @@ make_efiboot() { make_prepare() { cp -a -l -f ${work_dir}/${arch}/airootfs ${work_dir} setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" pkglist - setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" prepare + setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" ${gpg_key:+-g ${gpg_key}} prepare rm -rf ${work_dir}/airootfs # rm -rf ${work_dir}/${arch}/airootfs (if low space, this helps) } @@ -217,7 +224,7 @@ if [[ ${arch} != x86_64 ]]; then _usage 1 fi -while getopts 'N:V:L:D:w:o:vh' arg; do +while getopts 'N:V:L:D:w:o:g:vh' arg; do case "${arg}" in N) iso_name="${OPTARG}" ;; V) iso_version="${OPTARG}" ;; @@ -225,6 +232,7 @@ while getopts 'N:V:L:D:w:o:vh' arg; do D) install_dir="${OPTARG}" ;; w) work_dir="${OPTARG}" ;; o) out_dir="${OPTARG}" ;; + g) gpg_key="${OPTARG}" ;; v) verbose="-v" ;; h) _usage 0 ;; *) -- 2.6.3
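Review bot: the descriptor is still fixed at 17 in the `make_setup_mkinitcpio` hunk and closed through `eval "exec ${gnupg_fd}<&-"`. The eval is needed because `exec ${gnupg_fd}<&-` is parsed as command `exec` with argument `17` and a redirection on fd 0, but bash 4.1+ offers a form that also removes the fixed number: `exec {gnupg_fd}<"${work_dir}/gpgkey"` allocates a free descriptor and stores it in `gnupg_fd`, and `exec {gnupg_fd}<&-` closes it, with no eval involved. `gpg --export ${gpg_key} >${work_dir}/gpgkey` is still not checked for a non-zero exit or an empty result, and the exported key file is left behind in the work directory; `exec 17<>` opens it read-write where `<` suffices, and `${gpg_key:+-g ${gpg_key}}` in the `make_prepare` hunk is unquoted.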
participants (3)
- Dave Reisner
- Gerardo Exequiel Pozzi
- Thomas Bächler