[arch-releng] [RFC 4/4] [configs/releng] Optionally sign the squashfs files with gpg and add the gpg key to the initramfs
Thomas Bächler
thomas at archlinux.org
Sat Feb 13 00:08:51 UTC 2016
A new option -g <keyid> is added to build.sh to set the key id. If it is set, the squashfs files will be signed
by gpg and the gpg key will be added to archiso.img. In order to use this option, a gpg agent must be running.
Since build.sh is executed as root, it may be necessary to set the GNUPGHOME environment variable, for
example
$ su -c "GNUPGHOME=/home/youruser/.gnupg /path/to/build.sh -g yourkeyid"
---
configs/releng/build.sh | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/configs/releng/build.sh b/configs/releng/build.sh
index b0306cc..3d699b5 100755
--- a/configs/releng/build.sh
+++ b/configs/releng/build.sh
@@ -79,7 +79,14 @@ make_setup_mkinitcpio() {
cp /usr/lib/initcpio/install/archiso_kms ${work_dir}/${arch}/airootfs/etc/initcpio/install
cp /usr/lib/initcpio/archiso_shutdown ${work_dir}/${arch}/airootfs/etc/initcpio
cp ${script_path}/mkinitcpio.conf ${work_dir}/${arch}/airootfs/etc/mkinitcpio-archiso.conf
- setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run
+ gnupg_fd=
+ if [[ ${gpg_key} ]]; then
+ gpg --export ${gpg_key} >${work_dir}/gpgkey
+ exec 17<>${work_dir}/gpgkey
+ gnupg_fd=17
+ fi
+ ARCHISO_GNUPG_FD=${gnupg_fd} setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run
+ [[ ${gnupg_fd} ]] && eval "exec ${gnupg_fd}<&-"
}
# Customize installation (airootfs)
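Review bot: The export on the added line `gpg --export ${gpg_key} >${work_dir}/gpgkey` is not checked, so a mistyped key id can leave an empty `gpgkey` file that is still passed on through fd 17, and a short id or user-id string may match several keys, which would then presumably all be embedded in archiso.img as trusted. I would quote the expansions and stop the build on an empty export, e.g. `gpg --export "${gpg_key}" >"${work_dir}/gpgkey"` followed by `[[ -s "${work_dir}/gpgkey" ]] || exit 1`, and say in the usage text that -g expects a full fingerprint. Because the descriptor number is fixed, the close can be a plain `exec 17<&-` with no `eval`, and `17<` should be enough if the hook only reads the key. make_setup_mkinitcpio begins outside this hunk.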
@@ -197,7 +204,7 @@ make_efiboot() {
make_prepare() {
cp -a -l -f ${work_dir}/${arch}/airootfs ${work_dir}
setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" pkglist
- setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" prepare
+ setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" ${gpg_key:+-g ${gpg_key}} prepare
rm -rf ${work_dir}/airootfs
# rm -rf ${work_dir}/${arch}/airootfs (if low space, this helps)
}
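Review bot: `${gpg_key:+-g ${gpg_key}}` leaves the key id unquoted, so a value containing whitespace or glob characters (a user-id string rather than a hex id, for example) is split into extra mkarchiso arguments. Quoting only the inner expansion keeps `-g` and the id as exactly two words: `${gpg_key:+-g "${gpg_key}"}`. The other unquoted expansions on this line are pre-existing and not part of the change.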
@@ -217,7 +224,7 @@ if [[ ${arch} != x86_64 ]]; then
_usage 1
fi
-while getopts 'N:V:L:D:w:o:vh' arg; do
+while getopts 'N:V:L:D:w:o:g:vh' arg; do
case "${arg}" in
N) iso_name="${OPTARG}" ;;
V) iso_version="${OPTARG}" ;;
@@ -225,6 +232,7 @@ while getopts 'N:V:L:D:w:o:vh' arg; do
D) install_dir="${OPTARG}" ;;
w) work_dir="${OPTARG}" ;;
o) out_dir="${OPTARG}" ;;
+ g) gpg_key="${OPTARG}" ;;
v) verbose="-v" ;;
h) _usage 0 ;;
*)
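Review bot: `gpg_key` is assigned only in the new `g)` arm and no hunk gives it a default, so a `gpg_key` variable inherited from the caller's environment would apparently turn signing on with a key the operator did not choose. Adding `gpg_key=` next to the script's other defaults closes that. The diffstat's 11 insertions are fully accounted for by the hunks shown, so `_usage` is not updated either and the help output presumably does not list `-g <keyid>`; a line for it there would help. The defaults and `_usage` themselves are outside the hunks, so their exact form is not visible here.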
--
2.6.3