[arch-releng] [RFC 1/4] [archiso] Add gpg to the image and optionally create a keyring

Dave Reisner d at falconindy.com
Sat Feb 13 01:24:25 UTC 2016


On Sat, Feb 13, 2016 at 01:08:48AM +0100, Thomas Bächler wrote:
> If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file
> descriptor and its contents will be used to create a keyring in the initramfs in /gpg.
> ---
>  archiso/initcpio/install/archiso | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso
> index 300dfef..715120b 100644
> --- a/archiso/initcpio/install/archiso
> +++ b/archiso/initcpio/install/archiso
> @@ -14,11 +14,16 @@ build() {
>      add_binary losetup
>      add_binary mountpoint
>      add_binary truncate
> +    add_binary gpg
>  
>      add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
>      add_file /usr/lib/udev/rules.d/10-dm.rules
>      add_file /usr/lib/udev/rules.d/95-dm-notify.rules
>      add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
> +    if [[ $ARCHISO_GNUPG_FD ]]; then
> +        mkdir -p $BUILDROOT$dest/gpg

quote "$BUILDROOT$dest/gpg"

> +        eval "cat <&$ARCHISO_GNUPG_FD" | gpg --homedir $BUILDROOT$dest/gpg --import

why not just:

  gpg --homedir "$BUILDROOT$dest/gpg" --import <&$ARCHISO_GNUPG_FD

This is run by bash, so order of evaluation is sane. As is, your eval is
not safe, and will break under a variety of circumstances (the simplest of
which is whitespace in the $BUILDROOT).

> +    fi
>  }
>  
>  # vim: set ft=sh ts=4 sw=4 et:
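Review bot: the new `if [[ $ARCHISO_GNUPG_FD ]]` block both leaves `$BUILDROOT$dest/gpg` unquoted (in `mkdir -p` and in `--homedir`) and passes an unvalidated environment variable through `eval "cat <&$ARCHISO_GNUPG_FD"`, so a build root containing whitespace splits the path and any non-numeric value in the variable is evaluated as shell text rather than rejected. Suggest dropping the eval and the pipe in favour of a plain redirect with quoting, e.g. `gpg --homedir "$BUILDROOT$dest/gpg" --import <&"$ARCHISO_GNUPG_FD"`, and tightening the guard to accept only a digit string (e.g. `[[ $ARCHISO_GNUPG_FD =~ ^[0-9]+$ ]]`) so a malformed value fails loudly at build time instead of being interpreted. Worth a comment in the block, too, that gpg will populate the new homedir with a trustdb and related files that end up in the image.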
> -- 
> 2.6.3

