[arch-releng] [RFC 1/4] [archiso] Add gpg to the image and optionally create a keyring
Dave Reisner
d at falconindy.com
Sat Feb 13 01:24:25 UTC 2016
On Sat, Feb 13, 2016 at 01:08:48AM +0100, Thomas Bächler wrote:
> If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file
> descriptor and its contents will be used to create a keyring in the initramfs in /gpg.
> ---
> archiso/initcpio/install/archiso | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso
> index 300dfef..715120b 100644
> --- a/archiso/initcpio/install/archiso
> +++ b/archiso/initcpio/install/archiso
> @@ -14,11 +14,16 @@ build() {
> add_binary losetup
> add_binary mountpoint
> add_binary truncate
> + add_binary gpg
>
> add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
> add_file /usr/lib/udev/rules.d/10-dm.rules
> add_file /usr/lib/udev/rules.d/95-dm-notify.rules
> add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
> + if [[ $ARCHISO_GNUPG_FD ]]; then
> + mkdir -p $BUILDROOT$dest/gpg
quote "$BUILDROOT$dest/gpg"
> + eval "cat <&$ARCHISO_GNUPG_FD" | gpg --homedir $BUILDROOT$dest/gpg --import
why not just:
gpg --homedir "$BUILDROOT$dest/gpg" --import <&$ARCHISO_GNUPG_FD
This is run by bash, so order of evaluation is sane. As is, your eval is
not safe, and will under a variety of circumstances (the simplest of
which is whitespace in the $BUILDROOT).
> + fi
> }
>
> # vim: set ft=sh ts=4 sw=4 et:
> --
> 2.6.3
More information about the arch-releng
mailing list