[arch-releng] [RFC 1/4] [archiso] Add gpg to the image and optionally create a keyring

Thomas Bächler thomas at archlinux.org
Sat Feb 13 08:37:18 UTC 2016


On 13.02.2016 at 02:24, Dave Reisner wrote:
> On Sat, Feb 13, 2016 at 01:08:48AM +0100, Thomas Bächler wrote:
>> If the ARCHISO_GNUPG_FD environment variable is set, its contents will be interpreted as an open file
>> descriptor and its contents will be used to create a keyring in the initramfs in /gpg.
>> ---
>>  archiso/initcpio/install/archiso | 5 +++++
>>  1 file changed, 5 insertions(+)
>>
>> diff --git a/archiso/initcpio/install/archiso b/archiso/initcpio/install/archiso
>> index 300dfef..715120b 100644
>> --- a/archiso/initcpio/install/archiso
>> +++ b/archiso/initcpio/install/archiso
>> @@ -14,11 +14,16 @@ build() {
>>      add_binary losetup
>>      add_binary mountpoint
>>      add_binary truncate
>> +    add_binary gpg
>>  
>>      add_file /usr/lib/udev/rules.d/60-cdrom_id.rules
>>      add_file /usr/lib/udev/rules.d/10-dm.rules
>>      add_file /usr/lib/udev/rules.d/95-dm-notify.rules
>>      add_file /usr/lib/initcpio/udev/11-dm-initramfs.rules /usr/lib/udev/rules.d/11-dm-initramfs.rules
>> +    if [[ $ARCHISO_GNUPG_FD ]]; then
>> +        mkdir -p $BUILDROOT$dest/gpg
> 
> quote "$BUILDROOT$dest/gpg"

Ok.

>> +        eval "cat <&$ARCHISO_GNUPG_FD" | gpg --homedir $BUILDROOT$dest/gpg --import
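
Review bot: The guard `if [[ $ARCHISO_GNUPG_FD ]]` only checks that the variable is non-empty, yet the value is then spliced into the string handed to `eval` on the `cat <&$ARCHISO_GNUPG_FD` line, so anything other than a descriptor number is parsed as shell code during the image build. Require digits before using it, for example `[[ $ARCHISO_GNUPG_FD =~ ^[0-9]+$ ]]`. The result of `gpg --import` is also never checked, so a failed import leaves an empty or partial keyring in `$BUILDROOT$dest/gpg` and the build carries on; report the failure instead of continuing.
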
> 
> why not just:
> 
>   gpg --homedir "$BUILDROOT$dest/gpg" --import <&$ARCHISO_GNUPG_FD
> 
> This is run by bash, so order of evaluation is sane. As is, your eval is
> not safe, and will under a variety of circumstances (the simplest of
> which is whitespace in the $BUILDROOT).

The exec calls to open and close file descriptors don't seem to work
without eval, but this one seems fine. I don't quite understand what the
difference is though.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-releng/attachments/20160213/64476aee/attachment.asc>
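
The difference asked about at the end of the message, shown as an added example that is not code from this thread or from archiso: the word after `<&` is expanded by the shell, while the descriptor number in front of a redirection operator is not. The function names, descriptor 8 and the sample data are assumptions made for the illustration.

```sh
#!/bin/sh
# Added illustration; function names, fd 8 and the sample data are assumptions.

# Accept only a plain decimal descriptor number.
is_fd_number() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# Pattern from the patch, kept for comparison: the value is pasted into a
# string that the shell parses a second time, so "8; some-command" runs
# some-command.
read_with_eval() {
    eval "cat <&$1"
}

# No eval needed: the word to the RIGHT of "<&" goes through parameter
# expansion before the redirection is performed.
read_from_fd() {
    is_fd_number "$1" || return 2
    cat <&"$1"
}

# The number to the LEFT of a redirection operator must be literal digits
# when the line is parsed. "exec $1<&-" is read as "exec 8" with stdin
# closed, which is why opening or closing a descriptor held in a variable
# needs eval. The eval is safe here only because the value was validated.
close_fd() {
    is_fd_number "$1" || return 2
    eval "exec $1<&-"
}

# Constructed sample input standing in for exported key material.
exec 8<<'EOF'
constructed key data
EOF
read_from_fd 8
close_fd 8
```

Bash additionally accepts the `{varname}` redirection form, so `exec {fd}<&-` closes the descriptor stored in a variable named `fd` (a hypothetical name) without eval.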

