From bb528d9f195becdb3b7739171e99db9cfbebe916 Mon Sep 17 00:00:00 2001 From: Chris Lamb Date: Sat, 5 Jul 2008 00:40:20 +0100 Subject: Use a temporary apt key when installing local packages (Closes: #488257) This patch also allows preferring locally provided packages by preferencing repositories with the label 'local-packages' in chroot_apt/preferences. --- helpers/lh_chroot_sources | 78 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 76 insertions(+), 2 deletions(-) diff --git a/helpers/lh_chroot_sources b/helpers/lh_chroot_sources index 42b92ea..d0fc816 100755 --- a/helpers/lh_chroot_sources +++ b/helpers/lh_chroot_sources @@ -31,6 +31,8 @@ Set_defaults # Requiring stage file Require_stagefile .stage/bootstrap +_LH_DUMMY_KEY_EMAIL="live-helper-local-key@dummy" + case "${1}" in install) Echo_message "Configuring file /etc/apt/sources.list" @@ -105,9 +107,75 @@ case "${1}" in # Installing depends Install_package - # Generate Packages.gz + # Generate Packages and Packages.gz echo "cd /root/local-packages && apt-ftparchive packages . > Packages" | Chroot sh - gzip -9 chroot/root/local-packages/Packages + gzip -9 -c chroot/root/local-packages/Packages > chroot/root/local-packages/Packages.gz + + if [ "${LH_APT_SECURE}" = "enabled" ] + then + # Generate Release + echo "cd /root/local-packages && apt-ftparchive \ + -o APT::FTPArchive::Release::Label=local-packages \ + release . > Release" | Chroot sh + + _LH_DOTGNUPG_EXISTED=0 + if [ -d chroot/root/.gnupg ] + then + _LH_DOTGNUPG_EXISTED=1 + fi + + if ls cache/local-package-keyring.* >/dev/null 2>&1 + then + cp cache/local-package-keyring.* chroot/root + else + # Generate temporary key + echo "Key-Type: RSA + Key-Length: 1024 + Subkey-Type: ELG-E + Subkey-Length: 1024 + Name-Real: live-helper local packages key + Name-Email: ${_LH_DUMMY_KEY_EMAIL} + Expire-Date: 0 + %secring /root/local-package-keyring.sec + %pubring /root/local-package-keyring.pub + %commit" | Chroot "gpg --batch --gen-key" || _LH_RET=${?} + + case "${_LH_RET}" in + ""|2) + # Gnupg sometimes seems to return with a status of 2 when there was not + # enough entropy (and key creation blocks temporarily) even if the + # operation was ultimately successful. + ;; + *) + Echo_error "GPG exited with error status ${_LH_RET}" + exit ${_LH_RET} + ;; + esac + + # Save keyrings to avoid regeneration + cp chroot/root/local-package-keyring.* cache/ + fi + + # Sign release + Chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \ + --keyring /root/local-package-keyring.pub -abs -o \ + /root/local-packages/Release.gpg /root/local-packages/Release" + + # Import key + Chroot "gpg --no-default-keyring --secret-keyring /root/local-package-keyring.sec \ + --keyring /root/local-package-keyring.pub --armor \ + --export ${_LH_DUMMY_KEY_EMAIL}" | Chroot "apt-key add -" + + # Remove temporary keyrings + rm chroot/root/local-package-keyring.pub + rm chroot/root/local-package-keyring.sec + + # Remove /root/.gnupg if we created it during the signing process + if [ "${_LH_DOTGNUPG_EXISTED}" -eq 0 ] + then + rm -rf chroot/root/.gnupg + fi + fi # Add to sources.list echo "" >> chroot/etc/apt/sources.list @@ -317,6 +385,12 @@ case "${1}" in # Remove local package repository rm -rf chroot/root/local-packages + # Remove local packages key if it exists + if apt-key list | grep -q ${_LH_DUMMY_KEY_EMAIL} + then + apt-key del ${_LH_DUMMY_KEY_EMAIL} + fi + # Removing stage file rm -f .stage/chroot_sources ;; -- cgit v1.0