diff options
| author | Eli Schwartz <eschwartz@archlinux.org> | 2018-12-01 19:36:23 -0500 |
|---|---|---|
| committer | Erich Eckner <git@eckner.net> | 2019-04-04 10:07:35 +0200 |
| commit | 31c65331207291dbe504f49b54370a26cf25c463 (patch) | |
| tree | 9e669a2b88a3d308dfb08a6ce5f31231e361a767 | |
| parent | ea1874ac2098e029ded3665c68363f077380d32f (diff) | |
| download | devtools32-31c65331207291dbe504f49b54370a26cf25c463.tar.xz | |
arch-nspawn: don't delete the guest gpg configuration
It's important to ensure the guest has up to date data because updating
a chroot after quite some time can potentially rely on updated
archlinux-keyring, something which the host machine either kept up to
date on or manually fixed, but it kills automation to mess around with
chroot configs like that. Alternatively, signed packages added with -I
need to work, and we assume the host is configured to accept these.
That is *not* a good reason to completely nuke whatever is in the guest,
though. A guest might have been manually configured to accept keys which
aren't accepted by the host; one example of this happening in practice,
is archlinux32 when building 32-bit packages from an archlinux host.
A simple solution is to use pacman-key's native facility to dump the
known keys and trust status from one gpg configuration, and import it
into another. Use this to append to, rather than overwrite, the chrooted
guest's pacman keyring.
While we are at it, fix a bug where we didn't respect the host's
pacman.conf settings for the GpgDir. While it isn't wildly likely a user
will choose to customize this, it is a valid and supported use case and
we must think about this ourselves.
| -rw-r--r-- | arch-nspawn.in | 2 | ||||
| -rw-r--r-- | makechrootpkg.in | 3 | ||||
| -rw-r--r-- | mkarchroot.in | 2 |
3 files changed, 7 insertions, 0 deletions
diff --git a/arch-nspawn.in b/arch-nspawn.in index bc2215a..1dd0e49 100644 --- a/arch-nspawn.in +++ b/arch-nspawn.in @@ -87,6 +87,8 @@ copy_hostconf () { printf 'Server = %s\n' "${host_mirrors[@]}" | \ tee "$working_dir/etc/pacman.d/mirrorlist" > \ "$working_dir/etc/pacman.d/mirrorlist32" + gpg --homedir "$working_dir"/etc/pacman.d/gnupg/ --no-permission-warning --quiet --batch --import --import-options import-local-sigs "$(pacman-conf GpgDir)"/pubring.gpg >/dev/null 2>&1 + pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg/ --import-trustdb "$(pacman-conf GpgDir)" >/dev/null 2>&1 [[ -n $pac_conf ]] && cp "$pac_conf" "$working_dir/etc/pacman.conf" [[ -n $makepkg_conf ]] && cp "$makepkg_conf" "$working_dir/etc/makepkg.conf" diff --git a/makechrootpkg.in b/makechrootpkg.in index cf9b965..4d8ca42 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -221,6 +221,9 @@ _chrootbuild() { # shellcheck source=/dev/null . /etc/profile + # otherwise we might have missing keys + pacman-key --populate + # Beware, there are some stupid arbitrary rules on how you can # use "$" in arguments to commands with "sudo -i". ${foo} or # ${1} is OK, but $foo or $1 isn't. diff --git a/mkarchroot.in b/mkarchroot.in index a916f2a..df995a8 100644 --- a/mkarchroot.in +++ b/mkarchroot.in @@ -93,6 +93,8 @@ echo "$CHROOT_VERSION" > "$working_dir/.arch-chroot" systemd-machine-id-setup --root="$working_dir" +pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg --init + exec arch-nspawn \ ${nosetarch:+-s} \ ${pac_conf:+-C "$pac_conf"} \ |