[elbe-devel] [PATCH v2] Fix bin-cdrom.iso signature validation in initvm-create
Olivier Dion
dion at linutronix.de
Thu Jul 16 16:38:48 CEST 2020
The public key of the cdrom signature is exported in repomanager.py, using the
export_key() call, into the bin-cdrom.iso.
This public key is then extracted in init.py and added to the list of
raw keys to generate elbe-keyring.gpg that is used by the installer.
Signed-off-by: Olivier Dion <dion at linutronix.de>
---
elbepack/commands/init.py | 44 ++++++++++++++++++++-------------------
elbepack/egpg.py | 1 -
elbepack/repomanager.py | 4 +---
3 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/elbepack/commands/init.py b/elbepack/commands/init.py
index 834cdfd7..fa63916a 100644
--- a/elbepack/commands/init.py
+++ b/elbepack/commands/init.py
@@ -22,7 +22,7 @@ from elbepack.version import elbe_version
from elbepack.templates import write_template, get_initvm_preseed
from elbepack.directories import init_template_dir, elbe_dir
from elbepack.config import cfg
-from elbepack.shellhelper import command_out, system, do
+from elbepack.shellhelper import command_out, system, do, system_out
from elbepack.log import elbe_logging
from elbepack.filesystem import Filesystem
@@ -225,32 +225,34 @@ def run_command(argv):
shutil.copyfile(args[0],
os.path.join(out_path, "source.xml"))
+
+ keys = []
+ for key in xml.all(".//initvm/mirror/url-list/url/raw-key"):
+ keys.append(key.et.text)
+
if opt.cdrom:
- system('7z x -o%s "%s" elbe-keyring.gpg' % (out_path, opt.cdrom))
- else:
- keys = []
- for key in xml.all(".//initvm/mirror/url-list/url/raw-key"):
- keys.append(key.et.text)
+ cmd = '7z x -so "%s" repo.pub' % opt.cdrom
+ keys.append(system_out(cmd))
- import_keyring = os.path.join(out_path, "elbe-keyring")
+ import_keyring = os.path.join(out_path, "elbe-keyring")
- do('gpg --no-options \
- --no-default-keyring \
- --keyring %s --import' % import_keyring,
- stdin="".join(keys).encode('ascii'),
- allow_fail=True,
- env_add={'GNUPGHOME': out_path})
+ do('gpg --no-options \
+ --no-default-keyring \
+ --keyring %s --import' % import_keyring,
+ stdin="".join(keys).encode('ascii'),
+ allow_fail=True,
+ env_add={'GNUPGHOME': out_path})
- export_keyring = import_keyring + ".gpg"
+ export_keyring = import_keyring + ".gpg"
- # No need to set GNUPGHOME because both input and output
- # keyring files are specified.
+ # No need to set GNUPGHOME because both input and output
+ # keyring files are specified.
- do('gpg --no-options \
- --no-default-keyring \
- --keyring %s \
- --export \
- --output %s' % (import_keyring, export_keyring))
+ do('gpg --no-options \
+ --no-default-keyring \
+ --keyring %s \
+ --export \
+ --output %s' % (import_keyring, export_keyring))
if opt.devel:
out_real = os.path.realpath(out_path)
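Review bot: The key extracted from the ISO at line 42 is appended without any check that `7z` actually produced a key block, and the import at lines 51-56 runs with `allow_fail=True`, so an ISO that lacks `repo.pub` (or a failed extraction) yields an `elbe-keyring.gpg` without the cdrom key and the problem only surfaces later in the installer. Consider binding and checking the output before appending, e.g. `cdrom_key = system_out(cmd)` followed by `if 'BEGIN PGP PUBLIC KEY BLOCK' not in cdrom_key: raise RuntimeError('no repo.pub key found in %s' % opt.cdrom)` (or the project's usual command error). The `"".join(keys)` at line 54 concatenates armored blocks with no separator; if a `raw-key` text or the `7z` output has no trailing newline (whether `system_out` strips it is not visible here), the next block's header fuses with the previous one, so `"\n".join(keys)` is the safer join. As a style point, lines 31-33 read more directly as `keys = [key.et.text for key in xml.all(".//initvm/mirror/url-list/url/raw-key")]`. `run_command` starts and ends outside this hunk.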
diff --git a/elbepack/egpg.py b/elbepack/egpg.py
index 8b2807cd..8fd35b74 100644
--- a/elbepack/egpg.py
+++ b/elbepack/egpg.py
@@ -278,4 +278,3 @@ def generate_elbe_internal_key():
def export_key(fingerprint, outfile):
system("/usr/bin/gpg -a -o %s --export %s" % (outfile, fingerprint),
env_add={"GNUPGHOME": "/var/cache/elbe/gnupg"})
- return '/var/cache/elbe/gnupg/pubring.kbx'
diff --git a/elbepack/repomanager.py b/elbepack/repomanager.py
index 53fb89e8..485b9c2b 100644
--- a/elbepack/repomanager.py
+++ b/elbepack/repomanager.py
@@ -165,9 +165,7 @@ class RepoBase(object):
fp.write("\n")
fp.close()
- keyring = export_key(self.keyid, self.fs.fname("/repo.pub"))
- if keyring:
- shutil.copyfile(keyring, self.fs.fname("/elbe-keyring.gpg"))
+ export_key(self.keyid, self.fs.fname("/repo.pub"))
if need_update:
cmd = 'reprepro --export=force --basedir "%s" update' % self.fs.path
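Review bot: The return of `export_key` is now discarded at line 94, and whether the `system()` call inside it (egpg.py, lines 80-82 of this patch) raises on a non-zero gpg exit is not visible here, so a failed export could leave the ISO without `repo.pub` while the build carries on. A short comment at the call site would record the contract the new init.py code depends on: `# repo.pub is read back by 'elbe init --cdrom' to seed the initvm keyring`. If `shutil` has no other use in repomanager.py after this change, its import is now dead. The enclosing method and `class RepoBase` start and end outside the hunk.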
--
2.27.0