[elbe-devel] [PATCH v2] Fix bin-cdrom.iso signature validation in initvm-create
Torben Hohn
torben.hohn at linutronix.de
Tue Jul 21 12:19:24 CEST 2020
On Thu, Jul 16, 2020 at 10:38:48AM -0400, Olivier Dion wrote:
> The public key of the cdrom is exported to the bin-cdrom.iso in
> repomanager.py using the export_key() call.
>
> This public key is then extracted in init.py and added to the list of
> raw keys to generate elbe-keyring.gpg that is used by the installer.
>
> Signed-off-by: Olivier Dion <dion at linutronix.de>
Reviewed-by: Torben Hohn <torben.hohn at linutronix.de>
> ---
> elbepack/commands/init.py | 44 ++++++++++++++++++++-------------------
> elbepack/egpg.py | 1 -
> elbepack/repomanager.py | 4 +---
> 3 files changed, 24 insertions(+), 25 deletions(-)
>
> diff --git a/elbepack/commands/init.py b/elbepack/commands/init.py
> index 834cdfd7..fa63916a 100644
> --- a/elbepack/commands/init.py
> +++ b/elbepack/commands/init.py
> @@ -22,7 +22,7 @@ from elbepack.version import elbe_version
> from elbepack.templates import write_template, get_initvm_preseed
> from elbepack.directories import init_template_dir, elbe_dir
> from elbepack.config import cfg
> -from elbepack.shellhelper import command_out, system, do
> +from elbepack.shellhelper import command_out, system, do, system_out
> from elbepack.log import elbe_logging
> from elbepack.filesystem import Filesystem
>
> @@ -225,32 +225,34 @@ def run_command(argv):
> shutil.copyfile(args[0],
> os.path.join(out_path, "source.xml"))
>
> +
> + keys = []
> + for key in xml.all(".//initvm/mirror/url-list/url/raw-key"):
> + keys.append(key.et.text)
> +
> if opt.cdrom:
> - system('7z x -o%s "%s" elbe-keyring.gpg' % (out_path, opt.cdrom))
> - else:
> - keys = []
> - for key in xml.all(".//initvm/mirror/url-list/url/raw-key"):
> - keys.append(key.et.text)
> + cmd = '7z x -so "%s" repo.pub' % opt.cdrom
> + keys.append(system_out(cmd))
>
> - import_keyring = os.path.join(out_path, "elbe-keyring")
> + import_keyring = os.path.join(out_path, "elbe-keyring")
>
> - do('gpg --no-options \
> - --no-default-keyring \
> - --keyring %s --import' % import_keyring,
> - stdin="".join(keys).encode('ascii'),
> - allow_fail=True,
> - env_add={'GNUPGHOME': out_path})
> + do('gpg --no-options \
> + --no-default-keyring \
> + --keyring %s --import' % import_keyring,
> + stdin="".join(keys).encode('ascii'),
> + allow_fail=True,
> + env_add={'GNUPGHOME': out_path})
>
> - export_keyring = import_keyring + ".gpg"
> + export_keyring = import_keyring + ".gpg"
>
> - # No need to set GNUPGHOME because both input and output
> - # keyring files are specified.
> + # No need to set GNUPGHOME because both input and output
> + # keyring files are specified.
>
> - do('gpg --no-options \
> - --no-default-keyring \
> - --keyring %s \
> - --export \
> - --output %s' % (import_keyring, export_keyring))
> + do('gpg --no-options \
> + --no-default-keyring \
> + --keyring %s \
> + --export \
> + --output %s' % (import_keyring, export_keyring))
>
> if opt.devel:
> out_real = os.path.realpath(out_path)
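Review bot: `cmd = '7z x -so "%s" repo.pub' % opt.cdrom` interpolates a command-line path into a shell string, so a path containing a double quote or other shell metacharacters breaks the command or changes its meaning; quote it, e.g. `cmd = '7z x -so %s repo.pub' % shlex.quote(opt.cdrom)` with `import shlex` added to the top of init.py. The value captured by `keys.append(system_out(cmd))` is also appended unchecked: if repo.pub is absent from the ISO and system_out does not raise on a non-zero 7z exit (shellhelper is not visible here), an empty string is handed to the gpg import, whose `allow_fail=True` hides the problem until the installer later finds no cdrom key in elbe-keyring.gpg. A guard such as `if not keys[-1].strip(): raise ValueError("no repo.pub found in %s" % opt.cdrom)` right after the append would fail early with a clear message. run_command starts and continues outside this hunk.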
> diff --git a/elbepack/egpg.py b/elbepack/egpg.py
> index 8b2807cd..8fd35b74 100644
> --- a/elbepack/egpg.py
> +++ b/elbepack/egpg.py
> @@ -278,4 +278,3 @@ def generate_elbe_internal_key():
> def export_key(fingerprint, outfile):
> system("/usr/bin/gpg -a -o %s --export %s" % (outfile, fingerprint),
> env_add={"GNUPGHOME": "/var/cache/elbe/gnupg"})
> - return '/var/cache/elbe/gnupg/pubring.kbx'
> diff --git a/elbepack/repomanager.py b/elbepack/repomanager.py
> index 53fb89e8..485b9c2b 100644
> --- a/elbepack/repomanager.py
> +++ b/elbepack/repomanager.py
> @@ -165,9 +165,7 @@ class RepoBase(object):
> fp.write("\n")
> fp.close()
>
> - keyring = export_key(self.keyid, self.fs.fname("/repo.pub"))
> - if keyring:
> - shutil.copyfile(keyring, self.fs.fname("/elbe-keyring.gpg"))
> + export_key(self.keyid, self.fs.fname("/repo.pub"))
>
> if need_update:
> cmd = 'reprepro --export=force --basedir "%s" update' % self.fs.path
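Review bot: The removed `shutil.copyfile` call may have been the only use of `shutil` in repomanager.py, so the module-level import (outside this hunk) is possibly unused now and should be dropped if so. `export_key(self.keyid, self.fs.fname("/repo.pub"))` discards the return value, which the egpg.py hunk turns into `None`, so this caller can no longer react to a failed export; whether `system()` in egpg.py raises on a non-zero gpg exit is not visible here, and it is worth confirming, since a missing repo.pub only surfaces later when initvm-create tries to import it from the ISO. A one-line comment above the call, `# Write the ASCII-armored repo key; initvm-create (init.py) extracts it from the ISO into elbe-keyring.gpg`, would record the contract the commit establishes between the two files. The enclosing method starts outside the hunk.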
> --
> 2.27.0
>
--
Torben Hohn
Linutronix GmbH | Bahnhofstrasse 3 | D-88690 Uhldingen-Mühlhofen
Phone: +49 7556 25 999 18; Fax.: +49 7556 25 999 99
Hinweise zum Datenschutz finden Sie hier (Informations on data privacy
can be found here): https://linutronix.de/kontakt/Datenschutz.php
Linutronix GmbH | Firmensitz (Registered Office): Uhldingen-Mühlhofen |
Registergericht (Registration Court): Amtsgericht Freiburg i.Br., HRB700
806 | Geschäftsführer (Managing Directors): Heinz Egger, Thomas Gleixner