[elbe-devel] [PATCH 07/12] elbepack: elbeproject: add keyring to debootstrapopts when creating a pbuilder
Thomas Weißschuh
thomas.weissschuh at linutronix.de
Mon Nov 18 15:45:24 CET 2024
From: Stefan Kempf <stefan at kempfsn.de>
[thomas: rebase, align with project conventions]
Signed-off-by: Stefan Kempf <stefan at kempfsn.de>
Signed-off-by: Thomas Weißschuh <thomas.weissschuh at linutronix.de>
---
elbepack/elbeproject.py | 9 +++++++--
elbepack/pbuilder.py | 27 +++++++++++++++++++++++++++
2 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/elbepack/elbeproject.py b/elbepack/elbeproject.py
index 2eb4ac6a72e885e3f20cbf8dca4165a935276cd3..94c1e38401e83ad377beee9a56dac7eb604315ff 100644
--- a/elbepack/elbeproject.py
+++ b/elbepack/elbeproject.py
@@ -27,6 +27,7 @@ from elbepack.filesystem import size_to_int
from elbepack.finetuning import do_prj_finetuning
from elbepack.log import validation
from elbepack.pbuilder import (
+ pbuilder_get_debootstrap_key_path,
pbuilder_write_apt_conf,
pbuilder_write_config,
pbuilder_write_cross_config,
@@ -848,19 +849,23 @@ class ElbeProject:
# Run pbuilder --create
no_check_gpg = []
+ keyring = []
+ debootstrap_key_path = pbuilder_get_debootstrap_key_path(self.chrootpath, self.xml)
if self.xml.prj.has('noauth'):
no_check_gpg = ['--debootstrapopts', '--no-check-gpg']
+ elif debootstrap_key_path:
+ keyring = ['--debootstrapopts', '--keyring=' + debootstrap_key_path]
if cross:
do(['pbuilder', '--create',
'--buildplace', os.path.join(self.builddir, 'pbuilder_cross'),
'--configfile', os.path.join(self.builddir, 'cross_pbuilderrc'),
'--aptconfdir', os.path.join(self.builddir, 'aptconfdir'),
- '--debootstrapopts', '--include=git,gnupg', *no_check_gpg])
+ '--debootstrapopts', '--include=git,gnupg', *no_check_gpg, *keyring])
else:
do(['pbuilder', '--create',
'--configfile', os.path.join(self.builddir, 'pbuilderrc'),
'--aptconfdir', os.path.join(self.builddir, 'aptconfdir'),
- '--debootstrapopts', '--include=git,gnupg', *no_check_gpg])
+ '--debootstrapopts', '--include=git,gnupg', *no_check_gpg, *keyring])
def sync_xml_to_disk(self):
try:
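Review bot: The `--keyring=` option built in the `elif debootstrap_key_path:` branch uses a path that is never checked to exist; `pbuilder_get_debootstrap_key_path` (added in elbepack/pbuilder.py by this patch) derives it from the XML alone and, per its comment, relies on BuildEnv.debootstrap having written the file earlier. If the chroot lacks that file, `pbuilder --create` would presumably fail inside debootstrap with an error that does not name the missing keyring. A guard such as `if not os.path.isfile(debootstrap_key_path): raise FileNotFoundError(debootstrap_key_path)` would fail early and keep the intended trust root explicit. Separately, a project that sets both `noauth` and `mirror/primary_key` silently gets `--no-check-gpg`; a comment like `# noauth takes precedence over a configured primary_key` on that branch would document the choice. The enclosing method starts above the hunk, so the earlier setup of `self.chrootpath` is not visible here.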
diff --git a/elbepack/pbuilder.py b/elbepack/pbuilder.py
index 180faeb2b3b15809624d388f5401fcabdc150e8b..391584ab8526fa99c0153210dbade2de40a426ae 100644
--- a/elbepack/pbuilder.py
+++ b/elbepack/pbuilder.py
@@ -157,6 +157,29 @@ def pbuilder_write_repo_hook(builddir, xml, cross):
f.write('apt-get update\n')
+def get_debootstrap_key(xml):
+ if xml.prj.has('mirror/primary_host') and xml.prj.has('mirror/primary_key'):
+ m = xml.prj.node('mirror')
+
+ if m.has('options'):
+ options = '[%s]' % ' '.join([opt.et.text.strip(' \t\n')
+ for opt
+ in m.all('options/option')])
+ else:
+ options = ''
+
+ if 'trusted=yes' not in options:
+ return strip_leading_whitespace_from_lines(m.text('primary_key'))
+
+
+def pbuilder_get_debootstrap_key_path(chrootpath, xml):
+ # If we have a primary key for use with debootstrap, BuildEnv.debootstrap
+ # will have added the key. We use the same key for the pbuilder
+ # debootstrap options.
+ if get_debootstrap_key(xml):
+ return os.path.join(chrootpath, 'etc', 'apt', 'trusted.gpg.d', 'elbe-xml-primary-key.gpg')
+
+
def get_apt_keys(builddir, xml):
if xml.prj is None:
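Review bot: `get_debootstrap_key` decides whether the mirror key applies with a substring test, `'trusted=yes' not in options`, on the space-joined, bracketed option string, so any option text that merely contains `trusted=yes` drops the key and no `--keyring` is passed. Keeping the stripped option texts in a list and testing membership (`if 'trusted=yes' not in option_list:`) would match only an exact option; this may mirror existing logic elsewhere in elbepack, in which case both places should agree. Both new functions fall through to an implicit `None`; an explicit `return None` and a docstring such as `"""Return the primary mirror key from the XML, or None if absent or the mirror is marked trusted=yes."""` would make the contract clear to callers like `get_apt_keys`. The file name `elbe-xml-primary-key.gpg` in `pbuilder_get_debootstrap_key_path` duplicates what BuildEnv.debootstrap is said to write, so a shared constant would stop the two from drifting apart.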
@@ -167,6 +190,10 @@ def get_apt_keys(builddir, xml):
keys = [('elbe-localrepo', pathlib.Path(builddir, 'repo', 'repo.pub').read_text())]
+ debootstrap_key = get_debootstrap_key(xml)
+ if debootstrap_key:
+ keys.append(('elbe-xml-primary-key', debootstrap_key))
+
if xml.prj.has('mirror/primary_host') and xml.prj.has('mirror/url-list'):
for i, url in enumerate(xml.prj.node('mirror/url-list')):
--
2.47.0