[elbe-devel] [PATCH 09/12] elbepack: debinstaller: add primary key to trusted keys for fetching initvm installer files

Thomas Weißschuh thomas.weissschuh at linutronix.de
Mon Nov 18 15:45:26 CET 2024


From: Stefan Kempf <stefan at kempfsn.de>

[thomas: rebase, align with project conventions]

Signed-off-by: Stefan Kempf <stefan at kempfsn.de>
Signed-off-by: Thomas Weißschuh <thomas.weissschuh at linutronix.de>
---
 elbepack/debinstaller.py | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/elbepack/debinstaller.py b/elbepack/debinstaller.py
index 631e9accffc562f713eedbd8727e75652f579bc7..5b192140e85e86cebdf1ff1b9e6ff4bb33738f72 100644
--- a/elbepack/debinstaller.py
+++ b/elbepack/debinstaller.py
@@ -7,15 +7,17 @@ import re
 import shutil
 import subprocess
 import sys
+import tempfile
 from shutil import copyfile
 from urllib.request import urlopen
 
 from gpg import core
 from gpg.constants import PROTOCOL_OpenPGP
 
-from elbepack.egpg import OverallStatus, check_signature
+from elbepack.egpg import OverallStatus, check_signature, unarmor_openpgp_keyring
 from elbepack.filesystem import TmpdirFilesystem
 from elbepack.hashes import HashValidationFailed, HashValidator
+from elbepack.treeutils import strip_leading_whitespace_from_lines
 
 
 class InvalidSignature(Exception):
@@ -73,7 +75,7 @@ class SHA256SUMSFile(HashValidator):
                                                m.group(1))
 
 
-def setup_apt_keyring(gpg_home, keyring_fname):
+def setup_apt_keyring(gpg_home, keyring_fname, primary_key):
     ring_path = os.path.join(gpg_home, keyring_fname)
     if not os.path.isdir('/etc/apt/trusted.gpg.d'):
         print("/etc/apt/trusted.gpg.d doesn't exist")
@@ -100,6 +102,15 @@ def setup_apt_keyring(gpg_home, keyring_fname):
             '--import', os.path.join('/etc/apt/trusted.gpg.d', key),
         ], check=True, capture_output=True)
 
+    if primary_key:
+        with tempfile.NamedTemporaryFile(buffering=0) as fp:
+            print('Import primary key')
+            fp.write(unarmor_openpgp_keyring(primary_key))
+            subprocess.run([
+                'gpg', *gpg_options,
+                '--import', fp.name,
+            ], check=True, capture_output=True)
+
 
 def verify_release(tmp, base_url):
 
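Review bot: The key imported here is what later Release-file verification trusts, but the block does not say so; add `# A project-supplied primary key becomes a trust anchor for verifying the mirror's Release file` above `if primary_key:`. When gpg rejects the material, `check=True` together with `capture_output=True` raises CalledProcessError with gpg's stderr hidden, which mirrors the existing import loop above but makes a malformed key hard to diagnose. `gpg_options` and the start of setup_apt_keyring are outside this hunk.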
@@ -137,11 +148,11 @@ def verify_release(tmp, base_url):
         sig.close()
 
 
-def download_kinitrd(tmp, suite, mirror, skip_signature=False):
+def download_kinitrd(tmp, suite, mirror, primary_key, skip_signature=False):
     base_url = f"{mirror.replace('LOCALMACHINE', 'localhost')}/dists/{suite}/"
     installer_path = 'main/installer-amd64/current/images/'
 
-    setup_apt_keyring(tmp.fname('/'), 'pubring.gpg')
+    setup_apt_keyring(tmp.fname('/'), 'pubring.gpg', primary_key)
 
     # download release file
     with urlopen(base_url + 'Release') as src, tmp.open('Release', 'wb') as dest:
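Review bot: `primary_key` is inserted as a required positional parameter in front of `skip_signature`, so any caller not updated in this commit that passed `skip_signature` positionally would now have its boolean taken as the key, and a caller passing only four arguments would fail at call time. Giving it a default keeps the old call shape valid, `def download_kinitrd(tmp, suite, mirror, primary_key=None, skip_signature=False):`; the only caller visible here (copy_kinitrd) is updated, but callers elsewhere in the tree cannot be seen from this patch. download_kinitrd continues beyond the hunk.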
@@ -196,6 +207,11 @@ def get_primary_mirror(prj):
     return mirror
 
 
+def get_primary_key(prj):
+    if prj.has('mirror/primary_key'):
+        return strip_leading_whitespace_from_lines(prj.text('mirror/primary_key'))
+
+
 def copy_kinitrd(prj, target_dir):
 
     suite = prj.text('suite')
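Review bot: get_primary_key falls off the end and returns None implicitly when the project has no `mirror/primary_key`; make that explicit with a trailing `return None` and a docstring along the lines of `"""Return the project's ASCII-armored primary mirror key with indentation stripped, or None if none is configured."""`. The `strip_leading_whitespace_from_lines` call presumably exists so an indented XML text block yields a valid armored key, which is worth a one-line comment. copy_kinitrd's body continues outside this hunk.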
@@ -214,7 +230,8 @@ def copy_kinitrd(prj, target_dir):
                      os.path.join(target_dir, 'initrd.gz'))
         else:
             mirror = get_primary_mirror(prj)
-            download_kinitrd(tmp, suite, mirror, prj.has('noauth'))
+            primary_key = get_primary_key(prj)
+            download_kinitrd(tmp, suite, mirror, primary_key, prj.has('noauth'))
 
             copyfile(tmp.fname('initrd.gz'),
                      os.path.join(target_dir, 'initrd.gz'))

-- 
2.47.0


