Verified Commit 59dffcf1 authored by nl6720's avatar nl6720

mkarchiso: support setting gpg sender

Add new -G option to set gpg's --sender. This allows seeing who signed the rootfs image without needing to import the gpg key from the keyring in initramfs.
parent ea9572b9
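--- a/mkarchiso
+++ b/mkarchiso
@@ -19,6 +19,7 @@ quiet=""
 work_dir=""
 out_dir=""
 gpg_key=""
+gpg_sender=""
 iso_name=""
 iso_label=""
 iso_publisher=""
@@ -88,7 +89,10 @@ usage: ${app_name} [options] <profile_dir>
 Multiple files are provided as quoted, space delimited list.
 The first file is considered as the signing certificate,
 the second as the key.
--g <gpg_key> Set the PGP key ID to be used for signing the rootfs image
+-g <gpg_key> Set the PGP key ID to be used for signing the rootfs image.
+Passed to gpg as the value for --default-key
+-G <mbox> Set the PGP signer (must include an email address)
+Passed to gpg as the value for --sender
 -h This message
 -m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot').
 Multiple build modes are provided as quoted, space delimited list.
@@ -119,6 +123,7 @@ _show_config() {
 _msg_info " Current build mode: ${buildmode}"
 _msg_info " Build modes: ${buildmodes[*]}"
 _msg_info " GPG key: ${gpg_key:-None}"
+_msg_info " GPG signer: ${gpg_sender:-None}"
 _msg_info "Code signing certificates: ${cert_list[*]}"
 _msg_info " Profile: ${profile}"
 _msg_info "Pacman configuration file: ${pacman_conf}"
@@ -238,7 +243,7 @@ _mkchecksum() {
 # GPG sign the root file system image.
 _mksignature() {
-local airootfs_image_filename
+local airootfs_image_filename gpg_options=()
 _msg_info "Signing rootfs image..."
 if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
 airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
@@ -246,9 +251,11 @@ _mksignature() {
 airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
 fi
 rm -f -- "${airootfs_image_filename}.sig"
+# Add gpg sender option if the value is provided
+[[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
 # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
 gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
---default-key "${gpg_key}" "${airootfs_image_filename}"
+--default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}"
 _msg_info "Done!"
 }
@@ -1111,6 +1118,7 @@ _set_overrides() {
 install_dir="${app_name}"
 fi
 [[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
+[[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
 if [[ -v override_cert_list ]]; then
 sign_netboot_artifacts="y"
 fi
@@ -1261,7 +1269,7 @@ _build() {
 done
 }
-while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
+while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do
 case "${arg}" in
 p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
 C) override_pacman_conf="${OPTARG}" ;;
@@ -1274,6 +1282,7 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
 m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
 o) override_out_dir="${OPTARG}" ;;
 g) override_gpg_key="${OPTARG}" ;;
+G) override_gpg_sender="${OPTARG}" ;;
 v) override_quiet="n" ;;
 h|?) _usage 0 ;;
 *)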
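Review bot: A `-G <mbox>` passed without `-g <gpg_key>` is silently dropped: the new line in `_set_overrides` copies it into `gpg_sender`, but `--sender` is only consumed inside `_mksignature`, which (judging by its unconditional `--default-key "${gpg_key}"`) presumably runs only when a key is configured, so the user gets no hint that the signer identity was never applied. A check next to the new override line would close that gap, e.g. `[[ -z "${gpg_sender}" || -n "${gpg_key}" ]] || _msg_warning "-G <mbox> has no effect without -g <gpg_key>"` (the caller that gates `_mksignature` is outside these hunks, so the best location cannot be confirmed from here). The comment above `gpg_options+=('--sender' ...)` should also state what the value is for, since the usage text only says it "must include an email address": something like `# --sender embeds the signer's user ID in the signature so verifiers can display it; it is presumably expected to match a user ID on the signing key, and it does not replace keyring-based verification`. The second sentence matters for readers of the commit description: the embedded identity is only meaningful once `gpg --verify` succeeds against a trusted key, not as evidence on its own.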