Optionally sign the squashfs files with gpg and add the gpg key to the initramfs

A new option -g <keyid> is added to build.sh set the key id. If it is set, the squashfs files will be signed by gpg and the gpg key will be added to archiso.img. In order to use this option, a gpg agent must be running. Since build.sh is executed as root, it may be necessary to set the GNUPGHOME environment variable, for example $ su -c "GNUPGHOME=/home/youruser/.gnupg /path/to/build.sh -g yourkeyid"

Optionally sign the squashfs files with gpg and add the gpg key to the initramfs
e36e63b8 · Thomas Bächler · Gerardo Pozzi · b644d3e9 · e36e63b8
Commit e36e63b8 authored 9 years ago by Thomas Bächler Committed by Gerardo Pozzi 9 years ago
--- a/configs/releng/build.sh
+++ b/configs/releng/build.sh
@@ -79,7 +79,15 @@ make_setup_mkinitcpio() {
    cp /usr/lib/initcpio/install/archiso_kms ${work_dir}/${arch}/airootfs/etc/initcpio/install
    cp /usr/lib/initcpio/archiso_shutdown ${work_dir}/${arch}/airootfs/etc/initcpio
    cp ${script_path}/mkinitcpio.conf ${work_dir}/${arch}/airootfs/etc/mkinitcpio-archiso.conf
-    setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run
+    gnupg_fd=
+    if [[ ${gpg_key} ]]; then
+      gpg --export ${gpg_key} >${work_dir}/gpgkey
+      exec 17<>${work_dir}/gpgkey
+    fi
+    ARCHISO_GNUPG_FD=${gpg_key:+17} setarch ${arch} mkarchiso ${verbose} -w "${work_dir}/${arch}" -C "${work_dir}/pacman.conf" -D "${install_dir}" -r 'mkinitcpio -c /etc/mkinitcpio-archiso.conf -k /boot/vmlinuz-linux -g /boot/archiso.img' run
+    if [[ ${gpg_key} ]]; then
+      exec 17<&-
+    fi
 }

 # Customize installation (airootfs)
@@ -197,7 +205,7 @@ make_efiboot() {
 make_prepare() {
    cp -a -l -f ${work_dir}/${arch}/airootfs ${work_dir}
    setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" pkglist
-    setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" prepare
+    setarch ${arch} mkarchiso ${verbose} -w "${work_dir}" -D "${install_dir}" ${gpg_key:+-g ${gpg_key}} prepare
    rm -rf ${work_dir}/airootfs
    # rm -rf ${work_dir}/${arch}/airootfs (if low space, this helps)
 }
@@ -217,7 +225,7 @@ if [[ ${arch} != x86_64 ]]; then
    _usage 1
 fi

-while getopts 'N:V:L:D:w:o:vh' arg; do
+while getopts 'N:V:L:D:w:o:g:vh' arg; do
    case "${arg}" in
        N) iso_name="${OPTARG}" ;;
        V) iso_version="${OPTARG}" ;;
@@ -225,6 +233,7 @@ while getopts 'N:V:L:D:w:o:vh' arg; do
        D) install_dir="${OPTARG}" ;;
        w) work_dir="${OPTARG}" ;;
        o) out_dir="${OPTARG}" ;;
+        g) gpg_key="${OPTARG}" ;;
        v) verbose="-v" ;;
        h) _usage 0 ;;
        *)