
feat(src/makechrootpkg.in): Download and verify in chroot

Vekhir -- requested to merge vekhir/devtools:verify-in-chroot into master

Downloading the sources and verifying them on the host system is easy and straightforward, but does have some drawbacks.
Use of custom DLAGENTS for downloading might require additional tools such as curl or wget to retrieve the source. Those have to be installed on the host system; declaring them in makedepends only works when using makepkg directly. This isn't much of an issue with curl as it happens to be part of base (i.e. always installed), but wget isn't.
The same applies to VCS sources. This issue became apparent rather soon, since it meant that non-git sources simply couldn't be downloaded if not installed beforehand (when using makechrootpkg). The solution for that was to make devtools depend on all VCS tools.
Another recent example is the introduction of the verify() function which allows arbitrary signature verification (like minisign).

Making devtools depend on all VCS tools, all download clients and all signature verifiers is hardly an appropriate solution.
Instead, put the downloading and verification into the chroot where the build is sandboxed and can install all the programs it needs.

Conceptually, the idea is simple: Call download_sources from within the chroot.
Practically, it's more complicated because the chroot cannot directly access devtools internal functions. However, this problem isn't new, so the solution is similar to _chrootbuild.
Since we are in the chroot, we don't need the BUILDDIR - we don't build anything anyhow. The config doesn't need $copydir and the die call is moved outside the function. The function is also prefixed with an underscore to show that it is being used in the chroot.
We also don't preserve the environment, instead bind the GPG key directory and SSH access keys to the read-only directory /verify (same name as the verify() function). More on that below.
Lastly, move the function a bit further down since the chroot needs to be ready and the nspawn_build_args defined.

The ad-hoc bash command is structured like this:

  1. Copy the function declaration (we can't call it directly)
  2. Copy verifysource_args literally (we can't access the variable later)
  3. Call _download_sources to download and verify.

The call to makepkg also gets 3 new arguments:
--syncdeps: to download the necessary makedepends.
--noconfirm: to automatically do so.
--log: to keep the new log for the verify() function.

The biggest hurdle, and sort of the only drawback, is to make sure that makepkg has access to the necessary keys for verification. In particular, GPG with its web of trust wants to ensure that the provided keys are trustworthy. This is normally done by importing one or several keys into the local keyring. While archlinux-keyring covers that aspect for official packages, keys for other packagers or even the user themself need to be made available within the chroot.
For that purpose, the SSH_AUTH_SOCK is bind-ro to /verify/ssh and the GPG keyring to /verify/gnupg. The latter can be either set via GNUPGHOME or, as default, located at $HOME/.gnupg. $HOME within makechrootpkg.in usually refers to /root (because root user), when we need the $HOME for the makepkg user. It is retrieved when calling load_makepkg_config, so also set DEVTOOLS_GNUPGHOME to that. Unfortunately, there doesn't seem to be a unified way to get the location.
Drawback being that other keyrings will need the same treatment, whereas they essentially just work right now.

This is not intended as a breaking change, and I don't believe it leads to breakage. download_sources is only used in makechrootpkg.in, so renaming it is fine.
Shellcheck found a few issues which I corrected. No new issues remain.

Tested with:
genymotion (requires wget for download)
libchewing (requires minisign for verify())
devtools (requires access to host GPG keys)
all Haskell packages (sanity check)

Closes #225
Closes #224
Closes archlinux/packaging/packages/devtools!1

All questions and feedback are welcome!
-- Vekhir
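The three-step ad-hoc command described in the request (copy the function declaration, copy the argument list literally, call the function) is a general pattern for running host-side shell code in a shell that starts with none of the caller's definitions. The script below is an added illustration of that pattern and is not devtools code: the function names `_fetch_and_verify`, `shquote`, `build_sandbox_cmd` and `run_in_sandbox` are made up for this example, `_fetch_and_verify` only echoes its arguments instead of downloading anything, and a plain `env -i sh -c` subshell stands in for the nspawn chroot. The point it demonstrates is that the argument list must be re-quoted before it is pasted into the command string, otherwise arguments containing spaces or quotes are split or mangled on the other side.

```shell
#!/bin/sh
# Added example, not part of devtools. Ships a function and its argument
# list into a fresh shell that has no access to the caller's variables.

# Single-quote one string so the receiving shell sees it byte-for-byte.
# Every embedded ' becomes '\'' (close quote, escaped quote, reopen).
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The function that has to run inside the sandbox, kept as text because the
# sandboxed shell starts empty (step 1: copy the function declaration).
# Hypothetical stand-in: it only reports what it would download and verify.
sandbox_fn='
_fetch_and_verify() {
    printf "verify:"
    for arg in "$@"; do printf " [%s]" "$arg"; done
    printf "\n"
}'

# Assemble the ad-hoc command:
#   1. the function declaration,
#   2. the argument list copied literally (the variable holding it will not
#      exist on the other side, so each element is quoted into the string),
#   3. the call itself.
build_sandbox_cmd() {
    args=''
    for a in "$@"; do
        args="$args $(shquote "$a")"
    done
    printf '%s\n_fetch_and_verify%s\n' "$sandbox_fn" "$args"
}

# Execute the assembled command in a shell with a scrubbed environment.
# The real code would hand this string to the container's shell; here a
# plain subshell stands in for the chroot.
run_in_sandbox() {
    env -i PATH=/usr/bin:/bin sh -c "$(build_sandbox_cmd "$@")"
}

# Constructed sample argument list with the awkward cases: a flag, a value
# with spaces and a value containing a single quote.
demo() {
    run_in_sandbox --foo "name with spaces" "it's quoted"
}

demo
```

Because `env -i` drops the caller's environment, the only things the inner shell knows about are what `build_sandbox_cmd` pasted into the command string, which mirrors why the request copies `verifysource_args` literally rather than relying on the variable being visible later.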
