diff --git a/.gitlab/ci/build_archiso.sh b/.gitlab/ci/build_archiso.sh index 8a6f92f..5250b51 100755 --- a/.gitlab/ci/build_archiso.sh +++ b/.gitlab/ci/build_archiso.sh @@ -199,6 +199,8 @@ EOF | awk -F':' '{if($1 ~ /sec/){ print $5 }}' )" + pgp_sender="Arch Linux Release Engineering (Ephemeral Signing Key) " + print_section_end "ephemeral_pgp_key" } @@ -240,6 +242,7 @@ run_mkarchiso() { -D "${install_dir}" \ -c "${codesigning_cert} ${codesigning_key}" \ -g "${pgp_key_id}" \ + -G "${pgp_sender}" \ -o "${output}/" \ -w "${tmpdir}/" \ -m "${buildmode}" \ diff --git a/archiso/mkarchiso b/archiso/mkarchiso index 267804a..a77d3d9 100755 --- a/archiso/mkarchiso +++ b/archiso/mkarchiso @@ -19,6 +19,7 @@ quiet="" work_dir="" out_dir="" gpg_key="" +gpg_sender="" iso_name="" iso_label="" iso_publisher="" @@ -88,7 +89,10 @@ usage: ${app_name} [options] Multiple files are provided as quoted, space delimited list. The first file is considered as the signing certificate, the second as the key. - -g Set the PGP key ID to be used for signing the rootfs image + -g Set the PGP key ID to be used for signing the rootfs image. + Passed to gpg as the value for --default-key + -G Set the PGP signer (must include an email address) + Passed to gpg as the value for --sender -h This message -m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot'). Multiple build modes are provided as quoted, space delimited list. @@ -119,6 +123,7 @@ _show_config() { _msg_info " Current build mode: ${buildmode}" _msg_info " Build modes: ${buildmodes[*]}" _msg_info " GPG key: ${gpg_key:-None}" + _msg_info " GPG signer: ${gpg_sender:-None}" _msg_info "Code signing certificates: ${cert_list[*]}" _msg_info " Profile: ${profile}" _msg_info "Pacman configuration file: ${pacman_conf}" 
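Review bot: The `pgp_sender` value added in the first build_archiso.sh hunk is a hard-coded literal, and as rendered here it ends after `(Ephemeral Signing Key) ` with no mail address, which the new `-G` usage text in mkarchiso says is required and which gpg needs to resolve `--sender`; if the address was merely lost in rendering this is moot, but please confirm the string matches a user ID of the ephemeral key generated above (outside the hunk). Because `--sender` selects the signer UID by mail address, a mismatch with the key's UID only surfaces when `run_mkarchiso` signs the rootfs, late in the CI job. Consider deriving the value from the same name and mail the key-generation heredoc above uses, or at least document the coupling with a comment such as `# must match the user ID of the ephemeral key generated above; passed to mkarchiso -G (gpg --sender)`.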
@@ -238,15 +243,19 @@ _mkchecksum() {
 
 # GPG sign the root file system image.
 _mksignature() {
+ local airootfs_image_filename gpg_options=()
 _msg_info "Signing rootfs image..."
- cd -- "${isofs_dir}/${install_dir}/${arch}"
- # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
 if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
- gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
 elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
- gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
 fi
- cd -- "${OLDPWD}"
+ rm -f -- "${airootfs_image_filename}.sig"
+ # Add gpg sender option if the value is provided
+ [[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
+ # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
+ gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
+ --default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}"
 _msg_info "Done!"
 }
 
@@ -1109,6 +1118,7 @@ _set_overrides() {
 install_dir="${app_name}"
 fi
 [[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
+ [[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
 if [[ -v override_cert_list ]]; then
 sign_netboot_artifacts="y"
 fi
@@ -1126,7 +1136,8 @@ _set_overrides() {
 }
 
 _export_gpg_publickey() {
- gpg --batch --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
+ rm -f -- "${work_dir}/pubkey.gpg"
+ gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
 }
 
 _make_version() {
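Review bot: When neither `airootfs.sfs` nor `airootfs.erofs` exists, `airootfs_image_filename` stays empty in the `_mksignature` hunk, so `rm -f -- "${airootfs_image_filename}.sig"` removes a file literally named `.sig` in the caller's current directory and gpg is then invoked with an empty input path; the old code silently signed nothing in that case, the new code fails with an unrelated gpg error. Add an `else` arm that fails with a clear message before the `rm`, e.g. `else` / `_msg_error "No airootfs image found in ${isofs_dir}/${install_dir}/${arch}" 1` (mkarchiso's error helper; adjust if its signature differs). Separately, `gpg_sender` is passed through to `--sender` unvalidated in this hunk and in the `_set_overrides` hunk below, although the new usage text says it must contain a mail address and gpg rejects a value without one; a check such as `[[ -z "${gpg_sender}" || "${gpg_sender}" == *@* ]] || _msg_error "-G value must contain a mail address" 1` next to the override in `_set_overrides` would report the problem at option handling instead of at the end of the build.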
@@ -1258,7 +1269,7 @@ _build() {
 done
 }
 
-while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
+while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do
 case "${arg}" in
 p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
 C) override_pacman_conf="${OPTARG}" ;;
@@ -1271,6 +1282,7 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
 m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
 o) override_out_dir="${OPTARG}" ;;
 g) override_gpg_key="${OPTARG}" ;;
+ G) override_gpg_sender="${OPTARG}" ;;
 v) override_quiet="n" ;;
 h|?) _usage 0 ;;
 *)