From ea9572b98e7648bc090e240798244656662e2a09 Mon Sep 17 00:00:00 2001
From: nl6720
Date: Sat, 7 Aug 2021 12:48:23 +0300
Subject: [PATCH 1/3] mkarchiso: add some sane gpg options to override those set in user's gpg.conf

* Add --batch, since gpg is run in a script.
* Add --no-armor (this is the default). Armored output provides no benifit here.
* Add --no-include-key-block (this is the default). There is no need to have the gpg key in the signature. The mkinitcpio hook will verify the signature against the included keyring.

Remove the output files before running gpg. Otherwise gpg --batch will fail if they exist.
---
 archiso/mkarchiso | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 267804a..0a46fd6 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -238,15 +238,17 @@ _mkchecksum() {
 # GPG sign the root file system image.
 _mksignature() {
+ local airootfs_image_filename
 _msg_info "Signing rootfs image..."
- cd -- "${isofs_dir}/${install_dir}/${arch}"
- # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
 if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
- gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
 elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
- gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
 fi
- cd -- "${OLDPWD}"
+ rm -f -- "${airootfs_image_filename}.sig"
+ # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
+ gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
+ --default-key "${gpg_key}" "${airootfs_image_filename}"
 _msg_info "Done!"
 }
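Review bot: `_mksignature` has no fallback for the case where neither `airootfs.sfs` nor `airootfs.erofs` exists, so `airootfs_image_filename` stays unset and the new `rm -f` and `gpg` lines run against a bare `.sig` path and an empty input name (or the script aborts on the unset variable if it runs under `set -u`, which is not visible here). A guard before the `rm` would turn a missing image into a clear build failure rather than a confusing gpg error, for example `[[ -n "${airootfs_image_filename:-}" ]] || { printf 'no rootfs image to sign\n' >&2; return 1; }`. Separately, the gpg manual notes that `--local-user` overrides `--default-key`, so a `local-user` entry in the user's gpg.conf would still choose the signing key; since the commit is meant to neutralise gpg.conf settings, `--local-user "${gpg_key}"` is worth considering.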
@@ -1126,7 +1128,8 @@ _set_overrides() {
 }
 _export_gpg_publickey() {
- gpg --batch --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
+ rm -f -- "${work_dir}/pubkey.gpg"
+ gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
 }
 _make_version() {

From 59dffcf11a3e7d55e4d9171ba2b4a2d0bd262368 Mon Sep 17 00:00:00 2001
From: nl6720
Date: Tue, 3 Aug 2021 21:12:25 +0300
Subject: [PATCH 2/3] mkarchiso: support setting gpg sender

Add new -G option to set gpg's --sender. This allows to see who signed the rootfs image without needing to import the gpg key from the keyring in initramfs.
---
 archiso/mkarchiso | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/archiso/mkarchiso b/archiso/mkarchiso
index 0a46fd6..a77d3d9 100755
--- a/archiso/mkarchiso
+++ b/archiso/mkarchiso
@@ -19,6 +19,7 @@ quiet=""
 work_dir=""
 out_dir=""
 gpg_key=""
+gpg_sender=""
 iso_name=""
 iso_label=""
 iso_publisher=""
@@ -88,7 +89,10 @@ usage: ${app_name} [options]
 Multiple files are provided as quoted, space delimited list.
 The first file is considered as the signing certificate,
 the second as the key.
- -g Set the PGP key ID to be used for signing the rootfs image
+ -g Set the PGP key ID to be used for signing the rootfs image.
+ Passed to gpg as the value for --default-key
+ -G Set the PGP signer (must include an email address)
+ Passed to gpg as the value for --sender
 -h This message
 -m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot').
 Multiple build modes are provided as quoted, space delimited list.
@@ -119,6 +123,7 @@ _show_config() {
 _msg_info " Current build mode: ${buildmode}"
 _msg_info " Build modes: ${buildmodes[*]}"
 _msg_info " GPG key: ${gpg_key:-None}"
+ _msg_info " GPG signer: ${gpg_sender:-None}"
 _msg_info "Code signing certificates: ${cert_list[*]}"
 _msg_info " Profile: ${profile}"
 _msg_info "Pacman configuration file: ${pacman_conf}"
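Review bot: In `_export_gpg_publickey` (patch 1/3), `--export "${gpg_key}"` writes every public key that matches the given spec, whereas `_mksignature` signs with the single key that `--default-key` resolves to, so a short key ID, a name or an e-mail passed to `-g` can put more keys into `pubkey.gpg` than the one that signed the image. Going by the commit message, that keyring is what the mkinitcpio hook verifies the rootfs signature against, so it is worth stating next to the export that the value should be a full fingerprint, e.g. `# gpg_key should be a full fingerprint so that exactly one key is exported`. Now that the stale file is removed first, a check such as `[[ -s "${work_dir}/pubkey.gpg" ]]` after the export would also catch the case where gpg exports nothing.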
@@ -238,7 +243,7 @@ _mkchecksum() {
 # GPG sign the root file system image.
 _mksignature() {
- local airootfs_image_filename
+ local airootfs_image_filename gpg_options=()
 _msg_info "Signing rootfs image..."
 if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
 airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
@@ -246,9 +251,11 @@ _mksignature() {
 airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
 fi
 rm -f -- "${airootfs_image_filename}.sig"
+ # Add gpg sender option if the value is provided
+ [[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
 # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
 gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
- --default-key "${gpg_key}" "${airootfs_image_filename}"
+ --default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}"
 _msg_info "Done!"
 }
@@ -1111,6 +1118,7 @@ _set_overrides() {
 install_dir="${app_name}"
 fi
 [[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
+ [[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
 if [[ -v override_cert_list ]]; then
 sign_netboot_artifacts="y"
 fi
@@ -1261,7 +1269,7 @@ _build() {
 done
 }
-while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
+while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do
 case "${arg}" in
 p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
 C) override_pacman_conf="${OPTARG}" ;;
@@ -1274,7 +1282,8 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
 m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
 o) override_out_dir="${OPTARG}" ;;
 g) override_gpg_key="${OPTARG}" ;;
+ G) override_gpg_sender="${OPTARG}" ;;
 v) override_quiet="n" ;;
 h|?) _usage 0 ;;
 *)

From 3c6cdb1469dddbb617fe29b14c57e1fff6a43240 Mon Sep 17 00:00:00 2001
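Review bot: The comment added above `gpg_options+=('--sender' ...)` in `_mksignature` (patch 2/3) does not say what the sender value is good for, and the commit message's "see who signed the rootfs image without needing to import the gpg key" can be read as if the displayed signer were authenticated. The signer's user ID that `--sender` records is only a claim until the signature has been verified against a trusted key, so the comment could read `# --sender only records the signer's user ID in the signature; authenticity still comes from verifying against the keyring`. The value is also passed through unchecked although the usage text requires an email address, so a malformed `-G` only surfaces as a gpg error at signing time. The function's opening lines are in the preceding hunk.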
From: nl6720
Date: Sat, 7 Aug 2021 13:03:01 +0300
Subject: [PATCH 3/3] .gitlab/ci/build_archiso.sh: use mkarchiso's -G option

Set gpg's --sender.
---
 .gitlab/ci/build_archiso.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitlab/ci/build_archiso.sh b/.gitlab/ci/build_archiso.sh
index 8a6f92f..5250b51 100755
--- a/.gitlab/ci/build_archiso.sh
+++ b/.gitlab/ci/build_archiso.sh
@@ -199,6 +199,8 @@ EOF
 | awk -F':' '{if($1 ~ /sec/){ print $5 }}'
 )"
+ pgp_sender="Arch Linux Release Engineering (Ephemeral Signing Key) "
+
 print_section_end "ephemeral_pgp_key"
 }
@@ -240,6 +242,7 @@ run_mkarchiso() {
 -D "${install_dir}" \
 -c "${codesigning_cert} ${codesigning_key}" \
 -g "${pgp_key_id}" \
+ -G "${pgp_sender}" \
 -o "${output}/" \
 -w "${tmpdir}/" \
 -m "${buildmode}" \
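Review bot: As displayed here, the string assigned to `pgp_sender` in the first hunk contains no mail address, while the `-G` help text added in patch 2/3 says the value must include one. If the address in angle brackets was merely lost when this page was rendered, nothing needs to change; otherwise gpg is likely to reject the value at signing time. The name also looks like a second copy of the identity used for the ephemeral key generated above (only the closing `EOF` of that step is visible), so building `pgp_sender` from the same name and address values would presumably keep the two from drifting apart. The enclosing function starts outside the hunk.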