GnuPG changed their default from RSA to ECC, so Key-Length is not
a thing it supports. Instead it asks for the Key-Curve.
Avoid using the default and hardcode ed25519 (which is the current
GnuPG default).
Adjust subject name to more closely match what's used in create_ephemeral_pgp_key.
Reduce the certificate validity to two days. These are just temporary
certificates, they will not be used anywhere.
Fixes #196
(gitlab ci)
Added a CA structure to the codesigning certificates.
This is to test the functionality of optional CA being in the signing message.
(mkarchiso)
Removed the ``sign_netboot_artifacts`` variable and instead
we'll now rely on ``if [[ -v cert_list ]]; then``.
Added ``ARCHISO_TLS_FD`` and ``ARCHISO_TLSCA_FD`` environment variables
to override the certificates used. This is so that third-party CAs can
be used during building in a meaningful way without disrupting the
CA trust that is shipped by default.
_cms_sign_artifact() was added which signs the rootfs using OpenSSL CMS.
The files will be saved as "${artifact}.cms.sig". That would be for instance
"${isofs_dir}/${install_dir}/${arch}/airootfs.sfs.cms.sig".
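
Added example (not part of the commit message or of archiso's own code): one way to build a two-day ephemeral CA and code signing certificate, write a detached OpenSSL CMS signature to "${artifact}.cms.sig" with the CA certificate embedded in the message, and verify it against the CA. The function names, file names and subject names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: ephemeral CA -> code signing cert -> detached CMS signature.
# All function, file and subject names below are hypothetical.

make_chain() {  # $1: work directory that receives keys and certificates
    local d="$1"
    cat > "$d/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
    # Self-signed CA, valid for two days only.
    openssl req -config "$d/ssl.cnf" -x509 -extensions ca_ext -days 2 \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/ca.key" -out "$d/ca.crt" \
        -subj "/CN=Example ephemeral CA" 2>/dev/null || return 1
    # Signing key plus CSR, then a leaf certificate issued by the CA.
    openssl req -config "$d/ssl.cnf" -new \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/sign.key" -out "$d/sign.csr" \
        -subj "/CN=Example ephemeral signer" 2>/dev/null || return 1
    openssl x509 -req -in "$d/sign.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/ssl.cnf" -extensions leaf_ext \
        -out "$d/sign.crt" 2>/dev/null
}

sign_artifact() {  # $1: work directory, $2: artifact; writes "$2.cms.sig"
    # -certfile embeds the CA certificate in the signed message.
    openssl cms -sign -binary -noattr -md sha512 -outform DER \
        -in "$2" -signer "$1/sign.crt" -inkey "$1/sign.key" \
        -certfile "$1/ca.crt" -out "$2.cms.sig"
}

verify_artifact() {  # $1: trusted CA certificate, $2: artifact
    # Trust comes from $1 only; certificates embedded in the message
    # help build the chain but are never trusted by themselves.
    openssl cms -verify -binary -inform DER -in "$2.cms.sig" -content "$2" \
        -CAfile "$1" -purpose any -out /dev/null 2>/dev/null
}
```

`-purpose any` is used because the leaf carries only the codeSigning extended key usage, which the default S/MIME purpose check of `openssl cms -verify` rejects.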
.gitlab/ci/build-inside-vm.sh:
Change the build script to provide the build artifacts and metrics in the top-level output directory.
This goes in line with the soon to be used ci-scripts, allowing code sharing amongst several projects.
.gitlab/ci/build_archiso.sh:
Rename .gitlab/ci/build-inside-vm.sh to .gitlab/ci/build_archiso.sh.
.gitlab-ci.yml:
Rename BUILD_SCRIPT to build_archiso.sh.
.gitlab/ci/build-host.sh:
Change all script-local variables to lower-case and make some of them overridable using environment variables (by
providing defaults).
Break down overly long commands by splitting them into a list of strings.
Use local variables where possible.
Change `main()` to use rsync instead of cp to copy the project to the build location more generically.
Change `main()` to use rsync instead of cp to copy the build artifacts on the VM from the project's build directory to
the output.
Remove all unnecessary `function` keywords for function declarations.
Replace the dependency on libisoburn's `xorriso` with libarchive's `bsdtar` and util-linux's `blkid` in
`prepare_boot()`.
Add `print_section_start()` and `print_section_end()` to reduce code duplication and error potential when printing lines
for gitlab's collapsible sections (https://docs.gitlab.com/ee/ci/jobs/#custom-collapsible-sections).
Document the script's behavior and expectations.
Document the understood environment variables and add links to documentation on understood units (in case of size
units).
.gitlab/ci/build-inside-vm.sh:
Add `print_section_start()` and `print_section_end()` to remove code duplication when printing gitlab collapsible
sections (https://docs.gitlab.com/ee/ci/jobs/#custom-collapsible-sections).
Document further script dependencies.
Remove the temporary directory base (located in the project directory) instead of only the tempdir.
Simplify setting file and directory ownership when running with sudo, by only doing it once, recursively on the output
directory.
Make the script's output more verbose by using verbose flags for removal, ownership changes and zsyncmake actions and by
displaying e.g. created metrics and checksum files.
Change `create_metrics()` to output to a `metrics.txt` by default.
Change `create_checksums()` to create the checksums relative to the files.
.gitlab/ci/build-inside-vm.sh:
Expand the script to allow building based on mkarchiso's buildmodes.
Accept two parameters now: profile and buildmode.
Add gitlab collapsible sections by adding specific printfs for it to all functions.
Add extglob to be able to more specifically target files.
Change `create_checksums()` to also generate the legacy md5 and sha1 checksums.
Change `create_checksums()` and `create_zsync_delta()` to accept and process an unspecified amount of files as
parameters.
Change `create_zsync_delta()` to lower the blocksize when creating a file for the bootstrap image.
Change `create_metrics()` to create metrics depending on build mode.
Rename `create_temp_pgp_key()` to `create_ephemeral_pgp_key()`.
Add `create_ephemeral_codesigning_key()` to create a codesigning key, that is used to sign the netboot artifacts.
Change `run_mkarchiso()` to also create an ephemeral codesigning key before running mkarchiso and to run
`create_checksums()` and `create_zsync_delta()` with files depending on build mode.
.gitlab/ci/build-host.sh:
Call `build-inside-vm.sh` using the PROFILE and BUILDMODE environment variables as parameters.
.gitlab/ci/build-host.sh:
Change parameters to qemu's `-drive` option to make use of the explicit `read-only=on`, as the implicit `read-only` is
now obsolete.
.gitlab/ci/build-inside-vm.sh:
Create an ephemeral signing key for signing the rootfs image (e.g. squashfs or erofs) when building the profiles.
Implements #125
.gitlab/ci/build-host.sh:
Change the readonly TMPDIR variable to a global tmpdir variable and set it in the `init()` function.
.gitlab/ci/build-inside-vm.sh:
Change assigning the readonly tmpdir variable directly to assigning it after declaring it.
Change `cleanup()` and `create_zsync_delta()` to use bash-style statements and also check whether SUDO_GID is set before
using it.
.gitlab/ci/build-host.sh:
Set shebang to /usr/bin/env bash to be more portable/flexible.
Turn all posix statements ([]) to bash style statements ([[]]), as we are using bash.
Terminate the list of parameters to rm or cp with --.
Replace the implementation of finding a local ISO to use with one that relies on a sorted list of potential images.
Use virtio-net-pci for networking with qemu.
Set the cow_spacesize to 4G for the archiso environment.
Use --needed in the call to pacman to not re-install already up-to-date targets.
Attempt a full system upgrade (but ignore the kernel).
Increase the timeout for when installing packages to the archiso environment using pacman to 120s, as a system upgrade
is being done as well.
Use systemctl poweroff -i to shut down the virtual machine as it is more future proof and robust.
.gitlab/ci/build-host.sh:
Add script to be run in a container with access to qemu.
It is a slight modification of arch-boxes' build-host.sh script to cater to the specific archiso requirements.
.gitlab/ci/build-inside-vm.sh:
Add script to be run in virtualized environment, established by build-host.sh.
This script builds the actual archiso profiles and creates checksums for the resulting image files.