From 8cc08418d7e1fc55a04abfd8f51a359332ed21a0 Mon Sep 17 00:00:00 2001 From: Matthew Thode Date: Mon, 24 Aug 2020 19:55:01 -0500 Subject: [PATCH] Copy apt gpg keys directly into trusted.gpg.d This avoids having to have gnupg2/apt-key dependencies in the base, and is now well supported by modern Debuntu. Signed-off-by: Matthew Thode Change-Id: I7065b2fab6125d9635ef99ff65d374b8b6b4c3a2 --- .../dpkg/environment.d/10-debian-minimal.bash | 1 + .../dpkg/extra-data.d/01-copy-apt-keys | 39 ------------------- .../dpkg/pre-install.d/02-add-apt-keys | 37 ------------------ .../elements/dpkg/root.d/09-apt-keyring | 28 +++++++++++++ .../dpkg-copy-keys-578e16f7fedd823b.yaml | 6 +++ 5 files changed, 35 insertions(+), 76 deletions(-) create mode 100644 diskimage_builder/elements/dpkg/environment.d/10-debian-minimal.bash delete mode 100755 diskimage_builder/elements/dpkg/extra-data.d/01-copy-apt-keys delete mode 100755 diskimage_builder/elements/dpkg/pre-install.d/02-add-apt-keys create mode 100755 diskimage_builder/elements/dpkg/root.d/09-apt-keyring create mode 100644 releasenotes/notes/dpkg-copy-keys-578e16f7fedd823b.yaml diff --git a/diskimage_builder/elements/dpkg/environment.d/10-debian-minimal.bash b/diskimage_builder/elements/dpkg/environment.d/10-debian-minimal.bash new file mode 100644 index 000000000..3e595476e --- /dev/null +++ b/diskimage_builder/elements/dpkg/environment.d/10-debian-minimal.bash @@ -0,0 +1 @@ +export DIB_ADD_APT_KEYS=${DIB_ADD_APT_KEYS:-""} diff --git a/diskimage_builder/elements/dpkg/extra-data.d/01-copy-apt-keys b/diskimage_builder/elements/dpkg/extra-data.d/01-copy-apt-keys deleted file mode 100755 index 52f4ff790..000000000 --- a/diskimage_builder/elements/dpkg/extra-data.d/01-copy-apt-keys +++ /dev/null @@ -1,39 +0,0 @@ -#!/bin/bash -# -# Copyright 2014 Hewlett-Packard Development Company, L.P. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then - set -x -fi -set -eu -set -o pipefail - -DIB_ADD_APT_KEYS=${DIB_ADD_APT_KEYS:-""} -if [ -z "${DIB_ADD_APT_KEYS}" ]; then - echo "DIB_ADD_APT_KEYS is not set - not importing keys" - exit 0 -fi - -DIR=${TMP_MOUNT_PATH}/tmp/apt_keys -if [ -e ${DIR} ]; then - echo "${DIR} already exists!" - exit 1 -fi -sudo mkdir -p ${DIR} # dib-lint: safe_sudo - -# Copy to DIR -for KEY in $(find ${DIB_ADD_APT_KEYS} -type f); do - sudo cp -L ${KEY} ${DIR} # dib-lint: safe_sudo -done diff --git a/diskimage_builder/elements/dpkg/pre-install.d/02-add-apt-keys b/diskimage_builder/elements/dpkg/pre-install.d/02-add-apt-keys deleted file mode 100755 index a60f4c0ff..000000000 --- a/diskimage_builder/elements/dpkg/pre-install.d/02-add-apt-keys +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/bash -# -# Copyright 2014 Hewlett-Packard Development Company, L.P. -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. - -if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then - set -x -fi -set -eu -set -o pipefail - -KEY_DIRECTORY=/tmp/apt_keys -if [ ! -d "${KEY_DIRECTORY}" ]; then - exit 0 -fi - -for KEY in ${KEY_DIRECTORY}/*; do - if ! file -b "${KEY}" | grep -qE '(PGP public key block|GPG key public ring)'; then - echo "Skipping ${KEY}, not a valid GPG public key" - continue - fi - - apt-key add ${KEY} -done - -apt-get -y update diff --git a/diskimage_builder/elements/dpkg/root.d/09-apt-keyring b/diskimage_builder/elements/dpkg/root.d/09-apt-keyring new file mode 100755 index 000000000..3f545ac03 --- /dev/null +++ b/diskimage_builder/elements/dpkg/root.d/09-apt-keyring @@ -0,0 +1,28 @@ +#!/bin/bash +# Copyright (c) 2020 Matthew Thode (mthode@mthode.org) +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# +# See the License for the specific language governing permissions and +# limitations under the License. + +# dib-lint: disable=safe_sudo + +if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then + set -x +fi +set -eu +set -o pipefail + +if [ -n "${DIB_ADD_APT_KEYS}" ]; then + find "${DIB_ADD_APT_KEYS}" -type f -exec sudo cp -L {} "${TARGET_ROOT}/etc/apt/trusted.gpg.d/" \; +fi diff --git a/releasenotes/notes/dpkg-copy-keys-578e16f7fedd823b.yaml b/releasenotes/notes/dpkg-copy-keys-578e16f7fedd823b.yaml new file mode 100644 index 000000000..1c9cbbc3b --- /dev/null +++ b/releasenotes/notes/dpkg-copy-keys-578e16f7fedd823b.yaml @@ -0,0 +1,6 @@ +--- +upgrade: + - | + The ``DIB_ADD_APT_KEYS`` argument now copies keys into + ``/etc/apt/trusted.gpg.d``, rather than using ``apt-key`` to add + them.