[linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.


[linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.

Dimitri John Ledkov
As per apt-key manpage one can ship armored keys with .asc extension
since apt 1.4 (bionic and up). For prior releases, gpg1 exported
binary .gpg keys are supported. No need to install gnupg, run
gnupg-agent, or execute apt-key.

Signed-off-by: Dimitri John Ledkov <[hidden email]>
---
 Sample build with this change in place is shown at:
 https://launchpad.net/~xnox/+snap/pc-kernel-bionic/+build/633218

 Makefile | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/Makefile b/Makefile
index b2c5ea5..00d3b25 100644
--- a/Makefile
+++ b/Makefile
@@ -93,14 +93,7 @@ all:
 
  # Enable ppa:snappy-dev/image inside of the chroot and add the PPA's
  # public signing key to apt:
- # - gnugpg is required by apt-key
- # - gnugpg 2.x requires gpg-agent to be running
- # - procfs must be bind-mounted for gpg-agent
- # - running apt-key as a child process of gpg-agent --daemon stops the
- #   agent shortly after apt-key executes
- $(ENV) chroot chroot apt-get -y install gnupg
- mkdir --mode=0600 chroot/tmp/gnupg-home
- cat snappy-dev-image.asc | $(ENV) chroot chroot gpg-agent --homedir /tmp/gnupg-home --daemon apt-key add -
+ cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/
  # Copy in the sources.list just before modifying it (on build envs this already
  # seems to be present, otherwise those would not fail).
  cp /etc/apt/sources.list chroot/etc/apt/sources.list
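
Review bot: The added `cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/` line leaves the installed key's mode to the build user's umask and to whatever mode the file has in the checkout. apt reads the keyrings in trusted.gpg.d as the unprivileged `_apt` user and ignores a file it cannot read, so under a restrictive umask the PPA would fail verification later in the build with no error at this step. Consider `install -m 0644 snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/` so the mode is explicit.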
--
2.20.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
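
The commit message above relies on two format rules for trusted.gpg.d (armored keys as `.asc` from apt 1.4, binary keys as `.gpg`). A pre-flight check for a key file before it is copied there, as an added example that is not part of the patch or the linux-snap tree; the function name `check_apt_key` and its verdict strings are illustrative, and the keybox test assumes the GnuPG 2 keybox magic `KBXf` at byte offset 8:

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a key file
# destined for /etc/apt/trusted.gpg.d/. Names and verdicts are illustrative.

ARMOR_HDR='-----BEGIN PGP PUBLIC KEY BLOCK-----'   # 36 bytes

# check_apt_key FILE -> prints a verdict; returns 0 only for "ok"
check_apt_key() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }

    # apt reads keyrings as the unprivileged _apt user: require other-read.
    perms=$(ls -ln "$f" | cut -c1-10)
    case $perms in
        ???????r??) ;;
        *) echo "not-world-readable"; return 1 ;;
    esac

    # Sniff the content; NUL bytes are dropped so binary data is safe to hold.
    first=$(head -c 36 "$f" | tr -d '\000')
    magic=$(dd if="$f" bs=1 skip=8 count=4 2>/dev/null | tr -d '\000')
    if [ "$first" = "$ARMOR_HDR" ]; then armored=yes; else armored=no; fi

    # The extension must match the content, otherwise apt skips the file.
    case $f in
        *.asc)  # armored keys: apt 1.4 and later only
            [ "$armored" = yes ] || { echo "asc-not-armored"; return 1; } ;;
        *.gpg)  # binary OpenPGP packets; a gpg2 keybox is not accepted
            [ "$armored" = no ] || { echo "gpg-is-armored"; return 1; }
            [ "$magic" != KBXf ] || { echo "gpg-is-keybox"; return 1; } ;;
        *)
            echo "ignored-extension"; return 1 ;;
    esac
    echo "ok"
}

# Stand-alone use: sh check.sh snappy-dev-image.asc
if [ "$#" -gt 0 ]; then check_apt_key "$1"; fi
```
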

NACK: [linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.

Stefan Bader-2
On 01.08.19 05:01, Dimitri John Ledkov wrote:
> As per apt-key manpage one can ship armored keys with .asc extension
> since apt 1.4 (bionic and up). For prior releases, gpg1 exported
> binary .gpg keys are supported. No need to install gnupg, run
> gnupg-agent, or execute apt-key.
>
> Signed-off-by: Dimitri John Ledkov <[hidden email]>
> ---

Though maybe more complicated than it needs to be, why change a running system?
If we remember till then, this is something for doing better in core20.

-Stefan

>  Sample build with this change in place is shown at:
>  https://launchpad.net/~xnox/+snap/pc-kernel-bionic/+build/633218
>
>  Makefile | 9 +--------
>  1 file changed, 1 insertion(+), 8 deletions(-)
>
> diff --git a/Makefile b/Makefile
> index b2c5ea5..00d3b25 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -93,14 +93,7 @@ all:
>  
>   # Enable ppa:snappy-dev/image inside of the chroot and add the PPA's
>   # public signing key to apt:
> - # - gnugpg is required by apt-key
> - # - gnugpg 2.x requires gpg-agent to be running
> - # - procfs must be bind-mounted for gpg-agent
> - # - running apt-key as a child process of gpg-agent --daemon stops the
> - #   agent shortly after apt-key executes
> - $(ENV) chroot chroot apt-get -y install gnupg
> - mkdir --mode=0600 chroot/tmp/gnupg-home
> - cat snappy-dev-image.asc | $(ENV) chroot chroot gpg-agent --homedir /tmp/gnupg-home --daemon apt-key add -
> + cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/
>   # Copy in the sources.list just before modifying it (on build envs this already
>   # seems to be present, otherwise those would not fail).
>   cp /etc/apt/sources.list chroot/etc/apt/sources.list
>
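
Review bot: The five removed comment lines were the only record of why this step looked the way it did, and the single `cp` line that replaces them carries no note of its own precondition. The commit message says `.asc` files in trusted.gpg.d are honoured only from apt 1.4 (bionic and up); a one-line comment to that effect above the `cp` would keep the line from being copied unchanged into a build for an older series, where a binary `.gpg` key is needed instead. The removed bullet "procfs must be bind-mounted for gpg-agent" also suggests a mount outside this hunk; if it exists only for gpg-agent, it can be dropped in the same change.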



Re: NACK: [linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.

Dimitri John Ledkov
On Mon, 12 Aug 2019 at 14:05, Stefan Bader <[hidden email]> wrote:

>
> On 01.08.19 05:01, Dimitri John Ledkov wrote:
> > As per apt-key manpage one can ship armored keys with .asc extension
> > since apt 1.4 (bionic and up). For prior releases, gpg1 exported
> > binary .gpg keys are supported. No need to install gnupg, run
> > gnupg-agent, or execute apt-key.
> >
> > Signed-off-by: Dimitri John Ledkov <[hidden email]>
> > ---
>
> Though maybe more complicated than it needs to be, why change a running system?
> If we remember till then, this is something for doing better in core20
>

because installing and removing packages clobbers things.

It also shows lack of knowledge of apt snippets support which has been
around since xenial, and it means this will be copied over again
elsewhere.

This should not have been done like this in the first place, and is
poor engineering.


> -Stefan
>
> >  Sample build with this change in place is shown at:
> >  https://launchpad.net/~xnox/+snap/pc-kernel-bionic/+build/633218
> >
> >  Makefile | 9 +--------
> >  1 file changed, 1 insertion(+), 8 deletions(-)
> >
> > diff --git a/Makefile b/Makefile
> > index b2c5ea5..00d3b25 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -93,14 +93,7 @@ all:
> >
> >       # Enable ppa:snappy-dev/image inside of the chroot and add the PPA's
> >       # public signing key to apt:
> > -     # - gnugpg is required by apt-key
> > -     # - gnugpg 2.x requires gpg-agent to be running
> > -     # - procfs must be bind-mounted for gpg-agent
> > -     # - running apt-key as a child process of gpg-agent --daemon stops the
> > -     #   agent shortly after apt-key executes
> > -     $(ENV) chroot chroot apt-get -y install gnupg
> > -     mkdir --mode=0600 chroot/tmp/gnupg-home
> > -     cat snappy-dev-image.asc | $(ENV) chroot chroot gpg-agent --homedir /tmp/gnupg-home --daemon apt-key add -
> > +     cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/
> >       # Copy in the sources.list just before modifying it (on build envs this already
> >       # seems to be present, otherwise those would not fail).
> >       cp /etc/apt/sources.list chroot/etc/apt/sources.list
> >
>
>


--
Regards,

Dimitri.


Re: NACK: [linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.

Dimitri John Ledkov
In reply to this post by Stefan Bader-2
On Mon, 12 Aug 2019 at 14:05, Stefan Bader <[hidden email]> wrote:
>
> If we remember till then, this is something for doing better in core20
>

Speaking of core20, where are the unstable repos for all kernel snaps
building out of $devel series?

I do not see any repositories but bionic, hence targeted the only
place that appears to accept commits for linux-snap....

> >  Sample build with this change in place is shown at:
> >  https://launchpad.net/~xnox/+snap/pc-kernel-bionic/+build/633218
> >
> >  Makefile | 9 +--------
> >  1 file changed, 1 insertion(+), 8 deletions(-)
> >
> > diff --git a/Makefile b/Makefile
> > index b2c5ea5..00d3b25 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -93,14 +93,7 @@ all:
> >
> >       # Enable ppa:snappy-dev/image inside of the chroot and add the PPA's
> >       # public signing key to apt:
> > -     # - gnugpg is required by apt-key
> > -     # - gnugpg 2.x requires gpg-agent to be running
> > -     # - procfs must be bind-mounted for gpg-agent
> > -     # - running apt-key as a child process of gpg-agent --daemon stops the
> > -     #   agent shortly after apt-key executes
> > -     $(ENV) chroot chroot apt-get -y install gnupg
> > -     mkdir --mode=0600 chroot/tmp/gnupg-home
> > -     cat snappy-dev-image.asc | $(ENV) chroot chroot gpg-agent --homedir /tmp/gnupg-home --daemon apt-key add -
> > +     cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/
> >       # Copy in the sources.list just before modifying it (on build envs this already
> >       # seems to be present, otherwise those would not fail).
> >       cp /etc/apt/sources.list chroot/etc/apt/sources.list
> >
>
>


--
Regards,

Dimitri.


Re: NACK: [linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.

Andy Whitcroft-3
On Tue, Aug 13, 2019 at 01:56:33PM +0100, Dimitri John Ledkov wrote:

> On Mon, 12 Aug 2019 at 14:05, Stefan Bader <[hidden email]> wrote:
> >
> > If we remember till then, this is something for doing better in core20
> >
>
> Speaking of core20, where are the unstable repos for all kernel snaps
> building out of $devel series?
>
> I do not see any repositories but bionic, hence targeted the only
> place that appears to accept commits for linux-snap....

So far we do not.  Until very recently we have had nowhere to publish them
even if we wanted to.  In principle since the uc18 case was made to not
have separate store 'sections' and to use tracks instead it might well
be possible to grovel for more tracks to publish something like this to.
But we currently do not do so.

-apw
