Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring...
authorDaniel Baumann <daniel@debian.org>
Sun, 27 Jan 2013 10:16:25 +0000 (11:16 +0100)
committerDaniel Baumann <daniel@debian.org>
Fri, 8 Feb 2013 20:40:27 +0000 (21:40 +0100)
debian/control
scripts/build/bootstrap
scripts/build/bootstrap_archive-keys [new file with mode: 0755]
scripts/build/chroot_archives

index fc32657..d057ace 100644 (file)
@@ -16,8 +16,8 @@ Recommends:
  live-boot-doc, live-config-doc, live-manual-html | live-manual, cpio,
  gnu-fdisk
 Suggests:
- dosfstools, xorriso, git, loadlin, memtest86+ | memtest86, mtools, parted,
- squashfs-tools | mtd-tools, sudo | fakeroot, syslinux | grub,
+ dosfstools, debian-keyring, xorriso, git, gpgv, loadlin, memtest86+ | memtest86,
mtools, parted, squashfs-tools | mtd-tools, sudo | fakeroot, syslinux | grub,
  uuid-runtime, win32-loader
 Description: Live System Build Scripts
  live-build contains the scripts that build a live system from a configuration
index ba4f103..337e5cf 100755 (executable)
@@ -38,6 +38,7 @@ Setup_cleanup
 lb bootstrap_cache restore ${@}
 lb bootstrap_cdebootstrap ${@}
 lb bootstrap_debootstrap ${@}
+lb bootstrap_archive-keys ${@}
 lb bootstrap_cache save ${@}
 
 # Temporary hack for base-files wrt/ plymouth
diff --git a/scripts/build/bootstrap_archive-keys b/scripts/build/bootstrap_archive-keys
new file mode 100755 (executable)
index 0000000..2dc94b2
--- /dev/null
@@ -0,0 +1,77 @@
+#!/bin/sh
+
+## live-build(7) - System Build Scripts
+## Copyright (C) 2006-2013 Daniel Baumann <daniel@debian.org>
+##
+## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
+## This is free software, and you are welcome to redistribute it
+## under certain conditions; see COPYING for details.
+
+
+set -e
+
+# Including common functions
+[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh
+
+# Setting static variables
+DESCRIPTION="$(Echo 'bootstrap non-Debian archive-signing-keys')"
+HELP=""
+USAGE="${PROGRAM} [--force]"
+
+Arguments "${@}"
+
+# Reading configuration files
+Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
+Set_defaults
+
+# TODO: allow verification against user-specified keyring
+# For now, we'll only validate against debian-keyring
+
+# TODO2: use chrooted validation rather than host system based one
+
+case "${LB_MODE}" in
+       progress-linux)
+               case "${LB_DISTRIBUTION}" in
+                       artax*)
+                               _KEYS="1.0-artax 1.0-artax-packages"
+                               ;;
+
+                       baureo*)
+                               _KEYS="2.0-baureo 2.0-baureo-packages"
+                               ;;
+
+                       chairon*)
+                               _KEYS="3.0-chairon 3.0-chairon-packages"
+                               ;;
+               esac
+
+               _URL="${LB_MIRROR_CHROOT}/project/keys"
+               ;;
+esac
+
+for _KEY in ${_KEYS}
+do
+       Echo_message "Fetching archive-key ${_KEY}..."
+
+       wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
+       wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig
+
+       if [ -e /usr/bin/gpgv ] && [ -e /usr/share/keyrings/debian-keyring.gpg ]
+       then
+               Echo_message "Verifying archive-key ${_KEY} against debian-keyring..."
+
+               /usr/bin/gpgv --quiet --keyring /usr/share/keyrings/debian-keyring.gpg chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 || { Echo_error "archive-key ${_KEY} has invalid signature."; return 1;}
+       else
+               Echo_warning "Skipping archive-key ${_KEY} verification, either gpgv or debian-keyring not available on host system..."
+       fi
+
+       Echo_message "Importing archive-key ${_KEY}..."
+
+       Chroot chroot "apt-key add key.asc"
+       rm -f chroot/key.asc chroot/key.asc.sig
+done
+
+Chroot chroot "apt-get update"
+
+# Creating stage file
+Create_stagefile .build/bootstrap_archive-keys
index 2e02c54..06e16fb 100755 (executable)
@@ -554,13 +554,7 @@ EOF
                        # Installing keyring packages
                        if [ -n "${LB_KEYRING_PACKAGES}" ]
                        then
-                               if [ "${LB_DERIVATIVE}" = "true" ]
-                               then
-                                       # Temporary hack (FIXME)
-                                       Chroot chroot "apt-get ${APT_OPTIONS} --force-yes install ${LB_KEYRING_PACKAGES}"
-                               else
-                                       Apt chroot "install ${LB_KEYRING_PACKAGES}"
-                               fi
+                               Apt chroot "install ${LB_KEYRING_PACKAGES}"
                        fi
 
                        rm -rf chroot/var/cache/apt/*.bin