diff options
| author | Ayush Ranjan <ayushranjan@google.com> | 2020-09-07 21:16:22 -0700 |
|---|---|---|
| committer | gVisor bot <gvisor-bot@google.com> | 2020-09-07 21:18:22 -0700 |
| commit | fada564c83b397d2e6c4213067ba3db2335445b4 (patch) | |
| tree | 156787d0b4f46b4c06e611ce5598d808a6499bf8 | |
| parent | 2202812e074afd4248b64c651b50fb743f3ea250 (diff) | |
Fix make_apt script.
This change makes the following fixes:
- When creating a test repo.key, create a secret keyring as other workflows
also use secret keyrings only.
- We should not be using both --keyring and --secret-keyring options. Just use
--secret-keyring.
- Pass homedir to all gpg commands. dpkg-sig takes an arg -g which stands for
gpgopts. So we need to pass the homedir there too.
PiperOrigin-RevId: 330443280
| -rw-r--r-- | Makefile | 4 | ||||
| -rwxr-xr-x | tools/make_apt.sh | 12 |
2 files changed, 9 insertions, 7 deletions
@@ -294,8 +294,8 @@ $(RELEASE_KEY): echo Name-Email: test@example.com >> $$C && \ echo Expire-Date: 0 >> $$C && \ echo %commit >> $$C && \ - gpg --batch $(GPG_TEST_OPTIONS) --passphrase '' --no-default-keyring --keyring $$T --no-tty --gen-key $$C && \ - gpg --batch $(GPG_TEST_OPTIONS) --export-secret-keys --no-default-keyring --keyring $$T --secret-keyring $$T > $@; \ + gpg --batch $(GPG_TEST_OPTIONS) --passphrase '' --no-default-keyring --secret-keyring $$T --no-tty --gen-key $$C && \ + gpg --batch $(GPG_TEST_OPTIONS) --export-secret-keys --no-default-keyring --secret-keyring $$T > $@; \ rc=$$?; rm -f $$T $$C; exit $$rc release: $(RELEASE_KEY) ## Builds a release. diff --git a/tools/make_apt.sh b/tools/make_apt.sh index fdc5e9192..13c5edd76 100755 --- a/tools/make_apt.sh +++ b/tools/make_apt.sh @@ -58,6 +58,7 @@ mkdir -p "${release}" # using the same key. This is a limitation in GnuPG pre-2.1. declare -r keyring=$(mktemp /tmp/keyringXXXXXX.gpg) declare -r homedir=$(mktemp -d /tmp/homedirXXXXXX) +declare -r gpg_opts=("--no-default-keyring" "--secret-keyring" "${keyring}" "--homedir" "${homedir}") cleanup() { rm -rf "${keyring}" "${homedir}" } @@ -67,8 +68,8 @@ trap cleanup EXIT # is not found. This isn't actually a failure for us, because we don't require # the public key (this may be stored separately). The second import will succeed # because, in reality, the first import succeeded and it's a no-op. -gpg --no-default-keyring --keyring "${keyring}" --homedir "${homedir}" --import "${private_key}" || \ - gpg --no-default-keyring --keyring "${keyring}" --homedir "${homedir}" --import "${private_key}" +gpg "${gpg_opts[@]}" --import "${private_key}" || \ + gpg "${gpg_opts[@]}" --import "${private_key}" # Copy the packages into the root. for pkg in "$@"; do @@ -103,7 +104,8 @@ for pkg in "$@"; do cp -a "${pkg}" "${target}" chmod 0644 "${target}" if [[ "${ext}" == "deb" ]]; then - dpkg-sig -g "--no-default-keyring --keyring ${keyring}" --sign builder "${target}" + # We use [*] here to expand the gpg_opts array into a single shell-word. + dpkg-sig -g "${gpg_opts[*]}" --sign builder "${target}" fi done @@ -138,5 +140,5 @@ rm "${release}"/apt.conf # Sign the release. declare -r digest_opts=("--digest-algo" "SHA512" "--cert-digest-algo" "SHA512") (cd "${release}" && rm -f Release.gpg InRelease) -(cd "${release}" && gpg --no-default-keyring --keyring "${keyring}" --clearsign "${digest_opts[@]}" -o InRelease Release) -(cd "${release}" && gpg --no-default-keyring --keyring "${keyring}" -abs "${digest_opts[@]}" -o Release.gpg Release) +(cd "${release}" && gpg "${gpg_opts[@]}" --clearsign "${digest_opts[@]}" -o InRelease Release) +(cd "${release}" && gpg "${gpg_opts[@]}" -abs "${digest_opts[@]}" -o Release.gpg Release) |