Hello community, here is the log from the commit of package mksusecd for openSUSE:Factory checked in at 2019-07-17 14:27:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mksusecd (Old) and /work/SRC/openSUSE:Factory/.mksusecd.new.1887 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mksusecd" Wed Jul 17 14:27:04 2019 rev:57 rq:715717 version:1.69 Changes: --------
--- /work/SRC/openSUSE:Factory/mksusecd/mksusecd.changes 2019-04-12 09:15:53.477731773 +0200
+++ /work/SRC/openSUSE:Factory/.mksusecd.new.1887/mksusecd.changes 2019-07-17 14:27:05.551376183 +0200
@@ -1,0 +2,8 @@
+Tue Jul 16 14:42:02 UTC 2019 - wfe...@opensuse.org
+
+- merge gh#openSUSE/mksusecd#42
+- embed gpg signature of checksum metadata into image (bsc#1139561)
+- make unsigned images the default
+- 1.69
+
+--------------------------------------------------------------------
Old: ---- mksusecd-1.68.tar.xz New: ---- mksusecd-1.69.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mksusecd.spec ++++++
--- /var/tmp/diff_new_pack.KGF6bY/_old 2019-07-17 14:27:06.019374729 +0200
+++ /var/tmp/diff_new_pack.KGF6bY/_new 2019-07-17 14:27:06.023374717 +0200
@@ -18,7 +18,7 @@
 Name: mksusecd
-Version: 1.68
+Version: 1.69
 Release: 0
 Summary: Tool to create SUSE Linux installation ISOs
 License: GPL-3.0+
++++++ mksusecd-1.68.tar.xz -> mksusecd-1.69.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.68/VERSION new/mksusecd-1.69/VERSION
--- old/mksusecd-1.68/VERSION 2019-04-11 15:53:46.000000000 +0200
+++ new/mksusecd-1.69/VERSION 2019-07-16 16:42:02.000000000 +0200
@@ -1 +1 @@
-1.68
+1.69
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.68/changelog new/mksusecd-1.69/changelog
--- old/mksusecd-1.68/changelog 2019-04-11 15:53:46.000000000 +0200
+++ new/mksusecd-1.69/changelog 2019-07-16 16:42:02.000000000 +0200
@@ -1,3 +1,8 @@
+2019-07-16: 1.69
+ - merge gh#openSUSE/mksusecd#42
+ - embed gpg signature of checksum metadata into image (bsc#1139561)
+ - make unsigned images the default
+
 2019-04-11: 1.68
 - merge gh#openSUSE/mksusecd#41
 - add --enable-repos option
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.68/mksusecd new/mksusecd-1.69/mksusecd
--- old/mksusecd-1.68/mksusecd 2019-04-11 15:53:46.000000000 +0200
+++ new/mksusecd-1.69/mksusecd 2019-07-16 16:42:02.000000000 +0200
@@ -238,6 +238,7 @@
 my $opt_loader;
 my $opt_sign = 1;
 my $opt_sign_key;
+my $opt_sign_image;
 my @opt_kernel_rpms;
 my @opt_kernel_modules;
 my $opt_arch;
@@ -278,6 +279,8 @@
 'no-digest' => sub { $opt_digest = undef },
 'sign' => \$opt_sign,
 'no-sign' => sub { $opt_sign = 0 },
+ 'sign-image' => \$opt_sign_image,
+ 'no-sign-image' => sub { $opt_sign_image = 0 },
 'sign-key=s' => \$opt_sign_key,
 'gpt' => sub { $opt_hybrid = 1; $opt_hybrid_gpt = 1 },
 'mbr' => sub { $opt_hybrid = 1; $opt_hybrid_mbr = 1 },
@@ -585,6 +588,14 @@
 print "calculating $opt_digest...";
 system "tagmedia $chk --digest '$opt_digest' --pad 150 '$iso_file' >/dev/null";
 print "\n";
+ if($opt_sign && $sign_key_dir && $opt_sign_image) {
+ system "tagmedia --export-tags $sign_key_dir/tags $iso_file >/dev/null 2>&1";
+ if(-s "$sign_key_dir/tags") {
+ print "signing $iso_file\n" if $opt_verbose >= 1;
+ system "gpg --homedir=$sign_key_dir --batch --yes --armor --detach-sign $sign_key_dir/tags";
+ system "tagmedia --import-signature $sign_key_dir/tags.asc $iso_file";
+ }
+ }
 }
 }
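Review bot: The two `system` calls that do the actual signing in the `@@ -585` hunk (the `gpg ... --detach-sign` line and the `tagmedia --import-signature` line) never check their exit status, so when gpg fails (no usable secret key under `$sign_key_dir`, or batch mode hitting a passphrase prompt) the import runs against a missing or stale `tags.asc` and mksusecd still finishes successfully, producing an image the user explicitly asked to have signed but which is not — and nothing tells them. The same lines interpolate `$iso_file` and `$sign_key_dir` into a shell string unquoted, while the `tagmedia --digest` call two lines above quotes `'$iso_file'`; an output path containing a space or shell metacharacter breaks the command or is interpreted by the shell. The `2>&1` on the `--export-tags` line also hides why an export failed, after which the `-s` test silently skips signing; I would switch to list-form `system`, die on non-zero status, and at least warn when there is nothing to sign. The enclosing block starts and ends outside the hunk. Separately, because the guard also requires `$opt_sign`, `--no-sign --sign-image` is silently a no-op, which deserves a warning in the option handling.
```perl
if($opt_sign && $sign_key_dir && $opt_sign_image) {
  # keep stderr: a failing export must not look like "nothing to sign"
  system "tagmedia --export-tags '$sign_key_dir/tags' '$iso_file' >/dev/null";
  if(-s "$sign_key_dir/tags") {
    print "signing $iso_file\n" if $opt_verbose >= 1;
    # list form: no shell, so the paths reach gpg/tagmedia verbatim
    system("gpg", "--homedir=$sign_key_dir", "--batch", "--yes", "--armor", "--detach-sign", "$sign_key_dir/tags") == 0
      or die "gpg: signing $sign_key_dir/tags failed\n";
    system("tagmedia", "--import-signature", "$sign_key_dir/tags.asc", $iso_file) == 0
      or die "tagmedia: importing signature into $iso_file failed\n";
  }
  else {
    warn "$iso_file: no checksum metadata exported, image not signed\n";
  }
}
```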
@@ -625,6 +636,8 @@ --sign Re-sign '/content' if it has changed. The public part of the sign key is added to the initrd. (default) --no-sign Don't re-sign '/content'. + --sign-image Embed signature for whole image. See Signing notes. + --no-sign-image Don't embed signature for whole image. (default) --sign-key KEY_FILE Use this key instead of generating a transient key. See Signing notes below. --gpt Add GPT when in isohybrid mode. @@ -784,7 +797,17 @@ must point to a private key file. If there's no 'sign-key' option, a transient key is created. The public - part is added to the initrd and the key is deleted. + part is added to the initrd and the root directory of the image and the + key is deleted. + + The key file is named 'gpg-pubkey-xxxxxxxx-xxxxxxxx.asc'. + + mksusecd can also embed a signature of the checksum metadata into the image. + This can be used by the checkmedia tool to verify the integrity of the + image. + + As older versions (checkmedia < version 4.2) cannot handle this, it is not + the default and you have to explicitly request it with '--sign-image'. Add-on notes: @@ -3313,9 +3336,15 @@ system "cp $sign_key_pub $tmp_dir/usr/lib/rpm/gnupg/keys"; } - print "signing key added to initrd\n" if $opt_verbose >= 1; - push @opt_initrds, $tmp_dir; + + my $name = $sign_key_pub; + $name =~ s#.*/##; + + my $k = copy_or_new_file "$name"; + system "cp $sign_key_pub $k"; + + print "signing key added to image and initrd\n" if $opt_verbose >= 1; }
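Review bot: The added "Signing notes" paragraph in the `@@ -784` hunk says the embedded signature lets checkmedia "verify the integrity of the image" but not what it cannot prove: with the default transient key, the public key that verifies the signature is shipped in the image root itself (the `gpg-pubkey-xxxxxxxx-xxxxxxxx.asc` file the same hunk describes), so anyone able to alter the image can re-sign it with a key of their own and the check still passes — the signature then guards against corruption, not tampering. Only when `--sign-key` is used and the verifier obtains that public key out of band does the check say anything about origin. I would add after the "verify the integrity" sentence: `Note that with a transient key the verifying key travels inside the image, so the signature proves integrity, not origin; use '--sign-key' and distribute the public key separately if authenticity matters.` Whether checkmedia pins trusted keys by some other means is not visible here and would change this wording.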
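Review bot: `system "cp $sign_key_pub $k";` on the new side of the `@@ -3313` hunk ignores the copy's exit status, so if the copy into the image root fails the verbose message `signing key added to image and initrd` is printed anyway and the image ships without the key the Signing notes now promise at its root. The paths are also interpolated into a shell string; `$sign_key_pub` presumably derives from a user-supplied `--sign-key` path or a generated temporary one, so the list form is the safer habit either way. I would write `system("cp", $sign_key_pub, $k) == 0 or die "$sign_key_pub: cannot copy to image root\n";`. What `copy_or_new_file` returns is not visible in the hunk, and the enclosing function starts and ends outside it.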