Hello community,

here is the log from the commit of package mksusecd for openSUSE:Factory 
checked in at 2019-07-17 14:27:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mksusecd (Old)
 and      /work/SRC/openSUSE:Factory/.mksusecd.new.1887 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mksusecd"

Wed Jul 17 14:27:04 2019 rev:57 rq:715717 version:1.69

Changes:
--------
--- /work/SRC/openSUSE:Factory/mksusecd/mksusecd.changes        2019-04-12 
09:15:53.477731773 +0200
+++ /work/SRC/openSUSE:Factory/.mksusecd.new.1887/mksusecd.changes      
2019-07-17 14:27:05.551376183 +0200
@@ -1,0 +2,8 @@
+Tue Jul 16 14:42:02 UTC 2019 - wfe...@opensuse.org
+
+- merge gh#openSUSE/mksusecd#42
+- embed gpg signature of checksum metadata into image (bsc#1139561)
+- make unsigned images the default
+- 1.69
+
+--------------------------------------------------------------------

Old:
----
  mksusecd-1.68.tar.xz

New:
----
  mksusecd-1.69.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mksusecd.spec ++++++
--- /var/tmp/diff_new_pack.KGF6bY/_old  2019-07-17 14:27:06.019374729 +0200
+++ /var/tmp/diff_new_pack.KGF6bY/_new  2019-07-17 14:27:06.023374717 +0200
@@ -18,7 +18,7 @@
 
 
 Name:           mksusecd
-Version:        1.68
+Version:        1.69
 Release:        0
 Summary:        Tool to create SUSE Linux installation ISOs
 License:        GPL-3.0+

++++++ mksusecd-1.68.tar.xz -> mksusecd-1.69.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mksusecd-1.68/VERSION new/mksusecd-1.69/VERSION
--- old/mksusecd-1.68/VERSION   2019-04-11 15:53:46.000000000 +0200
+++ new/mksusecd-1.69/VERSION   2019-07-16 16:42:02.000000000 +0200
@@ -1 +1 @@
-1.68
+1.69
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mksusecd-1.68/changelog new/mksusecd-1.69/changelog
--- old/mksusecd-1.68/changelog 2019-04-11 15:53:46.000000000 +0200
+++ new/mksusecd-1.69/changelog 2019-07-16 16:42:02.000000000 +0200
@@ -1,3 +1,8 @@
+2019-07-16:    1.69
+       - merge gh#openSUSE/mksusecd#42
+       - embed gpg signature of checksum metadata into image (bsc#1139561)
+       - make unsigned images the default
+
 2019-04-11:    1.68
        - merge gh#openSUSE/mksusecd#41
        - add --enable-repos option
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mksusecd-1.68/mksusecd new/mksusecd-1.69/mksusecd
--- old/mksusecd-1.68/mksusecd  2019-04-11 15:53:46.000000000 +0200
+++ new/mksusecd-1.69/mksusecd  2019-07-16 16:42:02.000000000 +0200
@@ -238,6 +238,7 @@
 my $opt_loader;
 my $opt_sign = 1;
 my $opt_sign_key;
+my $opt_sign_image;
 my @opt_kernel_rpms;
 my @opt_kernel_modules;
 my $opt_arch;
@@ -278,6 +279,8 @@
   'no-digest'        => sub { $opt_digest = undef },
   'sign'             => \$opt_sign,
   'no-sign'          => sub { $opt_sign = 0 },
+  'sign-image'       => \$opt_sign_image,
+  'no-sign-image'    => sub { $opt_sign_image = 0 },
   'sign-key=s'       => \$opt_sign_key,
   'gpt'              => sub { $opt_hybrid = 1; $opt_hybrid_gpt = 1 },
   'mbr'              => sub { $opt_hybrid = 1; $opt_hybrid_mbr = 1 },
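Review bot: `--sign-image` together with `--no-sign` is accepted here without complaint, but the signing block added later in this commit only runs when `$opt_sign && $sign_key_dir && $opt_sign_image` holds, so the request is dropped silently and the image is written without the embedded signature. A check after option parsing would make that visible, for example `die "--sign-image requires --sign\n" if $opt_sign_image && !$opt_sign;`. The option table starts and ends outside this hunk, so the right place for the check cannot be seen from here.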
@@ -585,6 +588,14 @@
     print "calculating $opt_digest...";
     system "tagmedia $chk --digest '$opt_digest' --pad 150 '$iso_file' 
>/dev/null";
     print "\n";
+    if($opt_sign && $sign_key_dir && $opt_sign_image) {
+      system "tagmedia --export-tags $sign_key_dir/tags $iso_file >/dev/null 
2>&1";
+      if(-s "$sign_key_dir/tags") {
+        print "signing $iso_file\n" if $opt_verbose >= 1;
+        system "gpg --homedir=$sign_key_dir --batch --yes --armor 
--detach-sign $sign_key_dir/tags";
+        system "tagmedia --import-signature $sign_key_dir/tags.asc $iso_file";
+      }
+    }
   }
 }
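Review bot: The three added `system` calls interpolate `$iso_file` and `$sign_key_dir` into a shell command line unquoted and ignore the exit status, so a path with spaces or shell metacharacters is misparsed, and a failed `gpg` or `tagmedia --import-signature` leaves the image without its signature while the run still looks successful. The context line just above already quotes `'$iso_file'`; the `--export-tags` call should at least do the same, and its silent fallthrough on an empty tags file looks deliberate, so it can stay best-effort. For the signing and import steps, the list form of `system` avoids the shell entirely and lets the result be checked, as sketched below. The enclosing block starts outside the hunk, so the script's usual error convention (`die` versus a warning) is not visible here.

```perl
    if($opt_sign && $sign_key_dir && $opt_sign_image) {
      # … unchanged: tagmedia --export-tags call …
      if(-s "$sign_key_dir/tags") {
        print "signing $iso_file\n" if $opt_verbose >= 1;
        # list form: no shell involved, and a failure stops the run
        system("gpg", "--homedir=$sign_key_dir", "--batch", "--yes", "--armor",
          "--detach-sign", "$sign_key_dir/tags") == 0
          or die "gpg failed to sign $sign_key_dir/tags\n";
        system("tagmedia", "--import-signature", "$sign_key_dir/tags.asc", $iso_file) == 0
          or die "tagmedia failed to import signature into $iso_file\n";
      }
    }
```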
 
@@ -625,6 +636,8 @@
       --sign                    Re-sign '/content' if it has changed. The 
public part of
                                 the sign key is added to the initrd. (default)
       --no-sign                 Don't re-sign '/content'.
+      --sign-image              Embed signature for whole image. See Signing 
notes.
+      --no-sign-image           Don't embed signature for whole image. 
(default)
       --sign-key KEY_FILE       Use this key instead of generating a transient 
key.
                                 See Signing notes below.
       --gpt                     Add GPT when in isohybrid mode.
@@ -784,7 +797,17 @@
   must point to a private key file.
 
   If there's no 'sign-key' option, a transient key is created. The public
-  part is added to the initrd and the key is deleted.
+  part is added to the initrd and the root directory of the image and the
+  key is deleted.
+  
+  The key file is named 'gpg-pubkey-xxxxxxxx-xxxxxxxx.asc'.
+
+  mksusecd can also embed a signature of the checksum metadata into the image.
+  This can be used by the checkmedia tool to verify the integrity of the
+  image.
+
+  As older versions (checkmedia < version 4.2) cannot handle this, it is not
+  the default and you have to explicitly request it with '--sign-image'.
 
 Add-on notes:
 
@@ -3313,9 +3336,15 @@
     system "cp $sign_key_pub $tmp_dir/usr/lib/rpm/gnupg/keys";
   }
 
-  print "signing key added to initrd\n" if $opt_verbose >= 1;
-
   push @opt_initrds, $tmp_dir;
+
+  my $name = $sign_key_pub;
+  $name =~ s#.*/##;
+
+  my $k = copy_or_new_file "$name";
+  system "cp $sign_key_pub $k";
+
+  print "signing key added to image and initrd\n" if $opt_verbose >= 1;
 }
 
 
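Review bot: `system "cp $sign_key_pub $k"` passes both paths through the shell unquoted and never checks the result, so the message "signing key added to image and initrd" is printed even when the copy failed and the public key is missing from the image root. `$sign_key_pub` presumably derives from the `--sign-key KEY_FILE` argument in some runs, which makes the unquoted interpolation more than cosmetic. The list form avoids the shell and surfaces the failure: `system("cp", $sign_key_pub, $k) == 0 or die "cannot copy $sign_key_pub to $k\n";`. The quotes in `copy_or_new_file "$name"` are also unnecessary. The enclosing sub starts outside the hunk, and the older `cp` into `usr/lib/rpm/gnupg/keys` on the context line has the same pattern.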

