Hello community, here is the log from the commit of package mksusecd for openSUSE:Factory checked in at 2020-06-25 15:08:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mksusecd (Old) and /work/SRC/openSUSE:Factory/.mksusecd.new.3060 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mksusecd" Thu Jun 25 15:08:09 2020 rev:62 rq:816868 version:1.74 Changes: --------
--- /work/SRC/openSUSE:Factory/mksusecd/mksusecd.changes 2020-06-23 21:07:56.286490371 +0200
+++ /work/SRC/openSUSE:Factory/.mksusecd.new.3060/mksusecd.changes 2020-06-25 15:09:16.189712028 +0200
@@ -1,0 +2,7 @@
+Wed Jun 24 16:05:31 UTC 2020 - wfe...@opensuse.org
+
+- merge gh#openSUSE/mksusecd#49
+- add --sign-key-id option to allow specifying a gpg signing key by id
+- 1.74
+
+--------------------------------------------------------------------
Old: ---- mksusecd-1.73.tar.xz New: ---- mksusecd-1.74.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mksusecd.spec ++++++
--- /var/tmp/diff_new_pack.RW3DeI/_old 2020-06-25 15:09:18.325718731 +0200
+++ /var/tmp/diff_new_pack.RW3DeI/_new 2020-06-25 15:09:18.329718744 +0200
@@ -18,7 +18,7 @@
 Name: mksusecd
-Version: 1.73
+Version: 1.74
 Release: 0
 Summary: Tool to create SUSE Linux installation ISOs
 License: GPL-3.0+
++++++ mksusecd-1.73.tar.xz -> mksusecd-1.74.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.73/VERSION new/mksusecd-1.74/VERSION
--- old/mksusecd-1.73/VERSION 2020-06-23 15:32:51.000000000 +0200
+++ new/mksusecd-1.74/VERSION 2020-06-24 18:05:31.000000000 +0200
@@ -1 +1 @@
-1.73
+1.74
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.73/changelog new/mksusecd-1.74/changelog
--- old/mksusecd-1.73/changelog 2020-06-23 15:32:51.000000000 +0200
+++ new/mksusecd-1.74/changelog 2020-06-24 18:05:31.000000000 +0200
@@ -1,3 +1,7 @@
+2020-06-24: 1.74
+ - merge gh#openSUSE/mksusecd#49
+ - add --sign-key-id option to allow specifying a gpg signing key by id
+
 2020-06-23: 1.73
 - merge gh#openSUSE/mksusecd#48
 - do not include excluded products (bsc#1173263)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.73/mksusecd new/mksusecd-1.74/mksusecd
--- old/mksusecd-1.73/mksusecd 2020-06-23 15:32:51.000000000 +0200
+++ new/mksusecd-1.74/mksusecd 2020-06-24 18:05:31.000000000 +0200
@@ -238,6 +238,7 @@
 my $opt_loader;
 my $opt_sign = 1;
 my $opt_sign_key;
+my $opt_sign_key_id;
 my $opt_sign_image;
 my @opt_kernel_rpms;
 my @opt_kernel_modules;
@@ -282,6 +283,7 @@
 'sign-image' => \$opt_sign_image,
 'no-sign-image' => sub { $opt_sign_image = 0 },
 'sign-key=s' => \$opt_sign_key,
+ 'sign-key-id=s' => \$opt_sign_key_id,
 'gpt' => sub { $opt_hybrid = 1; $opt_hybrid_gpt = 1 },
 'mbr' => sub { $opt_hybrid = 1; $opt_hybrid_mbr = 1 },
 'hybrid' => \$opt_hybrid,
@@ -372,6 +374,7 @@
 }
 $opt_sign_key ||= $config{'sign-key'};
+$opt_sign_key_id ||= $config{'sign-key-id'};
 my $tmp = Tmp::new($opt_save_temp);
@@ -401,6 +404,7 @@
 my $has_el_torito = 0;
 my $sign_key_pub;
 my $sign_key_dir;
+my $sign_key_id;
 my $initrd_installkeys;
 my $initrd_format;
 my $rebuild_initrd;
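Review bot: `'sign-key-id=s'` and the `$opt_sign_key_id ||= $config{'sign-key-id'}` fallback accept an arbitrary string that the new key-id branch (hunk at 3288) later interpolates into a single-quoted shell argument, `gpg ... '$opt_sign_key_id'`; a value containing `'` ends that quoting, so a typo on the command line or a carelessly edited config file becomes shell syntax rather than a gpg "no such key" error. This is the user's own command and config, so it is a robustness issue rather than a privilege boundary, but it is cheap to close at option resolution: `die "sign-key-id: invalid key id\n" if defined $opt_sign_key_id && $opt_sign_key_id =~ /'/;` after the `||=` line, or better, hand the id to gpg through list-form `system()` so the shell never sees it. The help text in this commit calls the value a "key id recognized by gpg", so a stricter hex-only whitelist may be too narrow if user-id strings are meant to work as well.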
@@ -591,11 +595,12 @@
 system "tagmedia $chk --digest '$opt_digest' --pad 150 '$iso_file' >/dev/null";
 print "\n";
 if($opt_sign && $sign_key_dir && $opt_sign_image) {
- system "tagmedia --export-tags $sign_key_dir/tags $iso_file >/dev/null 2>&1";
- if(-s "$sign_key_dir/tags") {
+ my $tmp_dir = $tmp->dir();
+ system "tagmedia --export-tags $tmp_dir/tags $iso_file >/dev/null 2>&1";
+ if(-s "$tmp_dir/tags") {
 print "signing $iso_file\n" if $opt_verbose >= 1;
- system "gpg --homedir=$sign_key_dir --batch --yes --armor --detach-sign $sign_key_dir/tags";
- system "tagmedia --import-signature $sign_key_dir/tags.asc $iso_file";
+ system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $tmp_dir/tags";
+ system "tagmedia --import-signature $tmp_dir/tags.asc $iso_file";
 }
 }
 }
@@ -640,7 +645,11 @@
 --no-sign Don't re-sign '/content'.
 --sign-image Embed signature for whole image. See Signing notes.
 --no-sign-image Don't embed signature for whole image. (default)
- --sign-key KEY_FILE Use this key instead of generating a transient key.
+ --sign-key KEY_FILE Use this key file instead of generating a transient key. See Signing notes below.
+ --sign-key-id KEY_ID Use this key id instead of generating a transient key. Note: gpg might show an interactive dialog asking for a password to unlock the key. See Signing notes below.
 --gpt Add GPT when in isohybrid mode.
 --mbr Add MBR when in isohybrid mode (default).
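Review bot: Neither the `gpg ... --detach-sign $tmp_dir/tags` call nor the following `tagmedia --import-signature` has its exit status checked, and `--local-user` with a real key from `~/.gnupg` makes gpg failure a realistic path (key not signing-capable, pinentry cancelled, no agent reachable under `--batch`); when gpg fails, `$tmp_dir/tags.asc` never exists, tagmedia is handed a missing file, and the script finishes normally with an image that carries no whole-image signature, which is easy to miss behind the "signing" message. Checking the status turns that into a hard error: `system("gpg ...") == 0 or die "gpg: signing $iso_file failed\n";` and `system("tagmedia --import-signature ...") == 0 or die "tagmedia: importing signature into $iso_file failed\n";`. Moving the exported tags from `$sign_key_dir` into a temp dir is the right call now that `$sign_key_dir` can be the user's real gpg home. The enclosing block begins outside the hunk.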
@@ -795,12 +804,15 @@
 up. For this, mksusecd will re-sign the file and add the public part of the signing key to the initrd.
- You can specify the key to use with the 'sign-key' option. The option
- must point to a private key file.
-
- If there's no 'sign-key' option, a transient key is created. The public
- part is added to the initrd and the root directory of the image and the
- key is deleted.
+ You can specify the key to use with either the 'sign-key' or 'sign-key-id'
+ option. 'sign-key' must point to a private key file, 'sign-key-id' is a
+ key id recognized by gpg.
+
+ If both '--sign-key' and '--sign-key-id' are specified, '--sign-key-id' wins.
+
+ If there's neither a 'sign-key' nor a 'sign-key-id' option, a transient
+ key is created. The public part is added to the initrd and the root
+ directory of the image and the key is deleted.
 The key file is named 'gpg-pubkey-xxxxxxxx-xxxxxxxx.asc'.
@@ -929,6 +941,9 @@
 sign-key: File name of the private key file with the signing key. The same as the 'sign-key' option. See Signing notes above.
+ sign-key-id: Key id of the signing key. The same as the --sign-key-id
+ option. See Signing notes above.
+
 Examples: # create foo.iso from /foo_dir
@@ -1851,7 +1866,7 @@
 print "signing '$name'\n" if $opt_verbose >= 1;
- system "gpg --homedir=$sign_key_dir --batch --yes --armor --detach-sign $name";
+ system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $name";
 }
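Review bot: The gpg invocation in the 1851 hunk (and its twins at 595 and 3446) is still one shell string with `$sign_key_dir` unquoted, and with `--sign-key-id` that variable is now `$ENV{HOME}/.gnupg` rather than a directory the script created itself, so a home directory containing a space or a shell metacharacter splits or rewrites the `--homedir` argument. Building the argument list instead removes the shell from the path entirely and lets the exit status be checked in the same statement: `system('gpg', "--homedir=$sign_key_dir", '--local-user', $sign_key_id, '--batch', '--yes', '--armor', '--detach-sign', $name) == 0 or die "gpg: signing $name failed\n";`. `$sign_key_id` itself is safe to interpolate in the key-id path, it comes from a `[0-9a-zA-Z]+` capture on gpg's packet dump; in the key-file/transient path it is copied from a `$keyid` parsed outside this diff, which I cannot check here. The enclosing subroutine starts and ends outside the hunk.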
@@ -3273,6 +3288,43 @@
 %commit = = = = = = = =
+ if($opt_sign_key_id) {
+ # step 1: export the public key, using the supplied id - this also ensures
+ # the key exists
+ # step 2: get the canonical key id and creation date from the exported blob
+
+ $sign_key_dir = $gpg_dir = "$ENV{HOME}/.gnupg";
+ die "$sign_key_dir: no such gpg directory\n" unless -d $sign_key_dir;
+
+ my $tmp_dir = $tmp->dir();
+ system "gpg --homedir=$gpg_dir --export --armor --output $tmp_dir/key.pub '$opt_sign_key_id' >/dev/null 2>&1";
+
+ my $keyid;
+ my $date;
+
+ if(-f "$tmp_dir/key.pub" && open(my $p, "gpg -v -v $tmp_dir/key.pub 2>&1 |")) {
+ while(<$p>) {
+ $keyid = $1 if !$keyid && /^:signature packet:.*keyid\s+([0-9a-zA-Z]+)/;
+ $date = $1, last if !$date && $keyid && /created\s+(\d+)/;
+ }
+ close $p;
+ }
+
+ if(!$keyid || !$date) {
+ die "$opt_sign_key_id: failed to extract public key\n";
+ }
+
+ my $cname = sprintf "gpg-pubkey-%08x-%08x.asc", hex($keyid) & 0xffffffff, $date;
+ $sign_key_pub = "$tmp_dir/$cname";
+ rename "$tmp_dir/key.pub", $sign_key_pub;
+
+ $sign_key_id = $keyid;
+
+ print "using signing key, keyid = $sign_key_id\n";
+
+ return;
+ }
+
 my $key;
 my $is_gpg21;
@@ -3317,11 +3369,13 @@
 $sign_key_pub = "$gpg_dir/$cname";
 system "gpg --homedir=$gpg_dir --export --armor --output $sign_key_pub >/dev/null 2>&1";
+ $sign_key_id = $keyid;
+
 if($opt_sign_key) {
- print "using signing key, keyid = $keyid\n" if $opt_verbose >= 1;
+ print "using signing key, keyid = $sign_key_id\n";
 } else {
- print "transient signing key created, keyid = $keyid\n" if $opt_verbose >= 1;
+ print "transient signing key created, keyid = $sign_key_id\n";
 }
 } else {
@@ -3392,7 +3446,7 @@
 print "re-signing '/$name'\n" if $opt_verbose >= 1;
- system "gpg --homedir=$sign_key_dir --batch --yes --armor --detach-sign $c";
+ system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $c";
 }
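Review bot: `gpg --export '$opt_sign_key_id'` in the new key-id branch exports every key that matches the id (a short key id or a user-id substring can match several), while the packet-dump loop keeps only the first `:signature packet:` keyid it sees, so the `.asc` embedded in the initrd can contain more keys than the one that actually signs, and the signing key is whichever the first signature packet happens to name; resolving the id to exactly one primary-key fingerprint before exporting, and signing with that fingerprint, closes both gaps. The rewrite below also honours `$ENV{GNUPGHOME}` ahead of `$HOME/.gnupg`, since gpg itself does but the hard-coded `--homedir` silently overrides it, and uses list-form `open`/`system` so the user-supplied id is never parsed by a shell. I cannot see whether anything downstream relies on `$sign_key_id` being a 16-hex key id rather than a fingerprint; `--local-user` accepts both, and `$cname` still uses the short `$keyid`. The enclosing subroutine starts and ends outside the hunk.

```perl
  if($opt_sign_key_id) {
    # gpg honours GNUPGHOME itself; mirror that instead of forcing $HOME/.gnupg via --homedir
    $sign_key_dir = $gpg_dir = $ENV{GNUPGHOME} || "$ENV{HOME}/.gnupg";
    die "$sign_key_dir: no such gpg directory\n" unless -d $sign_key_dir;

    # resolve the supplied id to exactly one primary-key fingerprint first:
    # 'gpg --export ID' happily exports every key matching ID
    my @fpr;
    if(open(my $l, '-|', 'gpg', "--homedir=$gpg_dir", '--batch', '--with-colons', '--list-keys', $opt_sign_key_id)) {
      my $rec = '';
      while(<$l>) {
        # only the fpr record directly after a pub record is the primary key
        push @fpr, $1 if $rec eq 'pub' && /^fpr:{9}([0-9A-F]+):/;
        my ($type) = split /:/;
        $rec = defined $type ? $type : '';
      }
      close $l;
    }
    die "$opt_sign_key_id: does not identify exactly one key\n" if @fpr != 1;

    my $tmp_dir = $tmp->dir();
    system('gpg', "--homedir=$gpg_dir", '--batch', '--export', '--armor', '--output', "$tmp_dir/key.pub", $fpr[0]) == 0
      or die "$opt_sign_key_id: failed to export public key\n";

    # … unchanged: packet dump of key.pub, $keyid/$date extraction, $cname and rename …

    # sign with the resolved fingerprint, not with the first keyid seen in the dump
    $sign_key_id = $fpr[0];
```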
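Review bot: In the 3369 hunk both `print` calls drop their `if $opt_verbose >= 1` guard, so the key id is now written unconditionally in the key-file and transient-key paths, which matches the unconditional print in the new key-id branch but is a behaviour change not mentioned in the changelog entry; anything that parses mksusecd's normal output sees an extra line. If showing the signing key id is meant to be always-on, a word in the changelog is enough; otherwise restore the guard on both lines, e.g. `print "using signing key, keyid = $sign_key_id\n" if $opt_verbose >= 1;`. The surrounding if/else starts outside the hunk.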