Re: [arch-projects] [devtools] makechrootpkg: respect GNUPGHOME
On Tue, Feb 27, 2018 at 03:44:07PM +0100, Eli Schwartz via arch-projects wrote:
> On 02/27/2018 05:41 AM, Emiel Wiedijk via arch-projects wrote:
> > Correct, but makepkg --verifysource is run with sudo -u $myuser, and sudo
> > resets the environment. And the code that copies ~/.gnupg to the chroot
> > apparently hasn't been removed yet (as of
> > 38c7a391b043547b946a99731a56a233458ba7a2).
> > I just assumed (apparently wrongly) that it was for GnuPG related tasks in
> > the PKGBUILD, and adjusted the code to copy the correct directory.
>
> My point is that there is really no point in trying to preserve it in
> the chroot, since that section is dead code to begin with, and if you do
> anyways then your patch may clash with other pending patches. So of the
> three changes your patch made, you should probably only make the second
> and third.
>
> I don't blame you for actually thinking dead code did something. :D
>
> --
> Eli Schwartz
> Bug Wrangler and Trusted User

Fair enough, I sent an updated patch :-).

Emiel Wiedijk
[arch-projects] [devtools] [PATCH v2] makechrootpkg: respect GNUPGHOME
Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user uses a custom GPG home directory, the signature checking would fail. Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.

Signed-off-by: Emiel Wiedijk
--- makechrootpkg.in | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/makechrootpkg.in b/makechrootpkg.in index afcd121..653847f 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -252,7 +252,8 @@ download_sources() { chmod 1777 "$builddir" # Ensure sources are downloaded - sudo -u "$makepkg_user" env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \ + sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \ + env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \ makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o || die "Could not download sources." @@ -341,7 +342,7 @@ main() { [[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.' makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}} - check_root SOURCE_DATE_EPOCH + check_root SOURCE_DATE_EPOCH,GNUPGHOME # Canonicalize chrootdir, getting rid of trailing / chrootdir=$(readlink -e "$passeddir") -- 2.16.2
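Review bot: in the download_sources() hunk, `--preserve-env=GNUPGHOME` has two preconditions that the commit message should spell out: the list form of `--preserve-env` only exists in sudo 1.8.21 and later, and sudoers only honours it when the matched rule carries SETENV (implied for a rule whose command is ALL, which root normally has). On an older sudo or a tighter policy the `sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \` line fails with a sudo usage or policy error instead of a useful message, so either document the minimum sudo version or let `die` report it. A second point in the same hunk: the value is inherited from the invoking user, but makepkg runs as $makepkg_user, which the later `makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}}` line shows can be a different account; if GNUPGHOME points under the invoker's home, that user cannot read it and --verifysource fails exactly as it did with the hardcoded path. Checking that the directory is readable by $makepkg_user before passing it through, or noting the limitation for the -U case, would make the failure mode explicit.

Review bot: in the main() hunk, `check_root SOURCE_DATE_EPOCH,GNUPGHOME` is the right place to carry the variable across the outer sudo re-exec, but the commit message still says "the signature checking would fail" without saying where: as the reply in this thread notes, nothing in the chroot verifies signatures, and the check that needs GNUPGHOME is the `makepkg --verifysource` run on the host in download_sources(). Stating that in the message prevents a later reader from reintroducing a keyring copy into the chroot.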
Re: [arch-projects] [devtools] makechrootpkg: respect GNUPGHOME
> On 02/26/2018 02:03 PM, Emiel Wiedijk via arch-projects wrote:
> > Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user
> > uses a custom GPG home directory, the signature checking would fail.
> > Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.
>
> There is no signature checking in the chroot, see
> https://lists.archlinux.org/pipermail/arch-projects/2018-January/004709.html
>
> --
> Eli Schwartz
> Bug Wrangler and Trusted User

Correct, but makepkg --verifysource is run with sudo -u $myuser, and sudo resets the environment. And the code that copies ~/.gnupg to the chroot apparently hasn't been removed yet (as of 38c7a391b043547b946a99731a56a233458ba7a2).

I just assumed (apparently wrongly) that it was for GnuPG related tasks in the PKGBUILD, and adjusted the code to copy the correct directory.

Emiel Wiedijk
[arch-projects] [devtools] makechrootpkg: respect GNUPGHOME
Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user uses a custom GPG home directory, the signature checking would fail. Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.

Signed-off-by: Emiel Wiedijk
--- makechrootpkg.in | 12 +++- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/makechrootpkg.in b/makechrootpkg.in index afcd121..5a79dc0 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -182,9 +182,10 @@ prepare_chroot() { $install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest} - for x in .gnupg/pubring.{kbx,gpg}; do - [[ -r $USER_HOME/$x ]] || continue - $install -m 644 "$USER_HOME/$x" "$copydir/build/$x" + for x in pubring.{kbx,gpg}; do + local pubring="${GNUPGHOME:-$USER_HOME/.gnupg}/$x" + [[ -r "$pubring" ]] || continue + $install -m 644 "$pubring" "$copydir/build/.gnupg/$x" done sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf" @@ -252,7 +253,8 @@ download_sources() { chmod 1777 "$builddir" # Ensure sources are downloaded - sudo -u "$makepkg_user" env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \ + sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \ + env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \ makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o || die "Could not download sources." @@ -341,7 +343,7 @@ main() { [[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.' makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}} - check_root SOURCE_DATE_EPOCH + check_root SOURCE_DATE_EPOCH,GNUPGHOME # Canonicalize chrootdir, getting rid of trailing / chrootdir=$(readlink -e "$passeddir") -- 2.16.2
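Review bot: the prepare_chroot() hunk should be dropped rather than adjusted: it copies `pubring.{kbx,gpg}` from `${GNUPGHOME:-$USER_HOME/.gnupg}` into `$copydir/build/.gnupg`, but as the reply in this thread points out nothing inside the chroot verifies signatures, so the loop has no consumer and changing its source directory only risks conflicting with the pending removal of that block. If a keyring copy into the build root is ever wanted again, it should be an explicit option listing which public keys the build is meant to trust, not whatever keyring the invoking user's environment happens to point at; the `$install -m 644` of the full keyring also makes a trust decision on behalf of the build user that the commit message does not mention. The download_sources() and main() hunks are the same as in v2 and the comments there apply here unchanged.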