summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEli Schwartz <eschwartz@archlinux.org>2018-12-01 19:36:23 -0500
committerLevente Polyak <anthraxx@archlinux.org>2019-08-09 19:41:51 +0200
commit2180aabc816aae1fb4bb7c341fee53fe48ffa98e (patch)
treef9f22ed241f5b10e40d6285b7dc1e0e5729f02b6
parent2f929c961f5a7a22e681055987af05f096a067e0 (diff)
downloaddevtools-2180aabc816aae1fb4bb7c341fee53fe48ffa98e.tar.xz
arch-nspawn: don't delete the guest gpg configuration
It's important to ensure the guest has up to date data because updating a chroot after quite some time can potentially rely on updated archlinux-keyring, something which the host machine either kept up to date on or manually fixed, but it kills automation to mess around with chroot configs like that. Alternatively, signed packages added with -I need to work, and we assume the host is configured to accept these. That is *not* a good reason to completely nuke whatever is in the guest, though. A guest might have been manually configured to accept keys which aren't accepted by the host; one example of this happening in practice, is archlinux32 when building 32-bit packages from an archlinux host. The right solution is to append to, rather thna overwrite, the chrooted guest's pacman keyring. To do this, we will use gpg's native facility to dump the keyring from one GNUPGHOME and import it into another. We'd use pacman-key's --import option directly, but this doesn't support passing custom options like --import-options import-local-sigs Finally use pacman-key's native facility to import the trust status from the host. While we are at it, fix a bug where we didn't respect the host's pacman.conf settings for the GpgDir. While it isn't wildly likely a user will choose to customize this, it is a valid and supported use case and we must think about this ourselves. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
-rw-r--r--arch-nspawn.in3
1 files changed, 2 insertions, 1 deletions
diff --git a/arch-nspawn.in b/arch-nspawn.in
index 42f7779..a0e24dc 100644
--- a/arch-nspawn.in
+++ b/arch-nspawn.in
@@ -80,7 +80,8 @@ build_mount_args() {
}
copy_hostconf () {
- cp -a /etc/pacman.d/gnupg "$working_dir/etc/pacman.d"
+ gpg --homedir "$working_dir"/etc/pacman.d/gnupg/ --no-permission-warning --quiet --batch --import --import-options import-local-sigs "$(pacman-conf GpgDir)"/pubring.gpg >/dev/null 2>&1
+ pacman-key --gpgdir "$working_dir"/etc/pacman.d/gnupg/ --import-trustdb "$(pacman-conf GpgDir)" >/dev/null 2>&1
printf 'Server = %s\n' "${host_mirrors[@]}" >"$working_dir/etc/pacman.d/mirrorlist"
[[ -n $pac_conf ]] && cp "$pac_conf" "$working_dir/etc/pacman.conf"