Hello community, here is the log from the commit of package mksusecd for openSUSE:Factory checked in at 2015-02-10 20:24:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mksusecd (Old) and /work/SRC/openSUSE:Factory/.mksusecd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mksusecd"
Changes:
--------
--- /work/SRC/openSUSE:Factory/mksusecd/mksusecd.changes 2015-02-06 22:38:11.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.mksusecd.new/mksusecd.changes 2015-02-10 20:24:11.000000000 +0100
@@ -1,0 +2,12 @@
+Tue Feb 10 10:06:07 CET 2015 - [email protected]
+
+- simplify key handling
+- 1.12
+
+-------------------------------------------------------------------
+Mon Feb 9 12:06:10 CET 2015 - [email protected]
+
+- allow to use a user-supplied signing key
+- 1.11
+
+-------------------------------------------------------------------
Old:
----
mksusecd-1.10.tar.xz
New:
----
mksusecd-1.12.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mksusecd.spec ++++++
--- /var/tmp/diff_new_pack.GlNg1t/_old 2015-02-10 20:24:11.000000000 +0100
+++ /var/tmp/diff_new_pack.GlNg1t/_new 2015-02-10 20:24:11.000000000 +0100
@@ -29,7 +29,7 @@
 Summary: Create SUSE Linux installation ISOs
 License: GPL-3.0+
 Group: Hardware/Other
-Version: 1.10
+Version: 1.12
 Release: 0
 Source: %{name}-%{version}.tar.xz
 Url: https://github.com/wfeldt/mksusecd
++++++ mksusecd-1.10.tar.xz -> mksusecd-1.12.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.10/VERSION new/mksusecd-1.12/VERSION
--- old/mksusecd-1.10/VERSION 2015-02-06 15:13:24.000000000 +0100
+++ new/mksusecd-1.12/VERSION 2015-02-10 10:02:57.000000000 +0100
@@ -1 +1 @@
-1.10
+1.12
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.10/changelog new/mksusecd-1.12/changelog
--- old/mksusecd-1.10/changelog 2015-02-06 15:13:24.000000000 +0100
+++ new/mksusecd-1.12/changelog 2015-02-10 10:02:57.000000000 +0100
@@ -1,3 +1,9 @@ +2015-02-10: 1.12 + - simplify key handling + +2015-02-09: 1.11 + - allow to use a user-supplied signing key + 2015-02-06: 1.10 - re-sign '/content' if necessary - fix git2log script diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.10/mksusecd new/mksusecd-1.12/mksusecd --- old/mksusecd-1.10/mksusecd 2015-02-06 15:13:24.000000000 +0100 +++ new/mksusecd-1.12/mksusecd 2015-02-10 10:02:57.000000000 +0100 @@ -138,10 +138,12 @@ sub usage; sub check_root; +sub show_progress; sub susystem; sub fname; sub analyze_boot; sub build_todo; +sub copy_file; sub prepare_mkisofs; sub build_filelist; sub run_mkisofs; @@ -196,6 +198,7 @@ my $opt_no_docs = 1; my $opt_loader; my $opt_sign = 1; +my $opt_sign_key; GetOptions( 'create|c=s' => sub { $opt_create = 1; $opt_dst = $_[1] }, @@ -211,6 +214,7 @@ 'no-digest' => sub { $opt_digest = undef }, 'sign' => \$opt_sign, 'no-sign' => sub { $opt_sign = 0 }, + 'sign-key=s' => \$opt_sign_key, 'gpt' => sub { $opt_hybrid = 1; $opt_hybrid_gpt = 1 }, 'mbr' => sub { $opt_hybrid = 1; $opt_hybrid_mbr = 1 }, 'hybrid' => \$opt_hybrid, @@ -241,8 +245,12 @@ if(open my $f, "$ENV{HOME}/.mksusecdrc") { while(<$f>) { - if(/^(\S+?)=\"(.*)\"\s*$/) { - $config{$1} = $2; + next if /^\s*#/; + if(/^\s*(\S+?)\s*=\s*(.*?)\s*$/) { + my $key = $1; + my $val = $2; + $val =~ s/^\"|\"$//g; + $config{$key} = $val; } } close $f; @@ -253,6 +261,8 @@ $sudo =~ s/\s*$/ /; } +$opt_sign_key ||= $config{'sign-key'}; + my $tmp = Tmp::new($opt_save_temp); # my $tmp_mnt = $tmp->mnt('mnt'); 
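Review bot: In the new .mksusecdrc parser (hunk @@ -241), `$val =~ s/^\"|\"$//g;` strips a leading and a trailing quote independently, so an unbalanced value such as `sign-key="foo` or `sudo=foo"` is silently accepted instead of being left alone or rejected, and a value that legitimately begins with a quote cannot be expressed. Stripping only a matched pair, `$val =~ s/^\"(.*)\"$/$1/;`, keeps the documented `sudo="foo"` form working and leaves every other value untouched. The `open my $f, "$ENV{HOME}/.mksusecdrc"` on the context line above is the two-argument form that lets the file name select the open mode; since this block is being reworked anyway, `open my $f, '<', "$ENV{HOME}/.mksusecdrc"` is the safe spelling. The config value read here later names a private key file, so it is worth keeping the parsing strict. The enclosing block starts before the hunk.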
@@ -402,9 +412,11 @@ --no-check Don't tag ISO (default). --digest DIGEST Use DIGEST to verify ISO integrity (default: SHA1). --no-digest Don't calculate any digest. - --sign Re-sign '/content' with a generated transient key if it has - changed. The public key is added to the initrd. (default) + --sign Re-sign '/content' if it has changed. The public part of + the sign key is added to the initrd. (default) --no-sign Don't re-sign '/content'. + --sign-key KEY_FILE Use this key instead of generating a transient key. + See Signing notes below. --gpt Add GPT when in isohybrid mode. --mbr Add MBR when in isohybrid mode (default). Note that when both --mbr and --gpt are specified both 
@@ -470,15 +482,25 @@ If you modify any file mentioned there (e.g. replacing it or implicitly as a result of the --initrd or --boot options) '/content' is updated and must be re-signed. Otherwise the installer will complain when it starts - up. For this, mksusecd creates a transient key, re-signs the file, and - adds the public part to the initrd. The secret part is deleted. + up. For this, mksusecd will re-sign the file and add the public part of + the signing key to the initrd. + + You can specify the key to use with the 'sign-key' option. The option + must point to a private key file. + + If there's no 'sign-key' option, a transient key is created. The public + part is added to the initrd and the key is deleted. -Configuration files: +Configuration file: \$HOME/.mksusecdrc - To access existing ISO image files you will need root privileges. (It - will be mounted.) There's a 'sudo' config file entry that lets you - specify a command granting you root privileges. E.g. sudo="foo". + + sudo: To access existing ISO image files you will need root privileges. + (It will be mounted.) This entry lets you specify a command granting + you root privileges. E.g. sudo="foo". + + sign-key: File name of the private key file with the signing key. The + same as the 'sign-key' option. See Signing notes above. Examples: 
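Review bot: The new 'sign-key' paragraphs in the Signing notes and in the configuration-file section leave out two facts the key-handling code relies on: a leading `~` in the path is expanded to `$HOME` (the code does `s/^~/$ENV{HOME}/` on both the option and the config value), and the private key is imported into mksusecd's temporary GnuPG directory for the run rather than used in place. The first is a one-line addition after "must point to a private key file.", e.g. `A leading '~' is expanded to your home directory.`; for the second, a sentence saying that the key is copied into the tool's temporary GnuPG home and whether it is removed afterwards would let users judge where their private key material ends up — the lifetime of that directory depends on the Tmp module, which is not visible in this diff, so confirm before documenting it. The text also says "The public part is added to the initrd and the key is deleted" only for the transient case; stating explicitly that a user-supplied key is never deleted would remove any doubt.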
@@ -1761,32 +1783,59 @@ %commit = = = = = = = = - if(open my $p, "| cd $gpg_dir ; gpg --no-tty --batch --armor --debug-quick-random --gen-key - 2>/dev/null") { - print $p $c; - close $p; + my $key; + + if($opt_sign_key) { + $key = $opt_sign_key; + $key =~ s/^~/$ENV{HOME}/; + die "$key: no such key file\n" unless -f $key; + } + else { + if(open my $p, "| cd $gpg_dir ; gpg --no-tty --batch --armor --debug-quick-random --gen-key - 2>/dev/null") { + print $p $c; + close $p; + } + $key = "$gpg_dir/mksusecd.sec"; } my $keyid; my $date; + my $priv; + my $pub; - if(open my $p, "gpg -v -v $gpg_dir/mksusecd.pub 2>&1 |") { + if(open my $p, "gpg -v -v $key 2>&1 |") { while(<$p>) { + $priv = 1 if /BEGIN PGP PRIVATE KEY BLOCK/; + $pub = 1 if /BEGIN PGP PUBLIC KEY BLOCK/; $keyid = $1 if !$keyid && /^:signature packet:.*keyid\s+([0-9a-zA-Z]+)/; $date = $1, last if !$date && $keyid && /created\s+(\d+)/; } close $p; } - if($date) { - my $cname = sprintf "gpg-pubkey-%08x-%08x.asc", hex($keyid) & 0xffffffff, $date; - rename "$gpg_dir/mksusecd.pub", "$gpg_dir/$cname"; - $sign_key_pub = "$gpg_dir/$cname"; + if($priv && $date) { + $sign_key_dir = $gpg_dir; - system "gpg --homedir=$gpg_dir --import $gpg_dir/mksusecd.sec >/dev/null 2>&1"; + system "gpg --homedir=$gpg_dir --import $key >/dev/null 2>&1"; - $sign_key_dir = $gpg_dir; + my $cname = sprintf "gpg-pubkey-%08x-%08x.asc", hex($keyid) & 0xffffffff, $date; + $sign_key_pub = "$gpg_dir/$cname"; + system "gpg --homedir=$gpg_dir --export --armor --output $sign_key_pub >/dev/null 2>&1"; - print "transient signing key created, keyid = $keyid\n" if $opt_verbose >= 1; + if($opt_sign_key) { + print "using signing key, keyid = $keyid\n" if $opt_verbose >= 1; + } + else { + print "transient signing key created, keyid = $keyid\n" if $opt_verbose >= 1; + } + } + else { + if($pub) { + die "$key: signing key is not a private key\n"; + } + else { + die "$key: signing key not usable\n"; + } } } 
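Review bot: `$key`, which now comes from --sign-key or the config file, is interpolated unquoted into two shell command strings, `open my $p, "gpg -v -v $key 2>&1 |"` and `system "gpg --homedir=$gpg_dir --import $key >/dev/null 2>&1"`, so a path containing spaces or shell metacharacters is word-split or interpreted by the shell instead of reaching gpg as one argument. Single-quoting the path once, `(my $qkey = $key) =~ s/'/'\\''/g;`, and writing `'$qkey'` in both strings fixes this without losing the redirections. The exit status of the import is also ignored: when it fails, `$sign_key_dir` and `$sign_key_pub` are still set and the following export produces nothing useful, so `system(...) == 0 or die "$key: import failed\n";` would report the error where it happens rather than later in the signing step. The `$priv`/`$pub` test keys on the armor header lines that `gpg -v -v` prints, which presumably means a binary (non-armored) secret key file is rejected with "signing key not usable"; if that is intended, the --sign-key help text should say the file must be ASCII-armored. The enclosing sub starts before the hunk.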
@@ -1801,7 +1850,7 @@ system "mkdir -p $tmp_dir/usr/lib/rpm/gnupg/keys"; system "cp $sign_key_pub $tmp_dir/usr/lib/rpm/gnupg/keys"; - print "transient signing key added to initrd\n" if $opt_verbose >= 1; + print "signing key added to initrd\n" if $opt_verbose >= 1; push @opt_initrds, $tmp_dir; } -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
