Hello community,

here is the log from the commit of package mksusecd for openSUSE:Factory 
checked in at 2020-06-25 15:08:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mksusecd (Old)
 and      /work/SRC/openSUSE:Factory/.mksusecd.new.3060 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mksusecd"

Thu Jun 25 15:08:09 2020 rev:62 rq:816868 version:1.74

Changes:
--------
--- /work/SRC/openSUSE:Factory/mksusecd/mksusecd.changes        2020-06-23 
21:07:56.286490371 +0200
+++ /work/SRC/openSUSE:Factory/.mksusecd.new.3060/mksusecd.changes      
2020-06-25 15:09:16.189712028 +0200
@@ -1,0 +2,7 @@
+Wed Jun 24 16:05:31 UTC 2020 - wfe...@opensuse.org
+
+- merge gh#openSUSE/mksusecd#49
+- add --sign-key-id option to allow specifying a gpg signing key by id
+- 1.74
+
+--------------------------------------------------------------------

Old:
----
  mksusecd-1.73.tar.xz

New:
----
  mksusecd-1.74.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mksusecd.spec ++++++
--- /var/tmp/diff_new_pack.RW3DeI/_old  2020-06-25 15:09:18.325718731 +0200
+++ /var/tmp/diff_new_pack.RW3DeI/_new  2020-06-25 15:09:18.329718744 +0200
@@ -18,7 +18,7 @@
 
 
 Name:           mksusecd
-Version:        1.73
+Version:        1.74
 Release:        0
 Summary:        Tool to create SUSE Linux installation ISOs
 License:        GPL-3.0+

++++++ mksusecd-1.73.tar.xz -> mksusecd-1.74.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mksusecd-1.73/VERSION new/mksusecd-1.74/VERSION
--- old/mksusecd-1.73/VERSION   2020-06-23 15:32:51.000000000 +0200
+++ new/mksusecd-1.74/VERSION   2020-06-24 18:05:31.000000000 +0200
@@ -1 +1 @@
-1.73
+1.74
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mksusecd-1.73/changelog new/mksusecd-1.74/changelog
--- old/mksusecd-1.73/changelog 2020-06-23 15:32:51.000000000 +0200
+++ new/mksusecd-1.74/changelog 2020-06-24 18:05:31.000000000 +0200
@@ -1,3 +1,7 @@
+2020-06-24:    1.74
+       - merge gh#openSUSE/mksusecd#49
+       - add --sign-key-id option to allow specifying a gpg signing key by id
+
 2020-06-23:    1.73
        - merge gh#openSUSE/mksusecd#48
        - do not include excluded products (bsc#1173263)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/mksusecd-1.73/mksusecd new/mksusecd-1.74/mksusecd
--- old/mksusecd-1.73/mksusecd  2020-06-23 15:32:51.000000000 +0200
+++ new/mksusecd-1.74/mksusecd  2020-06-24 18:05:31.000000000 +0200
@@ -238,6 +238,7 @@
 my $opt_loader;
 my $opt_sign = 1;
 my $opt_sign_key;
+my $opt_sign_key_id;
 my $opt_sign_image;
 my @opt_kernel_rpms;
 my @opt_kernel_modules;
@@ -282,6 +283,7 @@
   'sign-image'       => \$opt_sign_image,
   'no-sign-image'    => sub { $opt_sign_image = 0 },
   'sign-key=s'       => \$opt_sign_key,
+  'sign-key-id=s'    => \$opt_sign_key_id,
   'gpt'              => sub { $opt_hybrid = 1; $opt_hybrid_gpt = 1 },
   'mbr'              => sub { $opt_hybrid = 1; $opt_hybrid_mbr = 1 },
   'hybrid'           => \$opt_hybrid,
@@ -372,6 +374,7 @@
 }
 
 $opt_sign_key ||= $config{'sign-key'};
+$opt_sign_key_id ||= $config{'sign-key-id'};
 
 my $tmp = Tmp::new($opt_save_temp);
 
@@ -401,6 +404,7 @@
 my $has_el_torito = 0;
 my $sign_key_pub;
 my $sign_key_dir;
+my $sign_key_id;
 my $initrd_installkeys;
 my $initrd_format;
 my $rebuild_initrd;
@@ -591,11 +595,12 @@
     system "tagmedia $chk --digest '$opt_digest' --pad 150 '$iso_file' 
>/dev/null";
     print "\n";
     if($opt_sign && $sign_key_dir && $opt_sign_image) {
-      system "tagmedia --export-tags $sign_key_dir/tags $iso_file >/dev/null 
2>&1";
-      if(-s "$sign_key_dir/tags") {
+      my $tmp_dir = $tmp->dir();
+      system "tagmedia --export-tags $tmp_dir/tags $iso_file >/dev/null 2>&1";
+      if(-s "$tmp_dir/tags") {
         print "signing $iso_file\n" if $opt_verbose >= 1;
-        system "gpg --homedir=$sign_key_dir --batch --yes --armor 
--detach-sign $sign_key_dir/tags";
-        system "tagmedia --import-signature $sign_key_dir/tags.asc $iso_file";
+        system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' 
--batch --yes --armor --detach-sign $tmp_dir/tags";
+        system "tagmedia --import-signature $tmp_dir/tags.asc $iso_file";
       }
     }
   }
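Review bot: The new `--local-user '$sign_key_id'` argument is interpolated unconditionally, but `$sign_key_id` is only assigned in the `$opt_sign_key_id` path and in the `if` branch of the hunk that sets `$sign_key_pub = "$gpg_dir/$cname"`; if the `else` branch there (outside that hunk) leaves it undef, gpg is invoked with an empty `--local-user ''` and Perl emits an uninitialized-value warning — worth confirming, and if so building the argument conditionally, `my $local_user = $sign_key_id ? "--local-user '$sign_key_id'" : '';`. `$sign_key_id` itself is taken from gpg's own packet dump through a `[0-9a-zA-Z]+` capture, so it cannot break the single quotes. The same interpolation appears in the `signing '$name'` and `re-signing '/$name'` hunks further down; the enclosing block starts and ends outside this hunk.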
@@ -640,7 +645,11 @@
       --no-sign                 Don't re-sign '/content'.
       --sign-image              Embed signature for whole image. See Signing 
notes.
       --no-sign-image           Don't embed signature for whole image. 
(default)
-      --sign-key KEY_FILE       Use this key instead of generating a transient 
key.
+      --sign-key KEY_FILE       Use this key file instead of generating a 
transient key.
+                                See Signing notes below.
+      --sign-key-id KEY_ID      Use this key id instead of generating a 
transient key.
+                                Note: gpg might show an interactive dialog 
asking for a
+                                password to unlock the key.
                                 See Signing notes below.
       --gpt                     Add GPT when in isohybrid mode.
       --mbr                     Add MBR when in isohybrid mode (default).
@@ -795,12 +804,15 @@
   up. For this, mksusecd will re-sign the file and add the public part of
   the signing key to the initrd.
 
-  You can specify the key to use with the 'sign-key' option. The option
-  must point to a private key file.
-
-  If there's no 'sign-key' option, a transient key is created. The public
-  part is added to the initrd and the root directory of the image and the
-  key is deleted.
+  You can specify the key to use with either the 'sign-key' or 'sign-key-id'
+  option. 'sign-key' must point to a private key file, 'sign-key-id' is a
+  key id recognized by gpg.
+
+  If both '--sign-key' and '--sign-key-id' are specified, '--sign-key-id' wins.
+
+  If there's neither a 'sign-key' nor a 'sign-key-id' option, a transient
+  key is created. The public part is added to the initrd and the root
+  directory of the image and the key is deleted.
   
   The key file is named 'gpg-pubkey-xxxxxxxx-xxxxxxxx.asc'.
 
@@ -929,6 +941,9 @@
     sign-key: File name of the private key file with the signing key. The
       same as the 'sign-key' option. See Signing notes above.
 
+    sign-key-id: Key id of the signing key. The same as the --sign-key-id
+      option. See Signing notes above.
+
 Examples:
 
   # create foo.iso from /foo_dir
@@ -1851,7 +1866,7 @@
 
   print "signing '$name'\n" if $opt_verbose >= 1;
 
-  system "gpg --homedir=$sign_key_dir --batch --yes --armor --detach-sign 
$name";
+  system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch 
--yes --armor --detach-sign $name";
 }
 
 
@@ -3273,6 +3288,43 @@
 %commit
 = = = = = = = =
 
+  if($opt_sign_key_id) {
+    # step 1: export the public key, using the supplied id - this also ensures
+    #         the key exists
+    # step 2: get the canonical key id and creation date from the exported blob
+
+    $sign_key_dir = $gpg_dir = "$ENV{HOME}/.gnupg";
+    die "$sign_key_dir: no such gpg directory\n" unless -d $sign_key_dir;
+
+    my $tmp_dir = $tmp->dir();
+    system "gpg --homedir=$gpg_dir --export --armor --output $tmp_dir/key.pub 
'$opt_sign_key_id' >/dev/null 2>&1";
+
+    my $keyid;
+    my $date;
+
+    if(-f "$tmp_dir/key.pub" && open(my $p, "gpg -v -v $tmp_dir/key.pub 2>&1 
|")) {
+      while(<$p>) {
+        $keyid = $1 if !$keyid && /^:signature 
packet:.*keyid\s+([0-9a-zA-Z]+)/;
+        $date = $1, last if !$date && $keyid && /created\s+(\d+)/;
+      }
+      close $p;
+    }
+
+    if(!$keyid || !$date) {
+      die "$opt_sign_key_id: failed to extract public key\n";
+    }
+
+    my $cname = sprintf "gpg-pubkey-%08x-%08x.asc", hex($keyid) & 0xffffffff, 
$date;
+    $sign_key_pub = "$tmp_dir/$cname";
+    rename "$tmp_dir/key.pub", $sign_key_pub;
+
+    $sign_key_id = $keyid;
+
+    print "using signing key, keyid = $sign_key_id\n";
+
+    return;
+  }
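Review bot: `$opt_sign_key_id` is interpolated into the `gpg --export` shell string inside single quotes, and it comes straight from `--sign-key-id` or the `sign-key-id` config entry, so a value containing a single quote breaks out of the quoting; either escape it first, `(my $q_id = $opt_sign_key_id) =~ s/'/'\\''/g;`, and interpolate `'$q_id'`, or switch to list-form `system` with the redirects handled in Perl. After that call only `$keyid` is used, which the `[0-9a-zA-Z]+` capture keeps shell-safe. Two smaller points in the same block: `$sign_key_dir = $gpg_dir = "$ENV{HOME}/.gnupg"` ignores a `GNUPGHOME` override the user may rely on (`$ENV{GNUPGHOME} || "$ENV{HOME}/.gnupg"` would honour it), and `rename "$tmp_dir/key.pub", $sign_key_pub;` is unchecked, so a failure leaves `$sign_key_pub` pointing at a file that does not exist — `rename "$tmp_dir/key.pub", $sign_key_pub or die "$sign_key_pub: $!\n";`. The enclosing function starts before and ends after this hunk.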
+
   my $key;
   my $is_gpg21;
 
@@ -3317,11 +3369,13 @@
     $sign_key_pub = "$gpg_dir/$cname";
     system "gpg --homedir=$gpg_dir --export --armor --output $sign_key_pub 
>/dev/null 2>&1";
 
+    $sign_key_id = $keyid;
+
     if($opt_sign_key) {
-      print "using signing key, keyid = $keyid\n" if $opt_verbose >= 1;
+      print "using signing key, keyid = $sign_key_id\n";
     }
     else {
-      print "transient signing key created, keyid = $keyid\n" if $opt_verbose 
>= 1;
+      print "transient signing key created, keyid = $sign_key_id\n";
     }
   }
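Review bot: Both `print "using signing key, keyid = ..."` lines drop the previous `if $opt_verbose >= 1` gate, so the key id is now reported even in quiet runs, unlike the neighbouring progress output such as `print "signing $iso_file\n" if $opt_verbose >= 1;`. If that is intentional — it does let users check which key signed the image — a one-line comment above the `if($opt_sign_key)` would save the next reader from "fixing" it: `# always report the key id, independent of --verbose, so users can verify the signature`. The enclosing `if`/`else` starts and ends outside this hunk.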
   else {
@@ -3392,7 +3446,7 @@
 
   print "re-signing '/$name'\n" if $opt_verbose >= 1;
 
-  system "gpg --homedir=$sign_key_dir --batch --yes --armor --detach-sign $c";
+  system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch 
--yes --armor --detach-sign $c";
 }
 
 

