Hello community, here is the log from the commit of package mksusecd for openSUSE:Factory checked in at 2020-07-27 17:49:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mksusecd (Old) and /work/SRC/openSUSE:Factory/.mksusecd.new.3592 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mksusecd" Mon Jul 27 17:49:37 2020 rev:63 rq:822973 version:1.75 Changes: --------
--- /work/SRC/openSUSE:Factory/mksusecd/mksusecd.changes 2020-06-25 15:09:16.189712028 +0200
+++ /work/SRC/openSUSE:Factory/.mksusecd.new.3592/mksusecd.changes 2020-07-27 17:51:29.943661186 +0200
@@ -1,0 +2,21 @@
+Mon Jul 27 12:37:29 UTC 2020 - wfe...@opensuse.org
+
+- merge gh#openSUSE/mksusecd#50
+- added "--sign-pass-file"
+- added option for recreating and signing the repo
+- remove "all done" message
+- additional passphrase options are not necessary at key creation
+- set additional options only when a existing sign key is specified
+- print message if --sign-pass-file and missing
+- sign-key
+- readded removed line
+- removed sign_passwd_option on import
+- changed if-else-logic when specifying a passphrasefile
+- readded redirection to /dev/null
+- removed a print
+- removed trailing spaces
+- remove a single space
+- additional options
+- 1.75
+
+--------------------------------------------------------------------
Old: ---- mksusecd-1.74.tar.xz New: ---- mksusecd-1.75.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mksusecd.spec ++++++
--- /var/tmp/diff_new_pack.Z2Psce/_old 2020-07-27 17:51:32.063663522 +0200
+++ /var/tmp/diff_new_pack.Z2Psce/_new 2020-07-27 17:51:32.067663526 +0200
@@ -18,7 +18,7 @@
 Name: mksusecd
-Version: 1.74
+Version: 1.75
 Release: 0
 Summary: Tool to create SUSE Linux installation ISOs
 License: GPL-3.0+
++++++ mksusecd-1.74.tar.xz -> mksusecd-1.75.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.74/VERSION new/mksusecd-1.75/VERSION
--- old/mksusecd-1.74/VERSION 2020-06-24 18:05:31.000000000 +0200
+++ new/mksusecd-1.75/VERSION 2020-07-27 14:37:29.000000000 +0200
@@ -1 +1 @@
-1.74
+1.75
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.74/changelog new/mksusecd-1.75/changelog
--- old/mksusecd-1.74/changelog 2020-06-24 18:05:31.000000000 +0200
+++ new/mksusecd-1.75/changelog 2020-07-27 14:37:29.000000000 +0200
@@ -1,3 +1,21 @@
+2020-07-27: 1.75
+ - merge gh#openSUSE/mksusecd#50
+ - added "--sign-pass-file"
+ - added option for recreating and signing the repo
+ - remove "all done" message
+ - additional passphrase options are not necessary at key creation
+ - set additional options only when a existing sign key is specified
+ - print message if --sign-pass-file and missing
+ - sign-key
+ - readded removed line
+ - removed sign_passwd_option on import
+ - changed if-else-logic when specifying a passphrasefile
+ - readded redirection to /dev/null
+ - removed a print
+ - removed trailing spaces
+ - remove a single space
+ - additional options
+
 2020-06-24: 1.74
 - merge gh#openSUSE/mksusecd#49
 - add --sign-key-id option to allow specifying a gpg signing key by id
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mksusecd-1.74/mksusecd new/mksusecd-1.75/mksusecd
--- old/mksusecd-1.74/mksusecd 2020-06-24 18:05:31.000000000 +0200
+++ new/mksusecd-1.75/mksusecd 2020-07-27 14:37:29.000000000 +0200
@@ -239,6 +239,7 @@
 my $opt_sign = 1;
 my $opt_sign_key;
 my $opt_sign_key_id;
+my $opt_sign_pass_file;
 my $opt_sign_image;
 my @opt_kernel_rpms;
 my @opt_kernel_modules;
@@ -264,10 +265,12 @@
 my $opt_crypto_title;
 my $opt_crypto_top_dir;
 my $opt_instsys_in_repo = 1;
+my $opt_create_repo;
 GetOptions(
 'create|c=s' => sub { $opt_create = 1; $opt_dst = $_[1] },
+ 'create_repo' => sub { $opt_create_repo = 1;},
 'joliet' => \$opt_joliet,
 'no-joliet' => sub { $opt_joliet = 0 },
 'efi' => \$opt_efi,
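Review bot: The new `'create_repo'` key in GetOptions is the only long option here spelled with an underscore; the other entries visible in this hunk and the next one (`no-joliet`, `sign-key-id`, `sign-pass-file`) use hyphens, so a user typing `--create-repo` would most likely be told the option is unknown. Accepting both spellings keeps the released name working: `'create-repo|create_repo' => \$opt_create_repo,`. The usage line added in the hunk at -632 should then show the hyphenated form. The GetOptions call starts and ends outside the hunk.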
@@ -284,6 +287,7 @@
 'no-sign-image' => sub { $opt_sign_image = 0 },
 'sign-key=s' => \$opt_sign_key,
 'sign-key-id=s' => \$opt_sign_key_id,
+ 'sign-pass-file=s' => \$opt_sign_pass_file,
 'gpt' => sub { $opt_hybrid = 1; $opt_hybrid_gpt = 1 },
 'mbr' => sub { $opt_hybrid = 1; $opt_hybrid_mbr = 1 },
 'hybrid' => \$opt_hybrid,
@@ -419,6 +423,7 @@
 my $has_content;
 my $product_db;
 my $repomd_instsys_location;
+my $sign_passwd_option;
 my $progress_start = 0;
 my $progress_end = 100;
@@ -434,6 +439,18 @@
 die "$opt_size: invalid size\n" unless $image_size;
 }
+if ($opt_sign_pass_file) {
+ if ($opt_sign_key || $opt_sign_key_id) {
+ if (-e $opt_sign_pass_file) {
+ $sign_passwd_option = "--pinentry-mode loopback --passphrase-file $opt_sign_pass_file"
+ } else {
+ die "Passphrasefile $opt_sign_pass_file does not exist\n";
+ }
+ } else {
+ print "--sign-pass-file ignored because of missing --sign-key or --sign-key-id\n"
+ }
+}
+
 if($opt_create || $opt_list_repos) {
 # if(@opt_kernel_rpms) {
 # die "Sorry, you must run mksusecd as root to replace kernel modules." if $>;
@@ -536,6 +553,10 @@
 update_kernel_initrd;
 update_boot_options;
+ if($opt_create_repo) {
+ run_createrepo $sources[0]{dir};
+ }
+
 prepare_addon;
 sign_content_or_checksums if update_content_or_checksums;
@@ -599,14 +620,13 @@
 system "tagmedia --export-tags $tmp_dir/tags $iso_file >/dev/null 2>&1";
 if(-s "$tmp_dir/tags") {
 print "signing $iso_file\n" if $opt_verbose >= 1;
- system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $tmp_dir/tags";
+ system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $sign_passwd_option $tmp_dir/tags";
 system "tagmedia --import-signature $tmp_dir/tags.asc $iso_file";
 }
 }
 }
 }
-
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 # usage(exit_code)
 #
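Review bot: `my $sign_passwd_option;` stays undefined whenever `--sign-pass-file` is absent or ignored, yet the hunks at -599, -1866, -3297, -3362 and -3446 interpolate it into every gpg command string. If warnings are enabled in this script (not visible here), each signing run without a passphrase file would emit "Use of uninitialized value" messages. Initialising it makes the no-passphrase path explicit: `my $sign_passwd_option = "";`.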
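Review bot: The path given to `--sign-pass-file` is pasted unquoted into `$sign_passwd_option`, which the hunks at -599, -1866, -3297, -3362 and -3446 interpolate into `system "gpg …"` strings that are run through the shell, so a path containing spaces or shell metacharacters is split or interpreted by the shell instead of reaching gpg as one argument. The `-e` test also accepts directories and unreadable files, and the "ignored" notice is written to stdout with `print` where `warn` would keep it out of piped output. I would require a readable regular file, single-quote the path with embedded quotes escaped, and terminate the two branch-final statements that currently lack a semicolon. Since the file holds a key passphrase in clear text, the check is also a natural place to warn when it is readable by group or others.

```perl
if ($opt_sign_pass_file) {
  if ($opt_sign_key || $opt_sign_key_id) {
    die "Passphrasefile $opt_sign_pass_file is not a readable regular file\n"
      unless -f $opt_sign_pass_file && -r _;
    # The option string is interpolated into shell command lines, so
    # single-quote the path and escape any quote it contains.
    (my $quoted_pass_file = $opt_sign_pass_file) =~ s/'/'\\''/g;
    $sign_passwd_option = "--pinentry-mode loopback --passphrase-file '$quoted_pass_file'";
  }
  else {
    warn "--sign-pass-file ignored because of missing --sign-key or --sign-key-id\n";
  }
}
```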
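Review bot: `run_createrepo $sources[0]{dir};` regenerates the repository of the first source only, and nothing in the hunk says why the remaining entries of `@sources` are skipped or what happens when the first source carries no repository. A comment such as `# only the first source holds the repo metadata that is re-created and signed` (if that is the intent) would record the assumption. run_createrepo itself is defined outside this hunk, so its handling of a missing directory cannot be checked from here.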
@@ -632,6 +652,7 @@
 -c, --create FILE Create ISO image from SOURCES. SOURCES are either directories or existing ISO images.
+ --create_repo (Re)Create and sign the repository.
 --joliet Use Joliet extensions (default).
 --no-joliet Don't use Joliet extensions.
 --uefi Make ISO UEFI bootable (default).
@@ -649,7 +670,10 @@
 See Signing notes below.
 --sign-key-id KEY_ID Use this key id instead of generating a transient key.
 Note: gpg might show an interactive dialog asking for a
- password to unlock the key.
+ password to unlock the key unless you use the 'sign-pass-file'
+ option.
+ See Signing notes below.
+ --sign-pass-file Use the password stored in this file to open the key.
 See Signing notes below.
 --gpt Add GPT when in isohybrid mode.
 --mbr Add MBR when in isohybrid mode (default).
@@ -810,10 +834,14 @@
 If both '--sign-key' and '--sign-key-id' are specified, '--sign-key-id' wins.
+ You can specify a file which contains the passphrase to the key specified with
+ '--sign-key' or '--sign-key-id' to avoid an interactive dialog to enter
+ the passphrase.
+
 If there's neither a 'sign-key' nor a 'sign-key-id' option, a transient key is created. The public part is added to the initrd and the root directory of the image and the key is deleted.
-
+
 The key file is named 'gpg-pubkey-xxxxxxxx-xxxxxxxx.asc'.
 mksusecd can also embed a signature of the checksum metadata into the image.
@@ -1205,7 +1233,7 @@
 }
 }
- # s390 also uses el-torito
+ # s390 also uses el-torito
 for (sort keys %$boot) {
 if($_ eq 's390x') {
 $opt_no_mbr_code = 1 if !defined $opt_no_mbr_code;
@@ -1866,7 +1894,7 @@
 print "signing '$name'\n" if $opt_verbose >= 1;
- system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $name";
+ system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $sign_passwd_option $name";
 }
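Review bot: The help entry `--sign-pass-file` added in the hunk at -649 omits its argument placeholder, although the option is declared as `sign-pass-file=s` and the neighbouring entry is written `--sign-key-id KEY_ID`; it should read `--sign-pass-file FILE`. The description could also say what the file exposes, for example `The file holds the passphrase in clear text; keep it readable by the invoking user only.` The usage text starts and ends outside the hunk.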
@@ -1901,7 +1929,7 @@
 push @$files, { name => "$dir$5", type => $type, start => $3 + 0, size => $x[4] };
 }
 }
- }
+ }
 close $fd;
@@ -2056,7 +2084,7 @@
 next unless $_->{type} eq 'd';
 $fat_size++;
 }
-
+
 $fat_size += ($fat_size >> 8) + 4;
 # we want $fat_size to count 512 byte blocks, not 2k blocks as in iso fs
@@ -2097,7 +2125,7 @@
 next unless $_->{type} eq 'd';
 system "mmd -i '$tmp_fat' -D o ::$_->{name}";
 }
-
+
 # 2.: directory entries
 for (@$iso_files) {
 next unless $_->{type} eq ' ';
@@ -2123,16 +2151,16 @@
 system "mcopy -i '$tmp_fat' -D o $tmp ::padding$pad_cnt";
 }
 show_progress 100 * $pr_cnt / $pr_size;
- }
-
+ }
+
 system "mdel -i '$tmp_fat' '::padding*'" if $pad;
 # 4.: read file offsets
 for (@$iso_files) {
- $_->{fat} = 0;
+ $_->{fat} = 0;
 $_->{fat} = $1 if `mshowfat -i '$tmp_fat' ::$_->{name}` =~ /<(\d+)/;
 }
-
+
 # 5.: verify file offsets
 my $dif;
 my $first;
@@ -2142,7 +2170,7 @@
 $dif = $_->{start} - $_->{fat};
 last;
 }
-
+
 # for (@$iso_files) {
 # printf "%6d %6d [%4d] (%d)\t%s %8d %s\n", $_->{start}, $_->{fat}, $_->{start} - $_->{fat}, $_->{pad} ? $_->{pad} : 0, $_->{type}, $_->{size}, $_->{name};
 # }
@@ -3297,7 +3325,7 @@
 die "$sign_key_dir: no such gpg directory\n" unless -d $sign_key_dir;
 my $tmp_dir = $tmp->dir();
- system "gpg --homedir=$gpg_dir --export --armor --output $tmp_dir/key.pub '$opt_sign_key_id' >/dev/null 2>&1";
+ system "gpg --homedir=$gpg_dir --export --armor --output $tmp_dir/key.pub $sign_passwd_option '$opt_sign_key_id' >/dev/null 2>&1";
 my $keyid;
 my $date;
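Review bot: Adding `$sign_passwd_option` to the `gpg --export` call in the hunk at -3297 has no effect, because exporting a public key never unlocks the secret key; the same holds for the `--export` call in the hunk at -3362. For the `--import` call there, GnuPG documents that `--passphrase-file` is honoured only together with `--batch`, which that command does not pass, and the changelog entry "removed sign_passwd_option on import" suggests the option was meant to be dropped from it. `--pinentry-mode` also exists only since GnuPG 2.1 while the code at -3362 still distinguishes `$is_gpg21`, so on an older gpg these calls would presumably fail on the unknown option, unnoticed because of `>/dev/null 2>&1`. I would remove the variable from the import and export commands and set it only when the gpg in use is 2.1 or newer.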
@@ -3362,12 +3390,11 @@
 if(($priv || ($is_gpg21 && $pub)) && $date) {
 $sign_key_dir = $gpg_dir;
-
- system "gpg --homedir=$gpg_dir --import $key >/dev/null 2>&1";
+ system "gpg --homedir=$gpg_dir $sign_passwd_option --import $key >/dev/null 2>&1";
 my $cname = sprintf "gpg-pubkey-%08x-%08x.asc", hex($keyid) & 0xffffffff, $date;
 $sign_key_pub = "$gpg_dir/$cname";
- system "gpg --homedir=$gpg_dir --export --armor --output $sign_key_pub >/dev/null 2>&1";
+ system "gpg --homedir=$gpg_dir $sign_passwd_option --export --armor --output $sign_key_pub >/dev/null 2>&1";
 $sign_key_id = $keyid;
@@ -3446,7 +3473,7 @@
 print "re-signing '/$name'\n" if $opt_verbose >= 1;
- system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $c";
+ system "gpg --homedir=$sign_key_dir --local-user '$sign_key_id' --batch --yes --armor --detach-sign $sign_passwd_option $c";
 }