Hello community, here is the log from the commit of package mkdud for openSUSE:Factory checked in at 2016-01-13 22:46:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mkdud (Old) and /work/SRC/openSUSE:Factory/.mkdud.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mkdud" Changes: -------- --- /work/SRC/openSUSE:Factory/mkdud/mkdud.changes 2015-10-12 10:02:25.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.mkdud.new/mkdud.changes 2016-01-13 22:46:25.000000000 +0100 @@ -1,0 +2,12 @@ +Wed Jan 13 13:56:12 UTC 2016 - [email protected] + +- use mkpath instead of make_path to be compatible with older perl versions +- 1.21 + +------------------------------------------------------------------- +Wed Jan 13 11:58:31 UTC 2016 - [email protected] + +- suppport adding public pgp keys for rpm verification +- 1.20 + +------------------------------------------------------------------- Old: ---- mkdud-1.19.tar.xz New: ---- mkdud-1.21.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mkdud.spec ++++++ --- /var/tmp/diff_new_pack.rMLFZO/_old 2016-01-13 22:46:26.000000000 +0100 +++ /var/tmp/diff_new_pack.rMLFZO/_new 2016-01-13 22:46:26.000000000 +0100 @@ -23,7 +23,7 @@ Summary: Create driver update from rpms License: GPL-3.0+ Group: Hardware/Other -Version: 1.19 +Version: 1.21 Release: 0 Source: %{name}-%{version}.tar.xz Url: https://github.com/wfeldt/mkdud ++++++ mkdud-1.19.tar.xz -> mkdud-1.21.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.19/README.md new/mkdud-1.21/README.md --- old/mkdud-1.19/README.md 2015-09-29 11:14:03.000000000 +0200 +++ new/mkdud-1.21/README.md 2016-01-13 14:51:37.000000000 +0100 
@@ -63,6 +63,24 @@ # mkdud --install instsys --dist sle11 --create foo3.dud yast2-bootloader/binaries/* </pre> +There's still a catch: if you build the RPM yourself or in the openSUSE +Build Service and so the RPM is probably signed with a key that is not included on the +install media, you'll get a warning that the package could not be verified +during installation. + +For this, `mkdud` can handle public gpg keys. You just add them on the command +line. For example: + +<pre> + # mkdud -c foo.dud -d sle12 bar.rpm bar.pub +</pre> + +will integrate bar.pub into the RPM key database so it is used to verify +bar.rpm. + +Note that these keys are not copied into the target system. They are only +part of the installation environment. + ### Adding and running programs Sometimes you need to include and run a script to fix things. For example diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.19/VERSION new/mkdud-1.21/VERSION --- old/mkdud-1.19/VERSION 2015-09-29 11:14:03.000000000 +0200 +++ new/mkdud-1.21/VERSION 2016-01-13 14:51:37.000000000 +0100 @@ -1 +1 @@ -1.19 +1.21 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.19/changelog new/mkdud-1.21/changelog --- old/mkdud-1.19/changelog 2015-09-29 11:14:03.000000000 +0200 +++ new/mkdud-1.21/changelog 2016-01-13 14:51:37.000000000 +0100 @@ -1,3 +1,9 @@ +2016-01-13: 1.21 + - use mkpath instead of make_path to be compatible with older perl versions + +2016-01-13: 1.20 + - suppport adding public pgp keys for rpm verification + 2015-09-28: 1.19 - Add information about openSUSE development - Convert README to Markdown diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/mkdud-1.19/mkdud new/mkdud-1.21/mkdud --- old/mkdud-1.19/mkdud 2015-09-29 11:14:03.000000000 +0200 +++ new/mkdud-1.21/mkdud 2016-01-13 14:51:37.000000000 +0100 
@@ -113,6 +113,7 @@
 sub get_service_pack;
 sub set_format;
 sub import_sign_key;
+sub get_sign_key_name;
 sub sign_file;
 my %config;
@@ -398,6 +399,10 @@ - RPMs. The packages are used according to the value of the --install option. + - PGP pubic key files (ASCII). The files are added to the rpm key database for verifying + RPMs during the installation process. Note that the keys are not copied + into the target system (the installed system). + - kernel modules. - 'module.order' files. See driver update documentation.
@@ -513,7 +518,8 @@
 my $f = `rpm --nosignature -qp --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}' $_[0] 2>$tmp_err`;
 if($f eq "") {
 print STDERR "failed to read rpm: $_[0]\n";
- open my $x, $tmp_err;
+ my $x;
+ open $x, $tmp_err;
 print STDERR $_ while (<$x>);
 close $x;
 exit 1;
@@ -641,6 +647,10 @@
 push @files, { type => 'bin', file => $_[0] } if -x $_[0];
 return;
 }
+ elsif($l =~ /^-----BEGIN PGP PUBLIC KEY BLOCK-----/) {
+ push @files, { type => 'pubkey', file => $_[0] };
+ return;
+ }
 else {
 push @files, { type => 'doc', file => $_[0] };
 return;
@@ -828,6 +838,8 @@
 mkdir "$tmp_dud/linux", 0755;
 mkdir "$tmp_dud/linux/suse", 0755;
+ my $has_pubkeys;
+
 # one id per update, not for every arch
 my $id;
 chomp($id = `uuidgen 2>/dev/null`);
@@ -908,6 +920,15 @@
 system "cp '$_->{file}' $base/install/";
 }
+ if($_->{type} eq 'pubkey') {
+ $dud_ok = 1;
+ File::Path::mkpath("$base/inst-sys/usr/lib/rpm/gnupg/keys", { mode => 0755 });
+ my $n = get_sign_key_name($_->{file});
+ if($n) {
+ system "cp '$_->{file}' '$base/inst-sys/usr/lib/rpm/gnupg/keys/$n'";
+ }
+ }
+
 if($_->{type} eq 'module.order') {
 $dud_ok = 1;
 mkdir "$base/modules", 0755;
@@ -934,7 +955,7 @@
 else {
 $dud_ok = 1;
 my $d = "$base/y2update/$_->{location}";
- File::Path::make_path($d);
+ File::Path::mkpath($d);
 if(-d $d) {
 system "cp '$_->{file}' $d";
 }
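Review bot: The help text added in the hunk at -398 misspells the file type: `PGP pubic key files (ASCII)` should read `PGP public key files (ASCII)`. It would also help to say what mkdud recognises as such a file, since the classifier in the hunk at -641 appears to key on a line starting with `-----BEGIN PGP PUBLIC KEY BLOCK-----`; for example `- PGP public key files (ASCII armored, starting with -----BEGIN PGP PUBLIC KEY BLOCK-----). The files are added to the rpm key database for verifying`.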
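Review bot: `open $x, $tmp_err;` in the hunk at -513 keeps the two-argument open and does not check its result, so the following `print STDERR $_ while (<$x>);` reads from an unopened handle when the temp file cannot be opened; `open $x, '<', $tmp_err or die "open $tmp_err: $!";` makes the mode explicit and the failure visible. The hunk at -1743 has the same pattern with `open $f, $fn;` on a glob result under `$dir/install`, where `open $f, '<', $fn or next;` would keep the loop going past an unreadable file. Both hunks only move the `my` out of the `open`, presumably for older perls, so this is a follow-up rather than a regression introduced here; the enclosing blocks start and end outside the hunks.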
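Review bot: The new `pubkey` branch in the hunk at -908 builds the copy as a shell string, `system "cp '$_->{file}' '$base/inst-sys/usr/lib/rpm/gnupg/keys/$n'";`, so a single quote or other shell metacharacter in a key file name given on the command line alters the command rather than being treated as part of the path; the list form `system 'cp', $_->{file}, "$base/inst-sys/usr/lib/rpm/gnupg/keys/$n";` passes both paths without a shell. The return value of `system` is also not checked, so a failed copy leaves `$dud_ok` already set and the dud is built without the key; `... == 0 or die "copying $_->{file} failed\n";` would surface it. The surrounding context lines use the same string-built `cp`, so this matches the file's existing style, but the new line is a good place to start. The `if($n)` guard can only be false if `get_sign_key_name` returns a false value, which the hunk at -1984 shows it never does (it returns a name or dies). The enclosing loop starts and ends outside the hunk.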
@@ -953,6 +974,10 @@
 rmdir "$base/inst-sys/usr/share";
 rmdir "$base/inst-sys/usr";
 }
+
+ if(glob("$base/inst-sys/usr/lib/rpm/gnupg/keys/*.asc")) {
+ $has_pubkeys = 1;
+ }
 }
 if(!$opt_force) {
@@ -1139,7 +1164,7 @@
 push @{$scripts->{'update.pre'}}, $c;
- my $c = <<'= = = = = = = =';
+ $c = <<'= = = = = = = =';
 #! /bin/bash
 # script generated by mkdud <version>
@@ -1159,6 +1184,26 @@
 push @{$scripts->{'update.post2'}}, $c;
 }
+ if($has_pubkeys) {
+ my $c = <<'= = = = = = = =';
+#! /bin/bash
+
+# script generated by mkdud <version>
+
+dir=${0%/*/*}
+dir=${dir#/*/}
+
+repo="baseurl=dir:///$dir/repo"
+
+touch /installkey.gpg
+gpg --batch --homedir /root/.gnupg --no-default-keyring --ignore-time-conflict --ignore-valid-from --keyring /installkey.gpg --import /usr/lib/rpm/gnupg/keys/*
+= = = = = = = =
+
+ $c =~ s#<version>#$VERSION#;
+
+ push @{$scripts->{'update.pre'}}, $c;
+ }
+
 for (@files) {
 if($_->{type} =~ /^update\.(pre|post|post2)/) {
 my $s = `cat $_->{file}`;
@@ -1210,7 +1255,7 @@
 if($use_all_archs) {
 my @a = @all_archs;
- unshift @a;
+ shift @a;
 for my $arch (@a) {
 for ($dist, @dists) {
@@ -1743,7 +1788,8 @@
 my $type;
 for my $fn (glob("$dir/install/*update.pre")) {
- open my $f, $fn;
+ my $f;
+ open $f, $fn;
 my @f = (<$f>);
 close $f;
 next unless grep { /^# script generated by mkdud / } @f;
@@ -1804,6 +1850,7 @@
 chomp(my @f = `cd $dir/inst-sys; find . -type f`);
 @f = map { s#^\.##; $_ } sort @f;
 @f = grep { $_ ne "/.update.$id" } @f;
+ @f = grep { ! m#^/usr/lib/rpm/gnupg/keys/[^/]+.asc$# } @f;
 if(-e "$dir/inst-sys/sbin/yast") {
 $sect{instsys} .= " *** Warning: replaces /sbin/yast. ***\n";
@@ -1826,6 +1873,15 @@
 # ----------------------------
 # other files
+ for (glob("$dir/inst-sys/usr/lib/rpm/gnupg/keys/*")) {
+ s#^.*/##;
+ next unless /\.asc$/;
+ $sect{pubkeys} .= " $_\n";
+ }
+
+ # ----------------------------
+ # other files
+
 for (glob("$dir/install/*")) {
 s#^.*/##;
 next if /\.rpm$/;
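Review bot: The generated update.pre script in the hunk at -1159 assigns `dir=${0%/*/*}`, `dir=${dir#/*/}` and `repo="baseurl=dir:///$dir/repo"` but never uses them; only the `touch` and `gpg --import` lines do any work, so the three assignments look carried over from the neighbouring script template and can be dropped. The import globs `/usr/lib/rpm/gnupg/keys/*`, whereas `$has_pubkeys` is set in the hunk at -953 only when `*.asc` files exist there and the listing in the hunk at -1826 filters on `\.asc$`; `--import /usr/lib/rpm/gnupg/keys/*.asc` would keep the three places consistent. A one-line comment above the `gpg` call such as `# import the bundled keys into the installer's rpm keyring; they are not installed into the target system` would spare readers of the generated script a trip back to the help text. The enclosing function starts and ends outside the hunk.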
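Review bot: The filter added in the hunk at -1804, `@f = grep { ! m#^/usr/lib/rpm/gnupg/keys/[^/]+.asc$# } @f;`, leaves the `.` before `asc` unescaped, so it matches any character there and also hides names ending in e.g. `xasc`; the sibling loop in the hunk at -1826 uses `/\.asc$/`, so this line should use `[^/]+\.asc$` as well. The enclosing function starts and ends outside the hunk.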
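Review bot: The `# other files` header placed above the new key-listing loop in the hunk at -1826 is a copy of the header of the block that follows it, so the section now carries the wrong title; `# rpm public keys` describes what the loop collects into `$sect{pubkeys}`. The enclosing function starts and ends outside the hunk.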
@@ -1867,6 +1923,10 @@
 $log .= " YaST Update:\n$sect{y2update}";
 }
+ if($sect{pubkeys}) {
+ $log .= " RPM Public Keys:\n$sect{pubkeys}";
+ }
+
 if($sect{instsys}) {
 $log .= " Installation System:\n$sect{instsys}";
 }
@@ -1984,6 +2044,39 @@
 }
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+sub get_sign_key_name
+{
+ my $key = $_[0];
+
+ my $keyid;
+ my $date;
+ my $priv;
+ my $pub;
+
+ local $_;
+
+ if(open my $p, "gpg -v -v $key 2>&1 |") {
+ while(<$p>) {
+ $priv = 1 if /BEGIN PGP PRIVATE KEY BLOCK/;
+ $pub = 1 if /BEGIN PGP PUBLIC KEY BLOCK/;
+ $keyid = $1 if !$keyid && /^:signature packet:.*keyid\s+([0-9a-zA-Z]+)/;
+ $date = $1, last if !$date && $keyid && /created\s+(\d+)/;
+ }
+ close $p;
+ }
+
+ if($pub && $date) {
+ return sprintf "gpg-pubkey-%08x-%08x.asc", hex($keyid) & 0xffffffff, $date;
+ }
+ else {
+ die "$key: signing key is not a public key\n";
+ }
+
+ return undef;
+}
+
+
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 sub sign_file
 {
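Review bot: In `get_sign_key_name` (hunk at -1984) the pipe open `open my $p, "gpg -v -v $key 2>&1 |"` interpolates the key file name into a shell command line, so a name containing whitespace or shell metacharacters is split or interpreted instead of reaching gpg as one argument; `open my $p, '-|', 'sh', '-c', 'exec gpg -v -v "$1" 2>&1', 'sh', $key` keeps the stderr redirect while passing the name as a single positional parameter, and the `close $p` result should be checked so a gpg failure is not reported as "not a public key". `hex($keyid) & 0xffffffff` relies on a 64-bit integer for a 16-digit key id and, if `use warnings` is in effect, can raise the `Hexadecimal number > 0xffffffff non-portable` warning; `hex(substr($keyid, -8))` yields the same low 32 bits on any build. The trailing `return undef;` is unreachable because the branches above either return or die, and `$priv` is set but never consulted, so it should either join the decision (refuse a file that also carries a private key block) or be removed. A one-line comment above the loop saying that the key id is taken from the first signature packet and the date from the first `created` field after it would make the parsing intent explicit for the next maintainer.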
