Hello tech,

The attached patch adds an autoinstall question to install.sub that lets
the user specify a custom signify key for the SHA256.sig file. 

I like to track -stable for a bunch of my servers, and it's convenient
to make a release and use autoinstall with bsd.rd to keep up to date.
I already use a personal signify key for packages, and it would be
handy to be able to use the same key to sign my patched sets.

I understand if this is an unwanted feature, and the preferred solution
is to just add 'Continue without verification = yes' to
auto_upgrade.conf. But if this might be a useful feature for more than
just me, this patch might be of interest. 

Thank you,
Todd


Index: distrib/miniroot/install.sub
===================================================================
RCS file: /cvs/src/distrib/miniroot/install.sub,v
retrieving revision 1.867
diff -u -p -u -p -r1.867 install.sub
--- distrib/miniroot/install.sub        27 Dec 2015 18:42:11 -0000      1.867
+++ distrib/miniroot/install.sub        7 Jan 2016 03:55:23 -0000
@@ -1224,7 +1224,8 @@ __EOT
 # user will know to try again.
 install_files() {
        local _src=$1 _files=$2 _f _sets _get_sets _n _col=$COLUMNS \
-               _tmpfs _tmpsrc _cfile _fsrc _unver _t _issue _srclocal
+               _tmpfs _tmpsrc _cfile _fsrc _unver _t _issue _srclocal \
+               _signifykey
 
        # Initialize _sets to the list of sets found in _src, and initialize
        # _get_sets to the intersection of _sets and DEFAULTSETS.
@@ -1308,8 +1309,10 @@ install_files() {
                        _issue="Cannot fetch SHA256.sig" && break
 
                # Verify signature file with public keys.
-               ! signify -Vep /etc/signify/openbsd-${VERSION}-base.pub \
-                       -x "$_cfile.sig" -m "$_cfile" &&
+               _signifykey="/etc/signify/openbsd-${VERSION}-base.pub"
+               $AUTO && ask "Location of signify key" "$_signifykey" &&
+                       [[ $resp != none ]] && _signifykey=$resp
+               ! signify -Vep "$_signifykey" -x "$_cfile.sig" -m "$_cfile" &&
                        _issue="Signature check of SHA256.sig failed" && break
 
                for _f in $_get_sets; do
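Review bot: The answer in $resp is assigned to _signifykey and passed straight to signify -p with no check that the file exists or is readable. A mistyped or missing path will then surface as "Signature check of SHA256.sig failed", which reads like a tampered download rather than a configuration error. Consider testing the path first, for example with [[ -r $resp ]], and setting a distinct _issue such as "Cannot read signify key" before the break. Since this answer replaces the trust anchor for the whole set verification, it would also help to print which key was used when it differs from the openbsd-${VERSION}-base.pub default.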
Index: share/man/man8/autoinstall.8
===================================================================
RCS file: /cvs/src/share/man/man8/autoinstall.8,v
retrieving revision 1.16
diff -u -p -u -p -r1.16 autoinstall.8
--- share/man/man8/autoinstall.8        15 May 2015 18:53:05 -0000      1.16
+++ share/man/man8/autoinstall.8        7 Jan 2016 03:55:26 -0000
@@ -180,6 +180,10 @@ A template file for
 autopartitioning is fetched from
 .Ar url
 allowing a custom partition layout for the root disk.
+.It Location of signify key = Ar path
+A path to the
+.Xr signify 1
+public key used to verify the release distribution files.
 .El
 .Sh FILES
 .Bl -tag -width "/etc/dhcpd.confXXX" -compact
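Review bot: The new .It entry does not document the default value or the special answer "none", both of which install.sub handles ([[ $resp != none ]] keeps the openbsd-${VERSION}-base.pub default). It also does not say that path is read by install.sub at install time, so the key has to be present in the installer's own filesystem. Suggest adding a sentence for each, so a reader knows an absent answer still verifies against the base key and that the custom key must be shipped with the install media.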