Message ID | 20180226190317.2760-1-me@aimileus.nl |
---|---|
State | Superseded |
Headers | show |
On 02/26/2018 02:03 PM, Emiel Wiedijk via arch-projects wrote: > Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user > uses a custom GPG home directory, the siganture checking would fail. > Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg. There is no signature checking in the chroot, see https://lists.archlinux.org/pipermail/arch-projects/2018-January/004709.html
> On 02/26/2018 02:03 PM, Emiel Wiedijk via arch-projects wrote: > > > Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user > > > > uses a custom GPG home directory, the siganture checking would fail. > > > > Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg. > > There is no signature checking in the chroot, see > > https://lists.archlinux.org/pipermail/arch-projects/2018-January/004709.html > > > ----------------------------------------------------------------------------------------------------------------------------------- > > Eli Schwartz > > Bug Wrangler and Trusted User Correct, but makepkg --verifysource is run with sudo -u $myuser, and sudo resets the environment. And the code that copies ~/.gnupg to the chroot apparantly hasn't been removed yet (as of 38c7a391b043547b946a99731a56a233458ba7a2). I just assumed (apparantly wrongly) that it was for GnuPG related tasks in the PKGBUILD, and adjusted the code to copy the correct directory. Emiel Wiedijk
On 02/27/2018 05:41 AM, Emiel Wiedijk via arch-projects wrote: > Correct, but makepkg --verifysource is run with sudo -u $myuser, and sudo > resets the environment. And the code that copies ~/.gnupg to the chroot > apparantly hasn't been removed yet (as of 38c7a391b043547b946a99731a56a233458ba7a2). > I just assumed (apparantly wrongly) that it was for GnuPG related tasks in the > PKGBUILD, and adjusted the code to copy the correct directory. My point is that there is really no point in trying to preserve it in the chroot, since that section is dead code to begin with, and if you do anyways then your patch may clash with other pending patches. So of the three changes your patch made, you should probably only make the second and third. I don't blame you for actually thinking dead code did something. :D
diff --git a/makechrootpkg.in b/makechrootpkg.in index afcd121..5a79dc0 100644 --- a/makechrootpkg.in +++ b/makechrootpkg.in @@ -182,9 +182,10 @@ prepare_chroot() { $install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest} - for x in .gnupg/pubring.{kbx,gpg}; do - [[ -r $USER_HOME/$x ]] || continue - $install -m 644 "$USER_HOME/$x" "$copydir/build/$x" + for x in pubring.{kbx,gpg}; do + local pubring="${GNUPGHOME:-$USER_HOME/.gnupg}/$x" + [[ -r "$pubring" ]] || continue + $install -m 644 "$pubring" "$copydir/build/.gnupg/$x" done sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf" @@ -252,7 +253,8 @@ download_sources() { chmod 1777 "$builddir" # Ensure sources are downloaded - sudo -u "$makepkg_user" env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \ + sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \ + env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \ makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o || die "Could not download sources." @@ -341,7 +343,7 @@ main() { [[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.' makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}} - check_root SOURCE_DATE_EPOCH + check_root SOURCE_DATE_EPOCH,GNUPGHOME # Canonicalize chrootdir, getting rid of trailing / chrootdir=$(readlink -e "$passeddir")
Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user uses a custom GPG home directory, the siganture checking would fail. Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg. Signed-off-by: Emiel Wiedijk <me@aimileus.nl> --- makechrootpkg.in | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)