
[devtools] makechrootpkg: respect GNUPGHOME

Message ID 20180226190317.2760-1-me@aimileus.nl
State Superseded

Commit Message

Emil Velikov via arch-projects Feb. 26, 2018, 7:03 p.m. UTC
Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user
uses a custom GPG home directory, the signature checking would fail.
Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.

Signed-off-by: Emiel Wiedijk <me@aimileus.nl>
---
 makechrootpkg.in | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

Comments

Emil Velikov via arch-projects Feb. 26, 2018, 7:51 p.m. UTC | #1
On 02/26/2018 02:03 PM, Emiel Wiedijk via arch-projects wrote:
> Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user
> uses a custom GPG home directory, the signature checking would fail.
> Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.

There is no signature checking in the chroot, see
https://lists.archlinux.org/pipermail/arch-projects/2018-January/004709.html
Emil Velikov via arch-projects Feb. 27, 2018, 10:41 a.m. UTC | #2
> On 02/26/2018 02:03 PM, Emiel Wiedijk via arch-projects wrote:
>
> > Previously, makechrootpkg hardcoded ~/.gnupg. Therefore, if a user
> > uses a custom GPG home directory, the signature checking would fail.
> > Now makechrootpkg uses $GNUPGHOME, with a fallback to ~/.gnupg.
>
> There is no signature checking in the chroot, see
> https://lists.archlinux.org/pipermail/arch-projects/2018-January/004709.html
>
> Eli Schwartz
> Bug Wrangler and Trusted User

Correct, but makepkg --verifysource is run with sudo -u $myuser, and sudo
resets the environment. And the code that copies ~/.gnupg to the chroot
apparently hasn't been removed yet (as of 38c7a391b043547b946a99731a56a233458ba7a2).
I just assumed (apparently wrongly) that it was for GnuPG related tasks in the
PKGBUILD, and adjusted the code to copy the correct directory.

Emiel Wiedijk
Emil Velikov via arch-projects Feb. 27, 2018, 2:44 p.m. UTC | #3
On 02/27/2018 05:41 AM, Emiel Wiedijk via arch-projects wrote:
> Correct, but makepkg --verifysource is run with sudo -u $myuser, and sudo
> resets the environment. And the code that copies ~/.gnupg to the chroot
> apparently hasn't been removed yet (as of 38c7a391b043547b946a99731a56a233458ba7a2).
> I just assumed (apparently wrongly) that it was for GnuPG related tasks in the
> PKGBUILD, and adjusted the code to copy the correct directory.

My point is that there is really no point in trying to preserve it in
the chroot, since that section is dead code to begin with, and if you do
anyways then your patch may clash with other pending patches. So of the
three changes your patch made, you should probably only make the second
and third.

I don't blame you for actually thinking dead code did something. :D

Patch

diff --git a/makechrootpkg.in b/makechrootpkg.in
index afcd121..5a79dc0 100644
--- a/makechrootpkg.in
+++ b/makechrootpkg.in
@@ -182,9 +182,10 @@  prepare_chroot() {
 
 	$install -d "$copydir"/{build,build/.gnupg,startdir,{pkg,srcpkg,src,log}dest}
 
-	for x in .gnupg/pubring.{kbx,gpg}; do
-		[[ -r $USER_HOME/$x ]] || continue
-		$install -m 644 "$USER_HOME/$x" "$copydir/build/$x"
+	for x in pubring.{kbx,gpg}; do
+		local pubring="${GNUPGHOME:-$USER_HOME/.gnupg}/$x"
+		[[ -r "$pubring" ]] || continue
+		$install -m 644 "$pubring" "$copydir/build/.gnupg/$x"
 	done
 
 	sed -e '/^MAKEFLAGS=/d' -e '/^PACKAGER=/d' -i "$copydir/etc/makepkg.conf"
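
Review bot: The rewritten pubring loop in prepare_chroot still copies a keyring into "$copydir/build/.gnupg", but the discussion above states that there is no signature checking in the chroot and that this section is dead code, so this hunk is better dropped than extended (the review also warns it may clash with other pending patches). If it is kept anyway, note that the source path now comes from the GNUPGHOME environment variable and the file is installed with mode 644, so a path chosen by the caller ends up world-readable inside the chroot; and `local pubring` is better declared once before the `for` than on every iteration.
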
@@ -252,7 +253,8 @@  download_sources() {
 	chmod 1777 "$builddir"
 
 	# Ensure sources are downloaded
-	sudo -u "$makepkg_user" env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \
+	sudo -u "$makepkg_user" --preserve-env=GNUPGHOME \
+		env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \
 		makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o ||
 		die "Could not download sources."
 
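
Review bot: On the `sudo -u "$makepkg_user" --preserve-env=GNUPGHOME` line, GNUPGHOME reaches makepkg by a different route than SRCDEST and BUILDDIR, which are set explicitly through `env` on the following line. --preserve-env depends on the sudo security policy allowing it, so passing the variable through `env` as well, and only when it is set, for example ${GNUPGHOME:+GNUPGHOME="$GNUPGHOME"}, would keep the three variables consistent and independent of sudoers. The case where $makepkg_user is not the invoking user also deserves a thought: the directory named by GNUPGHOME may not be readable by that account, and a failure there surfaces only as the generic "Could not download sources." message.
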
@@ -341,7 +343,7 @@  main() {
 	[[ -n $makepkg_user && -z $(id -u "$makepkg_user") ]] && die 'Invalid makepkg user.'
 	makepkg_user=${makepkg_user:-${SUDO_USER:-$USER}}
 
-	check_root SOURCE_DATE_EPOCH
+	check_root SOURCE_DATE_EPOCH,GNUPGHOME
 
 	# Canonicalize chrootdir, getting rid of trailing /
 	chrootdir=$(readlink -e "$passeddir")
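
Review bot: `check_root SOURCE_DATE_EPOCH,GNUPGHOME` adds a caller-controlled path to the list handed to check_root, with no validation of the value and no comment saying why it is needed. A one-line comment that it exists for the `makepkg --verifysource` call in download_sources would help the next reader, and the value should be checked (absolute path, existing directory) before the rest of the script uses it.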