diff --git a/bdisk/bGPG.py b/bdisk/bGPG.py index 2900f94..21cb92d 100755 --- a/bdisk/bGPG.py +++ b/bdisk/bGPG.py @@ -25,6 +25,15 @@ def genGPG(conf): gpghome = build['dlpath'] + '/.gnupg' os.environ['GNUPGHOME'] = gpghome gpg = gpgme.Context() + # do we need to add a keyserver? + if build['gpgkeyserver'] != '': + dirmgr = '{0}/dirmngr.conf'.format(gpghome) + if os.path.isfile(dirmgr): + with open(dirmgr, 'r+') as f: + findme = any(gpgmirror in line for line in f) + if not findme: + f.seek(0, os.SEEK_END) + f.write("\n# Added by {0}.\nkeyserver {1}\n") if mykey: try: privkey = gpg.get_key(mykey, True) @@ -37,9 +46,6 @@ def genGPG(conf): if key.can_sign: pkeys.append(key) break - #for subkey in key.subkeys: # for parsing each and every subkey- this should be unnecessary - #if subkey.can_sign: - #pkeys.append(gpg.get_key(subkey.fpr)) if len(pkeys) == 0: print("{0}: [GPG] Generating a GPG key...".format(datetime.datetime.now())) loader = jinja2.FileSystemLoader(templates_dir) @@ -48,6 +54,15 @@ def genGPG(conf): tpl_out = tpl.render(build = build, bdisk = bdisk) privkey = gpg.get_key(gpg.genkey(tpl_out).fpr, True) pkeys.append(privkey) + # do we need to add a keyserver? this is for the freshly-generated GNUPGHOME + if build['gpgkeyserver'] != '': + dirmgr = '{0}/dirmngr.conf'.format(gpghome) + with open(dirmgr, 'r+') as f: + findme = any(gpgmirror in line for line in f) + if not findme: + f.seek(0, os.SEEK_END) + f.write("\n# Added by {0}.\nkeyserver {1}\n" + gpg.signers = pkeys # Now we try to find and add the key for the base image. gpg.keylist_mode = 2 # remote (keyserver) try: @@ -67,23 +82,28 @@ def genGPG(conf): subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT) sigkeys = [] for k in gpg.get_key(importkey).subkeys: - signkeys.append(k.fpr) + sigkeys.append(k.fpr) + cmd = ['/usr/bin/gpg', + '--batch', + '--yes', + '--lsign-key', + '0x{0}'.format(importkey)] + subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT) + return(gpg) - - # RETURNS: - # our private/signing keys: privkey (is a list) - - -def killStaleAgent(): +def killStaleAgent(conf): # Kill off any stale GPG agents running. # Probably not even needed, but good to have. + chrootdir = conf['build']['chrootdir'] + dlpath = conf['build']['dlpath'] procs = psutil.process_iter() plst = [] for p in procs: - if (p.name() == 'gpg-agent' and p.uids()[0] == os.getuid()): + if (p.name() in ('gpg-agent', 'dirmngr') and p.uids()[0] == os.getuid()): pd = psutil.Process(p.pid).as_dict() - if pd['cwd'] != '/': - plst.append(p.pid) + for d in (chrootdir, dlpath): + if pd['cwd'].startswith('{0}'.format(d)): + plst.append(p.pid) if len(plst) >= 1: for p in plst: psutil.Process(p).terminate() @@ -132,3 +152,7 @@ def signIMG(path, conf): def gpgVerify(sigfile, datafile, conf): pass + +def delTempKeys(conf): + pass + killStaleAgent(conf) diff --git a/bdisk/bdisk.py b/bdisk/bdisk.py index 9bbe53f..749a9b8 100755 --- a/bdisk/bdisk.py +++ b/bdisk/bdisk.py @@ -7,6 +7,7 @@ import datetime import bSSL import ipxe import bsync +import bGPG # we need to: # we also need to figure out how to implement "mentos" (old bdisk) like functionality, letting us reuse an existing chroot install if possible to save time for future builds. @@ -16,6 +17,7 @@ if __name__ == '__main__': print('{0}: Starting.'.format(datetime.datetime.now())) conf = host.parseConfig(host.getConfig())[1] prep.dirChk(conf) + conf['gpgobj'] = bGPG.genGPG(conf) prep.buildChroot(conf['build'], keep = False) prep.prepChroot(conf['build'], conf['bdisk'], conf['user']) arch = conf['build']['arch'] diff --git a/extra/dist.build.ini b/extra/dist.build.ini index a58c671..c83e5e4 100644 --- a/extra/dist.build.ini +++ b/extra/dist.build.ini @@ -195,8 +195,11 @@ gpgkey = 7F2D434B9741E8AC ; What is a valid keyserver we should use ; to fetch gpgkey? ; 0.) Only used if mirrorgpgsig is set -; 1.) The default is probably fine. -gpgkeyserver = pgp.mit.edu +; 1.) The default (blank) is probably fine. +; If you don't specify a personal GPG config +; (under the gpg section), then you'll definitely probably +; want to leave this blank. +gpgkeyserver = ; Should we sign our release files? (See the GPG section) ; 0.) Only accepts (case-insensitive):