final checkin for the night
This commit is contained in:
parent
39e037c08a
commit
77590ef0a0
@ -25,6 +25,15 @@ def genGPG(conf):
|
|||||||
gpghome = build['dlpath'] + '/.gnupg'
|
gpghome = build['dlpath'] + '/.gnupg'
|
||||||
os.environ['GNUPGHOME'] = gpghome
|
os.environ['GNUPGHOME'] = gpghome
|
||||||
gpg = gpgme.Context()
|
gpg = gpgme.Context()
|
||||||
|
# do we need to add a keyserver?
|
||||||
|
if build['gpgkeyserver'] != '':
|
||||||
|
dirmgr = '{0}/dirmngr.conf'.format(gpghome)
|
||||||
|
if os.path.isfile(dirmgr):
|
||||||
|
with open(dirmgr, 'r+') as f:
|
||||||
|
findme = any(gpgmirror in line for line in f)
|
||||||
|
if not findme:
|
||||||
|
f.seek(0, os.SEEK_END)
|
||||||
|
f.write("\n# Added by {0}.\nkeyserver {1}\n")
|
||||||
if mykey:
|
if mykey:
|
||||||
try:
|
try:
|
||||||
privkey = gpg.get_key(mykey, True)
|
privkey = gpg.get_key(mykey, True)
|
||||||
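Review bot: The keyserver line appended to dirmngr.conf is never formatted: `f.write("\n# Added by {0}.\nkeyserver {1}\n")` writes the template with its `{0}`/`{1}` placeholders intact, so the file ends up containing the literal text `keyserver {1}` instead of the configured server, and dirmngr will reject it; the same unformatted write appears in the hunk at `@ -48,6 +54,15`. The membership test `any(gpgmirror in line for line in f)` also reads `gpgmirror`, which is not assigned anywhere visible in genGPG — unless it is a module-level name this raises NameError, and the value to search for is presumably `build['gpgkeyserver']`. A minimal fix is `keyserver = build['gpgkeyserver']`, `findme = any(keyserver in line for line in f)` and `f.write("\n# Added by {0}.\nkeyserver {1}\n".format(PROGRAM_NAME, keyserver))` with PROGRAM_NAME being whatever name the project wants in the comment (placeholder, not on this page). genGPG's signature and the lines before this block are outside the hunk.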
@ -37,9 +46,6 @@ def genGPG(conf):
|
|||||||
if key.can_sign:
|
if key.can_sign:
|
||||||
pkeys.append(key)
|
pkeys.append(key)
|
||||||
break
|
break
|
||||||
#for subkey in key.subkeys: # for parsing each and every subkey- this should be unnecessary
|
|
||||||
#if subkey.can_sign:
|
|
||||||
#pkeys.append(gpg.get_key(subkey.fpr))
|
|
||||||
if len(pkeys) == 0:
|
if len(pkeys) == 0:
|
||||||
print("{0}: [GPG] Generating a GPG key...".format(datetime.datetime.now()))
|
print("{0}: [GPG] Generating a GPG key...".format(datetime.datetime.now()))
|
||||||
loader = jinja2.FileSystemLoader(templates_dir)
|
loader = jinja2.FileSystemLoader(templates_dir)
|
||||||
@ -48,6 +54,15 @@ def genGPG(conf):
|
|||||||
tpl_out = tpl.render(build = build, bdisk = bdisk)
|
tpl_out = tpl.render(build = build, bdisk = bdisk)
|
||||||
privkey = gpg.get_key(gpg.genkey(tpl_out).fpr, True)
|
privkey = gpg.get_key(gpg.genkey(tpl_out).fpr, True)
|
||||||
pkeys.append(privkey)
|
pkeys.append(privkey)
|
||||||
|
# do we need to add a keyserver? this is for the freshly-generated GNUPGHOME
|
||||||
|
if build['gpgkeyserver'] != '':
|
||||||
|
dirmgr = '{0}/dirmngr.conf'.format(gpghome)
|
||||||
|
with open(dirmgr, 'r+') as f:
|
||||||
|
findme = any(gpgmirror in line for line in f)
|
||||||
|
if not findme:
|
||||||
|
f.seek(0, os.SEEK_END)
|
||||||
|
f.write("\n# Added by {0}.\nkeyserver {1}\n"
|
||||||
|
gpg.signers = pkeys
|
||||||
# Now we try to find and add the key for the base image.
|
# Now we try to find and add the key for the base image.
|
||||||
gpg.keylist_mode = 2 # remote (keyserver)
|
gpg.keylist_mode = 2 # remote (keyserver)
|
||||||
try:
|
try:
|
||||||
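Review bot: The added `f.write("\n# Added by {0}.\nkeyserver {1}\n"` line is missing its closing parenthesis, so the module no longer compiles — the following `gpg.signers = pkeys` line is swallowed into the unterminated call and the parser fails there. Unlike the earlier hunk, this copy opens `dirmgr` with `'r+'` and no `os.path.isfile` guard, and a freshly generated GNUPGHOME will not necessarily contain a dirmngr.conf yet, so `open` raises FileNotFoundError; mirroring the earlier `if os.path.isfile(dirmgr):` guard (or opening with `'a+'`, calling `f.seek(0)` before the scan, and appending after) avoids that. Since the two blocks are identical apart from that guard, pulling them into one private helper called from both places would also keep the fix in one spot. genGPG continues outside the hunk.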
@ -67,22 +82,27 @@ def genGPG(conf):
|
|||||||
subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT)
|
subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT)
|
||||||
sigkeys = []
|
sigkeys = []
|
||||||
for k in gpg.get_key(importkey).subkeys:
|
for k in gpg.get_key(importkey).subkeys:
|
||||||
signkeys.append(k.fpr)
|
sigkeys.append(k.fpr)
|
||||||
|
cmd = ['/usr/bin/gpg',
|
||||||
|
'--batch',
|
||||||
|
'--yes',
|
||||||
|
'--lsign-key',
|
||||||
|
'0x{0}'.format(importkey)]
|
||||||
|
subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT)
|
||||||
|
return(gpg)
|
||||||
|
|
||||||
|
def killStaleAgent(conf):
|
||||||
# RETURNS:
|
|
||||||
# our private/signing keys: privkey (is a list)
|
|
||||||
|
|
||||||
|
|
||||||
def killStaleAgent():
|
|
||||||
# Kill off any stale GPG agents running.
|
# Kill off any stale GPG agents running.
|
||||||
# Probably not even needed, but good to have.
|
# Probably not even needed, but good to have.
|
||||||
|
chrootdir = conf['build']['chrootdir']
|
||||||
|
dlpath = conf['build']['dlpath']
|
||||||
procs = psutil.process_iter()
|
procs = psutil.process_iter()
|
||||||
plst = []
|
plst = []
|
||||||
for p in procs:
|
for p in procs:
|
||||||
if (p.name() == 'gpg-agent' and p.uids()[0] == os.getuid()):
|
if (p.name() in ('gpg-agent', 'dirmngr') and p.uids()[0] == os.getuid()):
|
||||||
pd = psutil.Process(p.pid).as_dict()
|
pd = psutil.Process(p.pid).as_dict()
|
||||||
if pd['cwd'] != '/':
|
for d in (chrootdir, dlpath):
|
||||||
|
if pd['cwd'].startswith('{0}'.format(d)):
|
||||||
plst.append(p.pid)
|
plst.append(p.pid)
|
||||||
if len(plst) >= 1:
|
if len(plst) >= 1:
|
||||||
for p in plst:
|
for p in plst:
|
||||||
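Review bot: The new `--lsign-key '0x{0}'.format(importkey)` call local-signs whatever key the keyserver lookup returned for `importkey` without checking that it is the intended key; the config on this page identifies the key by a 16-hex-digit long key ID (`gpgkey = 7F2D434B9741E8AC`), and a keyserver answer for a key ID is not guaranteed to be the expected certificate, so a wrong or substituted key would be marked trusted for the rest of the build and any later verification against it would pass. Compare `gpg.get_key(importkey).fpr` against an expected full fingerprint before signing (or accept only full fingerprints in the config), and check the `subprocess.call` return value so a failed import or signature does not go unnoticed. Smaller points in the same hunk: `sigkeys` is filled but not read anywhere within the hunk (it may be consumed beyond it), and in killStaleAgent `pd['cwd']` can be None when psutil could not read the process cwd, so `pd['cwd'].startswith(...)` can raise AttributeError — `if pd['cwd'] and pd['cwd'].startswith(d):` is safer, and `startswith(d)` also matches sibling paths that merely share the prefix, so `os.path.join(d, '')` is the stricter prefix. The remainder of genGPG before this hunk and the body of killStaleAgent after it are outside the hunk.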
@ -132,3 +152,7 @@ def signIMG(path, conf):
|
|||||||
|
|
||||||
def gpgVerify(sigfile, datafile, conf):
|
def gpgVerify(sigfile, datafile, conf):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
def delTempKeys(conf):
|
||||||
|
pass
|
||||||
|
killStaleAgent(conf)
|
||||||
|
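Review bot: In `delTempKeys` the `pass` preceding `killStaleAgent(conf)` is dead — `pass` is only needed for an otherwise empty body — and should be dropped. The function's name suggests it will also remove the temporary keys, but the body only kills stale agents; if this is a stub, a `# TODO: delete the temporary signing keys from GNUPGHOME` comment would make that explicit for the next reader.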
@ -7,6 +7,7 @@ import datetime
|
|||||||
import bSSL
|
import bSSL
|
||||||
import ipxe
|
import ipxe
|
||||||
import bsync
|
import bsync
|
||||||
|
import bGPG
|
||||||
|
|
||||||
# we need to:
|
# we need to:
|
||||||
# we also need to figure out how to implement "mentos" (old bdisk) like functionality, letting us reuse an existing chroot install if possible to save time for future builds.
|
# we also need to figure out how to implement "mentos" (old bdisk) like functionality, letting us reuse an existing chroot install if possible to save time for future builds.
|
||||||
@ -16,6 +17,7 @@ if __name__ == '__main__':
|
|||||||
print('{0}: Starting.'.format(datetime.datetime.now()))
|
print('{0}: Starting.'.format(datetime.datetime.now()))
|
||||||
conf = host.parseConfig(host.getConfig())[1]
|
conf = host.parseConfig(host.getConfig())[1]
|
||||||
prep.dirChk(conf)
|
prep.dirChk(conf)
|
||||||
|
conf['gpgobj'] = bGPG.genGPG(conf)
|
||||||
prep.buildChroot(conf['build'], keep = False)
|
prep.buildChroot(conf['build'], keep = False)
|
||||||
prep.prepChroot(conf['build'], conf['bdisk'], conf['user'])
|
prep.prepChroot(conf['build'], conf['bdisk'], conf['user'])
|
||||||
arch = conf['build']['arch']
|
arch = conf['build']['arch']
|
||||||
|
@ -195,8 +195,11 @@ gpgkey = 7F2D434B9741E8AC
|
|||||||
; What is a valid keyserver we should use
|
; What is a valid keyserver we should use
|
||||||
; to fetch gpgkey?
|
; to fetch gpgkey?
|
||||||
; 0.) Only used if mirrorgpgsig is set
|
; 0.) Only used if mirrorgpgsig is set
|
||||||
; 1.) The default is probably fine.
|
; 1.) The default (blank) is probably fine.
|
||||||
gpgkeyserver = pgp.mit.edu
|
; If you don't specify a personal GPG config
|
||||||
|
; (under the gpg section), then you'll definitely probably
|
||||||
|
; want to leave this blank.
|
||||||
|
gpgkeyserver =
|
||||||
|
|
||||||
; Should we sign our release files? (See the GPG section)
|
; Should we sign our release files? (See the GPG section)
|
||||||
; 0.) Only accepts (case-insensitive):
|
; 0.) Only accepts (case-insensitive):
|
||||||
|
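Review bot: The retained comment `; 0.) Only used if mirrorgpgsig is set` no longer matches the code on this page: genGPG's new keyserver block (hunk `@ -25,6 +25,15`) writes the server into dirmngr.conf whenever `gpgkeyserver` is non-blank, regardless of mirrorgpgsig. Either gate that block on mirrorgpgsig as well or reword the comment, e.g. `; 0.) Also written to dirmngr.conf for the build's GNUPGHOME`. The new line `; (under the gpg section), then you'll definitely probably` reads oddly; `; (under the gpg section), then you will most likely` says the same thing.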