Moving bootstrapping of derivative archive-keys from config to init.

2013-11-05 12:32:59 +01:00 · 2013-11-05 12:32:59 +01:00 · 038b1fa8f6
parent 9f37451f92
commit 038b1fa8f6
2 changed files with 61 additions and 85 deletions
--- a/components/init
+++ b/components/init
@ -15,6 +15,7 @@ import os
 import shutil
 import subprocess
 import sys
+import urllib.request


 # TODO:
@ -50,6 +51,21 @@ def main():
 	# --project
 	project = args.project

+	## Setting defaults
+
+	if not project:
+		# FIXME: hardcoded project information
+		project = 'debian'
+
+	if not distribution:
+		# FIXME hardcoded release information
+		default_distribution = { 'debian' :         'wheezy',
+					 'progress-linux' : 'baureo',
+					 'ubuntu' :         'saucy',
+		}
+
+		distribution = default_distribution[project]
+
 	## Creating configuration directory

 	# stagefile
@ -57,9 +73,53 @@ def main():
 		if verbose:
 			print('I: configuration directory already initialized - nothing to do')

-		# Note: until further tests, we do not allow to re-run lb init on an already initialized directory.
+		# Notes:
+		#   * until further tests, we do not allow to re-run lb init on an already initialized directory.
 		sys.exit(0)

+	# Configuring default archive-keys
+	if (project == 'progress-linux'):
+		# dependencies
+		if not os.path.isfile('/usr/bin/gpgv'):
+			print('E: /usr/bin/gpgv - no such file', file=sys.stderr)
+
+			if verbose:
+				print('I: gnupg can be obtained from:\n'
+				      'I:   http://www.gnupg.org/\n'
+				      'I: On Debian based systems, gnupg can be installed with:\n'
+				      'I:   # sudo apt-get install gnupg')
+
+			sys.exit(1)
+
+		os.makedirs('config/archives', exist_ok=True)
+
+		# FIXME hardcoded release information
+		archive_keys_url = 'http://cdn.archive.progress-linux.org/packages/project/keys/'
+
+		archive_keys = { 'artax' :            [ 'archive-key-1-artax.asc'  , 'archive-key-1+-artax-backports.asc'  ],
+				 'artax-backports' :  [ 'archive-key-1-artax.asc'  , 'archive-key-1+-artax-backports.asc'  ],
+				 'baureo' :           [ 'archive-key-2-baureo.asc' , 'archive-key-2+-baureo-backports.asc' ],
+				 'baureo-backports' : [ 'archive-key-2-baureo.asc' , 'archive-key-2+-baureo-backports.asc' ],
+				 'cairon' :           [ 'archive-key-3-cairon.asc' , 'archive-key-3+-cairon-backports.asc' ],
+				 'cairon-backports' : [ 'archive-key-3-cairon.asc' , 'archive-key-3+-cairon-backports.asc' ],
+		}
+
+		keys = archive_keys[distribution]
+
+		for key in keys:
+			url = archive_keys_url + key
+			target = os.path.splitext(os.path.basename(key))
+
+			if verbose:
+				print('I: Downloading ' + url)
+
+			r = urllib.request.urlopen(url)
+			f = open('config/archives/' + target[0] + '.key', 'b+w')
+
+			f.write(r.read())
+
+		# FIXME: download signatures and verify them against debian-keyring
+
 	# Configuring default hooks
 	os.makedirs('config/hooks', exist_ok=True)

--- a/scripts/build/config
+++ b/scripts/build/config
@ -1378,89 +1378,5 @@ Name: ${LIVE_IMAGE_NAME}
 Type: ${LIVE_IMAGE_TYPE}
 EOF

-# TODO: allow verification against user-specified keyring
-# For now, we'll only validate against debian-keyring
-
-# TODO2: use chrooted validation rather than host system based one
-
-case "${LB_MODE}" in
-	progress-linux)
-		case "${LB_DISTRIBUTION}" in
-			artax)
-				_KEYS="1-artax"
-				;;
-
-			artax-backports)
-				_KEYS="1-artax 1+-artax-backports"
-				;;
-
-			baureo)
-				_KEYS="2-baureo"
-				;;
-
-			baureo-backports)
-				_KEYS="2-baureo 2+-baureo-backports"
-				;;
-
-			chairon)
-				_KEYS="3-chairon"
-				;;
-
-			chairon-backports)
-				_KEYS="3-chairon 3+-chairon-backports"
-				;;
-		esac
-
-		_URL="${LB_MIRROR_CHROOT}/project/keys"
-		;;
-
-	*)
-		_KEYS=""
-		;;
-esac
-
-for _KEY in ${_KEYS}
-do
-	Echo_message "Fetching archive-key ${_KEY}..."
-
-	wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc" -O config/archives/${LB_MODE}.bootstrap.key
-	wget ${WGET_OPTIONS} "${_URL}/archive-key-${_KEY}.asc.sig" -O config/archives/${LB_MODE}.bootstrap.key.sig
-
-	if [ -e /usr/bin/gpgv ]
-	then
-		if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
-		then
-			_KEY_VALID=""
-
-			for _KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
-			do
-				if [ -e "${_KEYRING}" ]
-				then
-					Echo_message "Verifying archive-key ${_KEY} against $(basename ${_KEYRING} .gpg | sed -e 's|-keyring||') keyring..."
-
-					set +e
-					/usr/bin/gpgv --quiet --keyring ${_KEYRING} config/archives/${LB_MODE}.key.sig config/archives/${LB_MODE}.key > /dev/null 2>&1 && _KEY_VALID="true" && break
-					set -e
-				fi
-			done
-
-			case "${_KEY_VALID}" in
-				true)
-					Echo_message "Verifying ${_KEY} signature successful."
-					;;
-
-				*)
-					Echo_error "Verifying ${_KEY} signature failed."
-					return 1
-					;;
-			esac
-		else
-			Echo_warning "Skipping archive-key ${_KEY} verification, debian-keyring not available..."
-		fi
-	else
-		Echo_warning "Skipping archive-key ${_KEY} verification, gpgv not available..."
-	fi
-done
-
 # Creating stage file
 Create_stagefile .build/config