[v3] isar-bootstrap: Run gpg-agent before starting apt-key

Message ID 20210122170903.28134-1-amikan@ilbers.de
State Accepted, archived

Commit Message

Anton Mikanovich Jan. 22, 2021, 7:09 a.m. UTC
From: Yuri Adamov <yadamov@ilbers.de>

Building rpi-stretch natively (under qemu) sometimes fails with:

gpg: can't connect to the agent: IPC connect call failed

gpg starts gpg-agent and times out after 5 s. This value is hard-coded.

Besides, leaving running gpg-agent processes is not clean and prevents
unmounting of filesystems.

This patch starts and stops the agent manually.

Signed-off-by: Yuri Adamov <yadamov@ilbers.de>
Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
---
Changes since v2:
- Restored conditional gnupg include.
- Made gpg-agent run in gpg enabled builds only.

Changes since v1:
- Removed unnecessary sleeping.
- Removed -9 in kill.
- Commented unconditionally gnupg package append.
- Removed unused OVERRIDES_append and get_distro_needs_gpg_support().
---
 meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

Comments

Jan Kiszka Jan. 25, 2021, 2:31 a.m. UTC | #1
On 22.01.21 18:09, Anton Mikanovich wrote:
> From: Yuri Adamov <yadamov@ilbers.de>
> 
> Building rpi-stretch natively (under qemu) sometimes fails with:
> 
> gpg: can't connect to the agent: IPC connect call failed
> 
> gpg starts gpg-agent and times out after 5 s. This value is hard-coded.
> 
> Besides, leaving running gpg-agent processes is not clean and prevents
> unmounting of filesystems.
> 
> This patch starts and stops the agent manually.
> 
> Signed-off-by: Yuri Adamov <yadamov@ilbers.de>
> Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
> ---
> Changes since v2:
> - Restored conditional gnupg include.
> - Made gpg-agent run in gpg enabled builds only.
> 
> Changes since v1:
> - Removed unnecessary sleeping.
> - Removed -9 in kill.
> - Commented unconditionally gnupg package append.
> - Removed unused OVERRIDES_append and get_distro_needs_gpg_support().
> ---
>  meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> index 8f5f727..0edefc5 100644
> --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
> @@ -309,14 +309,25 @@ isar_bootstrap() {
>              mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d"
>              install -v -m644 "${WORKDIR}/isar-apt.conf" \
>                               "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf"
> +            if [ "${@get_distro_needs_gpg_support(d)}" = "gnupg" ]; then
> +                MY_GPGHOME="$(chroot "${ROOTFSDIR}" mktemp -d /tmp/gpghomeXXXXXXXXXX)"
> +                echo "Created temporary directory ${MY_GPGHOME} for gpg-agent"
> +                export GNUPGHOME="${MY_GPGHOME}"
> +                chroot "${ROOTFSDIR}" gpg-agent --daemon
> +                APT_KEY_APPEND="--homedir ${MY_GPGHOME}"
> +            fi
>              find ${APT_KEYS_DIR}/ -type f | while read keyfile
>              do
>                  kfn="$(basename $keyfile)"
>                  cp $keyfile "${ROOTFSDIR}/tmp/$kfn"
>                  chroot "${ROOTFSDIR}" /usr/bin/apt-key \
> -                   --keyring ${THIRD_PARTY_APT_KEYRING} add "/tmp/$kfn"
> +                    --keyring ${THIRD_PARTY_APT_KEYRING} ${APT_KEY_APPEND} add "/tmp/$kfn"
>                  rm "${ROOTFSDIR}/tmp/$kfn"
>              done
> +            if [ -d "${MY_GPGHOME}" ]; then
> +                echo "Killing gpg-agent for ${MY_GPGHOME}"
> +                chroot "${ROOTFSDIR}" gpgconf --kill gpg-agent && /bin/rm -rf "${MY_GPGHOME}"
> +            fi
>  
>              if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then
>                  install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \
> 
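Review bot: In the cleanup block, `[ -d "${MY_GPGHOME}" ]` and the `/bin/rm -rf "${MY_GPGHOME}"` after `&&` are evaluated by the host shell, but `MY_GPGHOME` was produced by `mktemp` running inside the chroot, so the path is only valid relative to `${ROOTFSDIR}`. On the host, `/tmp/gpghomeXXXXXXXXXX` will normally not exist, so the whole block is skipped: the agent is never killed and the directory stays in the rootfs, which is the leftover-process and unmount problem the commit message sets out to fix. If a directory of that name did exist on the host, it would be the one deleted. Suggest testing `[ -n "${MY_GPGHOME}" ]` or `[ -d "${ROOTFSDIR}${MY_GPGHOME}" ]`, and removing `"${ROOTFSDIR}${MY_GPGHOME}"`.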

Thanks, looks good to me.

Jan

Anton Mikanovich Feb. 5, 2021, 4:59 a.m. UTC | #2
25.01.2021 15:31, Jan Kiszka wrote:
>
> Thanks, looks good to me.
>
> Jan
>
Applied to next, thanks.

Patch

diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 8f5f727..0edefc5 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -309,14 +309,25 @@  isar_bootstrap() {
             mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d"
             install -v -m644 "${WORKDIR}/isar-apt.conf" \
                              "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf"
+            if [ "${@get_distro_needs_gpg_support(d)}" = "gnupg" ]; then
+                MY_GPGHOME="$(chroot "${ROOTFSDIR}" mktemp -d /tmp/gpghomeXXXXXXXXXX)"
+                echo "Created temporary directory ${MY_GPGHOME} for gpg-agent"
+                export GNUPGHOME="${MY_GPGHOME}"
+                chroot "${ROOTFSDIR}" gpg-agent --daemon
+                APT_KEY_APPEND="--homedir ${MY_GPGHOME}"
+            fi
             find ${APT_KEYS_DIR}/ -type f | while read keyfile
             do
                 kfn="$(basename $keyfile)"
                 cp $keyfile "${ROOTFSDIR}/tmp/$kfn"
                 chroot "${ROOTFSDIR}" /usr/bin/apt-key \
-                   --keyring ${THIRD_PARTY_APT_KEYRING} add "/tmp/$kfn"
+                    --keyring ${THIRD_PARTY_APT_KEYRING} ${APT_KEY_APPEND} add "/tmp/$kfn"
                 rm "${ROOTFSDIR}/tmp/$kfn"
             done
+            if [ -d "${MY_GPGHOME}" ]; then
+                echo "Killing gpg-agent for ${MY_GPGHOME}"
+                chroot "${ROOTFSDIR}" gpgconf --kill gpg-agent && /bin/rm -rf "${MY_GPGHOME}"
+            fi
 
             if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then
                 install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \
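Review bot: `export GNUPGHOME="${MY_GPGHOME}"` in the first added block is never undone, so everything that runs later in isar_bootstrap() inherits a GNUPGHOME pointing at a directory the cleanup block is meant to delete. Scope it to the commands that need it, for example `GNUPGHOME="${MY_GPGHOME}" chroot "${ROOTFSDIR}" gpg-agent --daemon`, or add `unset GNUPGHOME` to the cleanup block. Two smaller points in the same hunk: `MY_GPGHOME` and `APT_KEY_APPEND` are only assigned inside the `if`, so values inherited from the environment would be used in builds without gpg support (initialise both to empty before the conditional), and chaining the removal with `&&` means a failed `gpgconf --kill gpg-agent` also leaves the temporary directory behind, so the removal is better done unconditionally after the kill attempt.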