Fix make_apt script.
This change makes the following fixes: - When creating a test repo.key, create a secret keyring as other workflows also use secret keyrings only. - We should not be using both --keyring and --secret-keyring options. Just use --secret-keyring. - Pass homedir to all gpg commands. dpkg-sig takes an arg -g which stands for gpgopts. So we need to pass the homedir there too. PiperOrigin-RevId: 330443280
parent
2202812e07
commit
fada564c83
4
Makefile
4
Makefile
@ -294,8 +294,8 @@ $(RELEASE_KEY):
echo Name-Email: test@example.com >> $$C && \
echo Expire-Date: 0 >> $$C && \
echo %commit >> $$C && \
gpg --batch $(GPG_TEST_OPTIONS) --passphrase '' --no-default-keyring --keyring $$T --no-tty --gen-key $$C && \
gpg --batch $(GPG_TEST_OPTIONS) --export-secret-keys --no-default-keyring --keyring $$T --secret-keyring $$T > $@; \
gpg --batch $(GPG_TEST_OPTIONS) --passphrase '' --no-default-keyring --secret-keyring $$T --no-tty --gen-key $$C && \
gpg --batch $(GPG_TEST_OPTIONS) --export-secret-keys --no-default-keyring --secret-keyring $$T > $@; \
rc=$$?; rm -f $$T $$C; exit $$rc
release: $(RELEASE_KEY) ## Builds a release.
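Review bot: The new `--export-secret-keys ... > $@` line creates `$@` through a shell redirect before gpg runs, so a failed export leaves an empty or partial key file that later runs will treat as up to date unless `.DELETE_ON_ERROR:` is set elsewhere in the Makefile (not visible in this hunk). The file also takes the caller's umask although it holds a secret key generated with `--passphrase ''` and `Expire-Date: 0`. I would export to a temporary and move it into place, e.g. `(umask 077 && gpg --batch $(GPG_TEST_OPTIONS) --export-secret-keys --no-default-keyring --secret-keyring $$T > $@.tmp) && mv -f $@.tmp $@; \`, and add a comment that this key is for tests only. The recipe starts above the hunk, so where `$$T` and `$$C` are created is not visible here.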
@ -58,6 +58,7 @@ mkdir -p "${release}"
# using the same key. This is a limitation in GnuPG pre-2.1.
declare -r keyring=$(mktemp /tmp/keyringXXXXXX.gpg)
declare -r homedir=$(mktemp -d /tmp/homedirXXXXXX)
declare -r gpg_opts=("--no-default-keyring" "--secret-keyring" "${keyring}" "--homedir" "${homedir}")
cleanup() {
rm -rf "${keyring}" "${homedir}"
}
@ -67,8 +68,8 @@ trap cleanup EXIT
# is not found. This isn't actually a failure for us, because we don't require
# the public key (this may be stored separately). The second import will succeed
# because, in reality, the first import succeeded and it's a no-op.
gpg --no-default-keyring --keyring "${keyring}" --homedir "${homedir}" --import "${private_key}" || \
gpg --no-default-keyring --keyring "${keyring}" --homedir "${homedir}" --import "${private_key}"
gpg "${gpg_opts[@]}" --import "${private_key}" || \
gpg "${gpg_opts[@]}" --import "${private_key}"
# Copy the packages into the root.
for pkg in "$@"; do
@ -103,7 +104,8 @@ for pkg in "$@"; do
cp -a "${pkg}" "${target}"
chmod 0644 "${target}"
if [[ "${ext}" == "deb" ]]; then
dpkg-sig -g "--no-default-keyring --keyring ${keyring}" --sign builder "${target}"
# We use [*] here to expand the gpg_opts array into a single shell-word.
dpkg-sig -g "${gpg_opts[*]}" --sign builder "${target}"
fi
done
@ -138,5 +140,5 @@ rm "${release}"/apt.conf
# Sign the release.
declare -r digest_opts=("--digest-algo" "SHA512" "--cert-digest-algo" "SHA512")
(cd "${release}" && rm -f Release.gpg InRelease)
(cd "${release}" && gpg --no-default-keyring --keyring "${keyring}" --clearsign "${digest_opts[@]}" -o InRelease Release)
(cd "${release}" && gpg --no-default-keyring --keyring "${keyring}" -abs "${digest_opts[@]}" -o Release.gpg Release)
(cd "${release}" && gpg "${gpg_opts[@]}" --clearsign "${digest_opts[@]}" -o InRelease Release)
(cd "${release}" && gpg "${gpg_opts[@]}" -abs "${digest_opts[@]}" -o Release.gpg Release)
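Review bot: The new `gpg_opts` array in the `-58,6 +58,7` hunk is built from `${keyring}` and `${homedir}` without checking that either `mktemp` call succeeded. `declare -r var=$(...)` returns the status of `declare`, so a failed `mktemp` leaves an empty value even under `set -e` (whether the script sets it is not visible here). Every later `gpg` and `dpkg-sig` call would then receive an empty `--homedir` argument, and I would not rely on that keeping the imported private key out of the invoking user's own GnuPG state. I would add a guard just before the array, `[[ -f "${keyring}" && -d "${homedir}" ]] || { echo "mktemp failed" >&2; exit 1; }`. The `[*]` comment above the `dpkg-sig` line could also say that the join is safe only while neither path contains whitespace, which the `/tmp` templates currently ensure.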