NACK: [linux-snap][bionic][PATCH] trusted.gpg.d directly supports .asc keys without gnupg/agent/etc.

Dimitri John Ledkov xnox at ubuntu.com
Tue Aug 13 12:54:25 UTC 2019


On Mon, 12 Aug 2019 at 14:05, Stefan Bader <stefan.bader at canonical.com> wrote:
>
> On 01.08.19 05:01, Dimitri John Ledkov wrote:
> > As per apt-key manpage one can ship armored keys with .asc extension
> > since apt 1.4 (bionic and up). For prior releases, gpg1 exported
> > binary .gpg keys are supported. No need to install gnupg, run
> > gnupg-agent, or execute apt-key.
> >
> > Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
> > ---
>
> Though maybe more complicated than it needs to be, but why change a running system?
> If we remember till then, this is something for doing better in core20.
>

Because installing and removing packages clobbers things.

It also shows lack of knowledge of apt snippets support which has been
around since xenial, and it means this will be copied over again
elsewhere.

This should not have been done like this in the first place, and is
poor engineering.


> -Stefan
>
> >  Sample build with this change in place is shown at:
> >  https://launchpad.net/~xnox/+snap/pc-kernel-bionic/+build/633218
> >
> >  Makefile | 9 +--------
> >  1 file changed, 1 insertion(+), 8 deletions(-)
> >
> > diff --git a/Makefile b/Makefile
> > index b2c5ea5..00d3b25 100644
> > --- a/Makefile
> > +++ b/Makefile
> > @@ -93,14 +93,7 @@ all:
> >
> >       # Enable ppa:snappy-dev/image inside of the chroot and add the PPA's
> >       # public signing key to apt:
> > -     # - gnugpg is required by apt-key
> > -     # - gnugpg 2.x requires gpg-agent to be running
> > -     # - procfs must be bind-mounted for gpg-agent
> > -     # - running apt-key as a child process of gpg-agent --daemon stops the
> > -     #   agent shortly after apt-key executes
> > -     $(ENV) chroot chroot apt-get -y install gnupg
> > -     mkdir --mode=0600 chroot/tmp/gnupg-home
> > -     cat snappy-dev-image.asc | $(ENV) chroot chroot gpg-agent --homedir /tmp/gnupg-home --daemon apt-key add -
> > +     cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/
> >       # Copy in the sources.list just before modifying it (on build envs this already
> >       # seems to be present, otherwise those would not fail).
> >       cp /etc/apt/sources.list chroot/etc/apt/sources.list
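Review bot: the added `cp snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/` line leaves the installed key's mode to whatever the source file and umask happen to give it; apt only needs to read the file, so `install -m 0644 snappy-dev-image.asc chroot/etc/apt/trusted.gpg.d/` would make the result the same in every build environment. The comment kept above it only says the key is added to apt, while the commit message states that .asc files in trusted.gpg.d need apt 1.4 (bionic and up); a one-line comment recording that requirement next to the copy would keep the line from being reused in a build for an older series, where a binary .gpg key is needed instead.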
> >
>
>


-- 
Regards,

Dimitri.


