final checkin for the night

This commit is contained in:
brent s. 2016-12-16 04:28:53 -05:00
parent 39e037c08a
commit 77590ef0a0
3 changed files with 44 additions and 15 deletions

View File

@ -25,6 +25,15 @@ def genGPG(conf):
gpghome = build['dlpath'] + '/.gnupg' gpghome = build['dlpath'] + '/.gnupg'
os.environ['GNUPGHOME'] = gpghome os.environ['GNUPGHOME'] = gpghome
gpg = gpgme.Context() gpg = gpgme.Context()
# do we need to add a keyserver?
if build['gpgkeyserver'] != '':
dirmgr = '{0}/dirmngr.conf'.format(gpghome)
if os.path.isfile(dirmgr):
with open(dirmgr, 'r+') as f:
findme = any(gpgmirror in line for line in f)
if not findme:
f.seek(0, os.SEEK_END)
f.write("\n# Added by {0}.\nkeyserver {1}\n")
if mykey: if mykey:
try: try:
privkey = gpg.get_key(mykey, True) privkey = gpg.get_key(mykey, True)
@ -37,9 +46,6 @@ def genGPG(conf):
if key.can_sign: if key.can_sign:
pkeys.append(key) pkeys.append(key)
break break
#for subkey in key.subkeys: # for parsing each and every subkey- this should be unnecessary
#if subkey.can_sign:
#pkeys.append(gpg.get_key(subkey.fpr))
if len(pkeys) == 0: if len(pkeys) == 0:
print("{0}: [GPG] Generating a GPG key...".format(datetime.datetime.now())) print("{0}: [GPG] Generating a GPG key...".format(datetime.datetime.now()))
loader = jinja2.FileSystemLoader(templates_dir) loader = jinja2.FileSystemLoader(templates_dir)
@ -48,6 +54,15 @@ def genGPG(conf):
tpl_out = tpl.render(build = build, bdisk = bdisk) tpl_out = tpl.render(build = build, bdisk = bdisk)
privkey = gpg.get_key(gpg.genkey(tpl_out).fpr, True) privkey = gpg.get_key(gpg.genkey(tpl_out).fpr, True)
pkeys.append(privkey) pkeys.append(privkey)
# do we need to add a keyserver? this is for the freshly-generated GNUPGHOME
if build['gpgkeyserver'] != '':
dirmgr = '{0}/dirmngr.conf'.format(gpghome)
with open(dirmgr, 'r+') as f:
findme = any(gpgmirror in line for line in f)
if not findme:
f.seek(0, os.SEEK_END)
f.write("\n# Added by {0}.\nkeyserver {1}\n"
gpg.signers = pkeys
# Now we try to find and add the key for the base image. # Now we try to find and add the key for the base image.
gpg.keylist_mode = 2 # remote (keyserver) gpg.keylist_mode = 2 # remote (keyserver)
try: try:
@ -67,22 +82,27 @@ def genGPG(conf):
subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT) subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT)
sigkeys = [] sigkeys = []
for k in gpg.get_key(importkey).subkeys: for k in gpg.get_key(importkey).subkeys:
signkeys.append(k.fpr) sigkeys.append(k.fpr)
cmd = ['/usr/bin/gpg',
'--batch',
'--yes',
'--lsign-key',
'0x{0}'.format(importkey)]
subprocess.call(cmd, stdout = DEVNULL, stderr = subprocess.STDOUT)
return(gpg)



def killStaleAgent(conf):
# RETURNS:
# our private/signing keys: privkey (is a list)

def killStaleAgent():
# Kill off any stale GPG agents running. # Kill off any stale GPG agents running.
# Probably not even needed, but good to have. # Probably not even needed, but good to have.
chrootdir = conf['build']['chrootdir']
dlpath = conf['build']['dlpath']
procs = psutil.process_iter() procs = psutil.process_iter()
plst = [] plst = []
for p in procs: for p in procs:
if (p.name() == 'gpg-agent' and p.uids()[0] == os.getuid()): if (p.name() in ('gpg-agent', 'dirmngr') and p.uids()[0] == os.getuid()):
pd = psutil.Process(p.pid).as_dict() pd = psutil.Process(p.pid).as_dict()
if pd['cwd'] != '/': for d in (chrootdir, dlpath):
if pd['cwd'].startswith('{0}'.format(d)):
plst.append(p.pid) plst.append(p.pid)
if len(plst) >= 1: if len(plst) >= 1:
for p in plst: for p in plst:
@ -132,3 +152,7 @@ def signIMG(path, conf):


def gpgVerify(sigfile, datafile, conf): def gpgVerify(sigfile, datafile, conf):
pass pass

def delTempKeys(conf):
pass
killStaleAgent(conf)

View File

@ -7,6 +7,7 @@ import datetime
import bSSL import bSSL
import ipxe import ipxe
import bsync import bsync
import bGPG


# we need to: # we need to:
# we also need to figure out how to implement "mentos" (old bdisk) like functionality, letting us reuse an existing chroot install if possible to save time for future builds. # we also need to figure out how to implement "mentos" (old bdisk) like functionality, letting us reuse an existing chroot install if possible to save time for future builds.
@ -16,6 +17,7 @@ if __name__ == '__main__':
print('{0}: Starting.'.format(datetime.datetime.now())) print('{0}: Starting.'.format(datetime.datetime.now()))
conf = host.parseConfig(host.getConfig())[1] conf = host.parseConfig(host.getConfig())[1]
prep.dirChk(conf) prep.dirChk(conf)
conf['gpgobj'] = bGPG.genGPG(conf)
prep.buildChroot(conf['build'], keep = False) prep.buildChroot(conf['build'], keep = False)
prep.prepChroot(conf['build'], conf['bdisk'], conf['user']) prep.prepChroot(conf['build'], conf['bdisk'], conf['user'])
arch = conf['build']['arch'] arch = conf['build']['arch']

View File

@ -195,8 +195,11 @@ gpgkey = 7F2D434B9741E8AC
; What is a valid keyserver we should use ; What is a valid keyserver we should use
; to fetch gpgkey? ; to fetch gpgkey?
; 0.) Only used if mirrorgpgsig is set ; 0.) Only used if mirrorgpgsig is set
; 1.) The default is probably fine. ; 1.) The default (blank) is probably fine.
gpgkeyserver = pgp.mit.edu ; If you don't specify a personal GPG config
; (under the gpg section), then you'll definitely probably
; want to leave this blank.
gpgkeyserver =


; Should we sign our release files? (See the GPG section) ; Should we sign our release files? (See the GPG section)
; 0.) Only accepts (case-insensitive): ; 0.) Only accepts (case-insensitive):