[lxc-devel] [distrobuilder/master] shared: Fix GPG

monstermunchkin on Github lxc-bot at linuxcontainers.org
Tue Mar 6 13:37:22 UTC 2018


From 4ad8b8959b691323265cdc8fba600f26c4936e27 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Tue, 6 Mar 2018 14:36:52 +0100
Subject: [PATCH] shared: Fix GPG

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 shared/util.go         | 22 +++++++++++++++-------
 shared/util_test.go    | 20 +++++++++++---------
 sources/debootstrap.go |  7 ++++---
 3 files changed, 30 insertions(+), 19 deletions(-)

diff --git a/shared/util.go b/shared/util.go
index 0e40c0c..598104d 100644
--- a/shared/util.go
+++ b/shared/util.go
@@ -3,8 +3,10 @@ package shared
 import (
 	"fmt"
 	"io"
+	"io/ioutil"
 	"os"
 	"os/exec"
+	"path"
 	"path/filepath"
 	"regexp"
 	"strconv"
@@ -57,19 +59,22 @@ func RunCommand(name string, arg ...string) error {
 
 // VerifyFile verifies a file using gpg.
 func VerifyFile(signedFile, signatureFile string, keys []string, keyserver string) (bool, error) {
-	gpgDir, err := CreateGPGKeyring(keyserver, keys)
+	keyring, err := CreateGPGKeyring(keyserver, keys)
 	if err != nil {
 		return false, err
 	}
+	gpgDir := path.Dir(keyring)
 	defer os.RemoveAll(gpgDir)
 
 	if signatureFile != "" {
-		out, err := lxd.RunCommand("gpg", "--homedir", gpgDir, "--verify", signatureFile, signedFile)
+		out, err := lxd.RunCommand("gpg", "--homedir", gpgDir, "--keyring", keyring,
+			"--verify", signatureFile, signedFile)
 		if err != nil {
 			return false, fmt.Errorf("Failed to verify: %s", out)
 		}
 	} else {
-		out, err := lxd.RunCommand("gpg", "--homedir", gpgDir, "--verify", signedFile)
+		out, err := lxd.RunCommand("gpg", "--homedir", gpgDir, "--keyring", keyring,
+			"--verify", signedFile)
 		if err != nil {
 			return false, fmt.Errorf("Failed to verify: %s", out)
 		}
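Review bot: `path.Dir(keyring)` on the new line after the error check operates on an OS filesystem path, and this file already imports `path/filepath` for exactly that; use `gpgDir := filepath.Dir(keyring)` and the new `path` import becomes unnecessary. Separately, the test added in this patch documents that no keyring file is written when `keys` is empty, so `--keyring keyring` can point at a file that does not exist; gpg should still fail verification for lack of a public key, but an explicit `if !lxd.PathExists(keyring) { return false, fmt.Errorf("Keyring %s does not exist", keyring) }` before the first gpg call would give a clearer failure than "Failed to verify". VerifyFile's body continues past the end of this hunk.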
@@ -80,9 +85,12 @@ func VerifyFile(signedFile, signatureFile string, keys []string, keyserver strin
 
 // CreateGPGKeyring creates a new GPG keyring.
 func CreateGPGKeyring(keyserver string, keys []string) (string, error) {
-	gpgDir := filepath.Join(os.TempDir(), "distrobuilder.gpg")
+	gpgDir, err := ioutil.TempDir(os.TempDir(), "distrobuilder.")
+	if err != nil {
+		return "", fmt.Errorf("Failed to create gpg directory: %s", err)
+	}
 
-	err := os.MkdirAll(gpgDir, 0700)
+	err = os.MkdirAll(gpgDir, 0700)
 	if err != nil {
 		return "", err
 	}
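Review bot: The `os.MkdirAll(gpgDir, 0700)` call retained at the bottom of the hunk is now redundant: `ioutil.TempDir` has already created `gpgDir`, with mode 0700, and returns an error otherwise, so the second call is a no-op on an existing directory. Drop the `err = os.MkdirAll(...)` block and let the `ioutil.TempDir` error check stand alone; `ioutil.TempDir("", "distrobuilder.")` also defaults to `os.TempDir()`, so the explicit first argument is optional. CreateGPGKeyring's body continues outside this hunk, including the key-receive step that the later export depends on.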
@@ -103,13 +111,13 @@ func CreateGPGKeyring(keyserver string, keys []string) (string, error) {
 
 	// Export keys to support gpg1 and gpg2
 	out, err = lxd.RunCommand("gpg", "--homedir", gpgDir, "--export", "--output",
-		filepath.Join(gpgDir, "pubring.gpg"))
+		filepath.Join(gpgDir, "distrobuilder.gpg"))
 	if err != nil {
 		os.RemoveAll(gpgDir)
 		return "", fmt.Errorf("Failed to export keyring: %s", out)
 	}
 
-	return gpgDir, nil
+	return filepath.Join(gpgDir, "distrobuilder.gpg"), nil
 }
 
 // Pack creates an xz-compressed tarball.
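Review bot: The function returns the keyring path with a nil error even when `gpg --export` wrote nothing; the test added in this patch states that the keyring file is not created when there are no keys, and the same presumably happens if the keyserver receive yields no keys for a non-empty `keys` list. A caller then gets a path to a missing file and only finds out when gpg or debootstrap is invoked, so it is worth checking that the export actually produced the file when keys were requested, and failing early with a message that names the real cause.
```go
	keyring := filepath.Join(gpgDir, "distrobuilder.gpg")
	if len(keys) > 0 && !lxd.PathExists(keyring) {
		os.RemoveAll(gpgDir)
		return "", fmt.Errorf("Failed to export keyring: no keys were received")
	}

	return keyring, nil
```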
diff --git a/shared/util_test.go b/shared/util_test.go
index ea7365a..dd23c02 100644
--- a/shared/util_test.go
+++ b/shared/util_test.go
@@ -3,6 +3,7 @@ package shared
 import (
 	"log"
 	"os"
+	"path"
 	"path/filepath"
 	"testing"
 
@@ -91,24 +92,25 @@ func TestVerifyFile(t *testing.T) {
 }
 
 func TestCreateGPGKeyring(t *testing.T) {
-	gpgDir, err := CreateGPGKeyring("pgp.mit.edu", []string{"0x5DE8949A899C8D99"})
+	keyring, err := CreateGPGKeyring("pgp.mit.edu", []string{"0x5DE8949A899C8D99"})
 	if err != nil {
 		t.Fatalf("Unexpected error: %s", err)
 	}
 
-	if !lxd.PathExists(gpgDir) {
-		t.Fatalf("Failed to create gpg directory: %s", gpgDir)
+	if !lxd.PathExists(keyring) {
+		t.Fatalf("Failed to create GPG keyring '%s'", keyring)
 	}
-	os.RemoveAll(gpgDir)
+	os.RemoveAll(path.Dir(keyring))
 
-	// This shouldn't fail either.
-	gpgDir, err = CreateGPGKeyring("", []string{})
+	// This shouldn't fail, but the keyring file should not be created since
+	// there are no keys to be exported.
+	keyring, err = CreateGPGKeyring("", []string{})
 	if err != nil {
 		t.Fatalf("Unexpected error: %s", err)
 	}
 
-	if !lxd.PathExists(gpgDir) {
-		t.Fatalf("Failed to create gpg directory: %s", gpgDir)
+	if lxd.PathExists(keyring) {
+		t.Fatalf("GPG keyring '%s' should not exist", keyring)
 	}
-	os.RemoveAll(gpgDir)
+	os.RemoveAll(path.Dir(keyring))
 }
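Review bot: In the first case the temporary directory leaks if the `lxd.PathExists(keyring)` check fails, because `t.Fatalf` stops the test before the `os.RemoveAll` that follows it; register the cleanup right after the error check instead, `defer os.RemoveAll(filepath.Dir(keyring))`, which runs on `t.Fatalf` as well. The same applies to the second case. `filepath` is already imported in this file, so the new `path` import can go once both `path.Dir` calls use it.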
diff --git a/sources/debootstrap.go b/sources/debootstrap.go
index b8b7086..8ff74fa 100644
--- a/sources/debootstrap.go
+++ b/sources/debootstrap.go
@@ -2,6 +2,7 @@ package sources
 
 import (
 	"os"
+	"path"
 	"path/filepath"
 
 	"github.com/lxc/distrobuilder/shared"
@@ -30,13 +31,13 @@ func (s *Debootstrap) Run(source shared.DefinitionSource, release, arch, cacheDi
 	}
 
 	if len(source.Keys) > 0 {
-		gpgDir, err := shared.CreateGPGKeyring(source.Keyserver, source.Keys)
+		keyring, err := shared.CreateGPGKeyring(source.Keyserver, source.Keys)
 		if err != nil {
 			return err
 		}
-		defer os.RemoveAll(gpgDir)
+		defer os.RemoveAll(path.Base(keyring))
 
-		args = append(args, "--keyring", filepath.Join(gpgDir, "pubring.gpg"))
+		args = append(args, "--keyring", keyring)
 	}
 
 	args = append(args, release, filepath.Join(cacheDir, "rootfs"))
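Review bot: `defer os.RemoveAll(path.Base(keyring))` removes the wrong thing: `path.Base` of the returned path is just `distrobuilder.gpg`, a relative name resolved against the process's working directory, so any file by that name in the cwd is deleted while the temporary keyring directory is left behind. The intent, matching the other callers in this patch, is to remove the directory containing the keyring: `defer os.RemoveAll(filepath.Dir(keyring))`. `filepath` is already imported here, so the new `path` import is then unused; Run's body starts and ends outside this hunk.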

