diff --git a/.travis.yml b/.travis.yml
index 2bde501..287af80 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -10,9 +10,9 @@ after_script:
  - ls -l ~/qubes-builder/iso
 env:
  - DIST_DOM0=fc29 INSTALLER_KICKSTART=/tmp/qubes-installer/conf/travis-iso-full.ks USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1 RPM_BUILD_DEFINES=--nocheck
- - DIST_DOM0=fc29 INSTALLER_KICKSTART=/tmp/qubes-installer/conf/travis-iso-unsigned.ks USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1 EXPECT_FAILURE=./expected-failure
- - DIST_DOM0=fc29 INSTALLER_KICKSTART=/tmp/qubes-installer/conf/travis-iso-unsigned2.ks USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1 EXPECT_FAILURE=./expected-failure
- - DIST_DOM0=fc29 INSTALLER_KICKSTART=/tmp/qubes-installer/conf/travis-iso-unknown-key.ks USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1 EXPECT_FAILURE=./expected-failure
+ - DIST_DOM0=fc29 INSTALLER_KICKSTART=/tmp/qubes-installer/conf/travis-iso-unsigned.ks USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1 EXPECT_FAILURE=./scripts/expected-failure
+ - DIST_DOM0=fc29 INSTALLER_KICKSTART=/tmp/qubes-installer/conf/travis-iso-unsigned2.ks USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1 EXPECT_FAILURE=./scripts/expected-failure
+ - DIST_DOM0=fc29 INSTALLER_KICKSTART=/tmp/qubes-installer/conf/travis-iso-unknown-key.ks USE_QUBES_REPO_VERSION=4.1 USE_QUBES_REPO_TESTING=1 EXPECT_FAILURE=./scripts/expected-failure
 # don't build tags which are meant for code signing only
 branches:
diff --git a/Makefile b/Makefile
index 53cd412..890b7b2 100644
--- a/Makefile
+++ b/Makefile
@@ -88,7 +88,7 @@ iso-installer-gather:
 	pushd $(BASE_DIR)/os/ && $(CREATEREPO) -q -g $(INSTALLER_DIR)/conf/comps-qubes.xml .
 iso-installer-lorax:
-	$(INSTALLER_DIR)/ksparser --ks $(INSTALLER_KICKSTART) --extract-repo-conf-to $(INSTALLER_DIR)/conf/dnf-lorax.repo
+	$(INSTALLER_DIR)/scripts/ksparser --ks $(INSTALLER_KICKSTART) --extract-repo-conf-to $(INSTALLER_DIR)/conf/dnf-lorax.repo
 	$(LORAX) $(LORAX_OPTS) $(BASE_DIR)/os
 iso-installer-mkisofs:
@@ -109,7 +109,7 @@ iso-installer: iso-prepare iso-installer-gather iso-installer-lorax iso-installe
 	rm -rf work
 iso-liveusb: $(LIVE_KICKSTART) iso-prepare
-	pushd work && ../livecd-creator-qubes --debug --product='Qubes OS' --title="Qubes OS $(ISO_VERSION)" --fslabel="Qubes-$(ISO_VERSION)-x86_64-LIVE" --config $(LIVE_KICKSTART) && popd
+	pushd work && $(INSTALLER_DIR)/scripts/livecd-creator-qubes --debug --product='Qubes OS' --title="Qubes OS $(ISO_VERSION)" --fslabel="Qubes-$(ISO_VERSION)-x86_64-LIVE" --config $(LIVE_KICKSTART) && popd
 	# Move result files to known-named directories
 	mkdir -p build/ISO/qubes-x86_64/iso build/work
 	mv work/*.iso build/ISO/qubes-x86_64/iso/
diff --git a/rpm_verify b/rpm_verify
deleted file mode 100755
index 4855a74..0000000
--- a/rpm_verify
+++ /dev/null
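Review bot: The rewritten iso-liveusb recipe invokes `$(INSTALLER_DIR)/scripts/livecd-creator-qubes` after `pushd work`, so it only resolves when `$(INSTALLER_DIR)` is absolute; the replaced `../livecd-creator-qubes` was written relative to work/ and carried no such assumption. INSTALLER_DIR is defined outside the hunk, and the .travis.yml change in this commit uses absolute /tmp/qubes-installer paths, so the CI case is probably fine, but a relative override would fail inside work/ with a bare "No such file or directory". Normalising it in the recipe removes the dependency: `pushd work && $(abspath $(INSTALLER_DIR))/scripts/livecd-creator-qubes --debug --product='Qubes OS' --title="Qubes OS $(ISO_VERSION)" --fslabel="Qubes-$(ISO_VERSION)-x86_64-LIVE" --config $(LIVE_KICKSTART) && popd`. The same caveat already applied to `--config $(LIVE_KICKSTART)`, which this hunk leaves unchanged. The ksparser call in the first Makefile hunk runs without a directory change and is not affected.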
@@ -1,48 +0,0 @@
-#!/bin/sh
-
-verify_rpm() {
-RPM=$1
-
-if ! [ -f $RPM ]; then
- echo -n "No such file... "
- return
-fi
-
-if ! rpm --checksig $RPM > /dev/null; then
- echo "Wrong PGP signature on $RPM!"
- exit 1
-fi
-
-# Even if rpm returns success (ret = 0) that doesn't
-# mean that the rpm has been signed! It might simply
-# have no PGP signature at all. Yes, stupidity...
-
-if ! rpm --checksig $RPM | grep ' pgp ' > /dev/null ; then
- if [ "$NO_SIGN" == "1" ] ; then
- # When signing is disabed in qubes-builder
- # This is used to build unsigned ISO
- # This should only be used for testing builds
- return 0
- fi
-
- echo "No PGP signature found!"
-
- exit 2
-fi
-}
-
-
-if [ $# -lt 1 ]; then
- echo "Usage: $0 "
- exit 1
-fi
-
-if [ -w /var/lib/rpm ]; then
- # Make sure that the right Qubes release key is imported (in chroot)
- rpm --import `dirname $0`/qubes-release/RPM-GPG-KEY-qubes-*-primary
-fi
-
-for FILE in "$@"; do
- verify_rpm $FILE || exit 1
-done
-
diff --git a/rpm_verify b/rpm_verify
new file mode 120000
index 0000000..0b89ff8
--- /dev/null
+++ b/rpm_verify
@@ -0,0 +1 @@
+scripts/rpm_verify
\ No newline at end of file
diff --git a/expected-failure b/scripts/expected-failure
similarity index 100%
rename from expected-failure
rename to scripts/expected-failure
diff --git a/ksparser b/scripts/ksparser
similarity index 100%
rename from ksparser
rename to scripts/ksparser
diff --git a/livecd-creator-qubes b/scripts/livecd-creator-qubes
similarity index 100%
rename from livecd-creator-qubes
rename to scripts/livecd-creator-qubes
diff --git a/scripts/rpm_verify b/scripts/rpm_verify
new file mode 100755
index 0000000..4855a74
--- /dev/null
+++ b/scripts/rpm_verify
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+verify_rpm() {
+RPM=$1
+
+if ! [ -f $RPM ]; then
+ echo -n "No such file... "
+ return
+fi
+
+if ! rpm --checksig $RPM > /dev/null; then
+ echo "Wrong PGP signature on $RPM!"
+ exit 1
+fi
+
+# Even if rpm returns success (ret = 0) that doesn't
+# mean that the rpm has been signed! It might simply
+# have no PGP signature at all. Yes, stupidity...
+
+if ! rpm --checksig $RPM | grep ' pgp ' > /dev/null ; then
+ if [ "$NO_SIGN" == "1" ] ; then
+ # When signing is disabed in qubes-builder
+ # This is used to build unsigned ISO
+ # This should only be used for testing builds
+ return 0
+ fi
+
+ echo "No PGP signature found!"
+
+ exit 2
+fi
+}
+
+
+if [ $# -lt 1 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+if [ -w /var/lib/rpm ]; then
+ # Make sure that the right Qubes release key is imported (in chroot)
+ rpm --import `dirname $0`/qubes-release/RPM-GPG-KEY-qubes-*-primary
+fi
+
+for FILE in "$@"; do
+ verify_rpm $FILE || exit 1
+done
+
diff --git a/yum/update_repo.sh b/yum/update_repo.sh
index 15b0496..20852de 100755
--- a/yum/update_repo.sh
+++ b/yum/update_repo.sh
@@ -4,7 +4,7 @@
 # $1 -- path to rpm dir
 check_repo() {
-    if ! ../rpm_verify $1/*.rpm ; then
+    if ! ../scripts/rpm_verify $1/*.rpm ; then
     echo "ERROR: There are unsigned RPM packages in $1 repo:"
     echo "---------------------------------------"
     rpm --checksig $1/*.rpm | grep -v pgp
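Review bot: The key import in scripts/rpm_verify resolves `qubes-release/RPM-GPG-KEY-qubes-*-primary` under `dirname $0`, and this commit moves the script into scripts/ while yum/update_repo.sh now calls `../scripts/rpm_verify` directly instead of through the new top-level symlink; unless qubes-release/ moves too (not in this diff), that call looks in scripts/qubes-release/ and `rpm --import` receives the unmatched glob literally, while the old `./rpm_verify` path keeps working only because `$0` is then the symlink at the repository root. The import's exit status is not checked, so a failed import shows up later as signature failures against whatever keys the target rpmdb already holds rather than as a clear error at the import step. I would anchor the key directory to the resolved script path and fail closed: `KEYDIR=$(dirname "$(readlink -f "$0")")/../qubes-release` followed by `rpm --import "$KEYDIR"/RPM-GPG-KEY-qubes-*-primary || exit 1`. Separately, `[ "$NO_SIGN" == "1" ]` is a bashism under `#!/bin/sh`; a dash `[` rejects `==` and the script then falls through to `exit 2`, which fails closed but should be written `[ "$NO_SIGN" = "1" ]`. The file is byte-identical to the deleted top-level rpm_verify (blob 4855a74), so these are pre-existing; the move is what changes how `$0` resolves.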
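Review bot: `check_repo` hands `$1/*.rpm` to `../scripts/rpm_verify` unquoted, and when the directory contains no RPMs the shell passes the unexpanded pattern; rpm_verify's `verify_rpm` answers a non-existent path with `echo -n "No such file... "` followed by a bare `return`, which returns echo's status 0, so an empty or mistyped repo directory passes the signature gate and never reaches the error branch below. A guard before the call fails closed: `[ -n "$(ls "$1"/*.rpm 2>/dev/null)" ] || { echo "ERROR: no RPM packages found in $1"; return 1; }`, and a `return 1` for the missing-file case in rpm_verify would close the same hole at the source. The fallback listing `rpm --checksig $1/*.rpm | grep -v pgp`, like the `' pgp '` match in rpm_verify, assumes --checksig prints a per-signature `pgp` token; if the rpm in the build environment prints the terse `digests signatures OK` summary instead, the match silently never succeeds, so this is worth confirming against the rpm version actually used. The body of check_repo continues past the end of the hunk.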