Copy apt gpg keys directly into trusted.gpg.d

This avoids having to have gnupg2/apt-key dependencies in the base,
and is now well supported by modern Debuntu.

Signed-off-by: Matthew Thode <mthode@mthode.org>
Change-Id: I7065b2fab6125d9635ef99ff65d374b8b6b4c3a2
This commit is contained in:
Matthew Thode 2020-08-24 19:55:01 -05:00 committed by Ian Wienand
parent d140cc239a
commit 8cc08418d7
5 changed files with 35 additions and 76 deletions

View File

@ -0,0 +1 @@
export DIB_ADD_APT_KEYS=${DIB_ADD_APT_KEYS:-""}

View File

@ -1,39 +0,0 @@
#!/bin/bash
#
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
DIB_ADD_APT_KEYS=${DIB_ADD_APT_KEYS:-""}
if [ -z "${DIB_ADD_APT_KEYS}" ]; then
echo "DIB_ADD_APT_KEYS is not set - not importing keys"
exit 0
fi
DIR=${TMP_MOUNT_PATH}/tmp/apt_keys
if [ -e ${DIR} ]; then
echo "${DIR} already exists!"
exit 1
fi
sudo mkdir -p ${DIR} # dib-lint: safe_sudo
# Copy to DIR
for KEY in $(find ${DIB_ADD_APT_KEYS} -type f); do
sudo cp -L ${KEY} ${DIR} # dib-lint: safe_sudo
done

View File

@ -1,37 +0,0 @@
#!/bin/bash
#
# Copyright 2014 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
KEY_DIRECTORY=/tmp/apt_keys
if [ ! -d "${KEY_DIRECTORY}" ]; then
exit 0
fi
for KEY in ${KEY_DIRECTORY}/*; do
if ! file -b "${KEY}" | grep -qE '(PGP public key block|GPG key public ring)'; then
echo "Skipping ${KEY}, not a valid GPG public key"
continue
fi
apt-key add ${KEY}
done
apt-get -y update

View File

@ -0,0 +1,28 @@
#!/bin/bash
# Copyright (c) 2020 Matthew Thode (mthode@mthode.org)
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
# dib-lint: disable=safe_sudo
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
if [ -n "${DIB_ADD_APT_KEYS}" ]; then
find "${DIB_ADD_APT_KEYS}" -type f -exec sudo cp -L {} "${TARGET_ROOT}/etc/apt/trusted.gpg.d/" \;
fi

View File

@ -0,0 +1,6 @@
---
upgrade:
- |
The ``DIB_ADD_APT_KEYS`` argument now copies keys into
``/etc/apt/trusted.gpg.d``, rather than using ``apt-key`` to add
them.