Housekeeping #567
[RFC] [librestage/librerelease] Have librestage (or even libremakepkg) generate signatures, instead of librerelease
Description
Title says it. Makepkg is by itself capable of generating signatures. I think moving signatures closer to the "source" makes sense.
History
Updated by g4jc almost 8 years ago
lukeshu wrote:
Title says it. Makepkg is by itself capable of generating signatures. I think moving signatures closer to the "source" makes sense.
I agree, this is very important. Librerelease should be used only to gpg --verify before uploading, while packagers sign the package during compile. As you said, "closer to the source".
I have begun the process of trying to figure out why this does not work.
Some preliminary steps needed:
- nano /etc/makepkg.conf --> make sure that "!sign = sign" in BUILDENV, and set the correct "default-key [KEYID]"
- Create the librechroot.
- Now we need to import our GPG keys into the librechroot: cp -R /home/user/.gnupg /var/lib/archbuild/default/user/root
- The next thing we need to do is apply a fix for not having a desktop environment in chroot a.k.a. gpg: agent_genkey failed: No pinentry error.
- sudo librechroot enter
- sudo rm /usr/bin/pinentry
- ln -s /usr/bin/pinentry-curses /usr/bin/pinentry
At this point the build continues to fail, but I can clearsign files manually from inside the chroot.
If anyone knows where libremakepkg is causing the break it would be helpful to know.
My guesses:
- /libretools/src/chroot-tools/libremakepkg
- /libretools/src/chroot-tools/makechrootpkg.sh.patch (this patch has some makepkg vars hardcoded)
Updated by fauno almost 8 years ago
you can change the default pinentry by setting "pinentry-program /usr/bin/pinentry-curses" in ~/.gnupg/gpg-agent.conf
why would you sign inside the chroot anyway?
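Added example, not libretools code: a pre-flight shell check that ties together g4jc's steps above (sign enabled in BUILDENV, an explicit signing key, a pinentry that works inside the chroot) and fauno's gpg-agent.conf suggestion, run against constructed sample configs. It assumes stock makepkg.conf syntax (a BUILDENV array and the GPGKEY variable) and the /usr/bin/pinentry-curses path mentioned in the thread.

```shell
#!/bin/sh
# Pre-flight check for makepkg signing inside a chroot. Added example, not
# libretools code. Assumes stock makepkg.conf syntax (BUILDENV array, GPGKEY)
# and a "pinentry-program" line in gpg-agent.conf, as fauno suggested.

# 0 if the BUILDENV array in makepkg.conf $1 holds a bare "sign" token;
# the default "!sign" disables signing.
makepkg_sign_enabled() {
    sed 's/#.*//' "$1" | grep '^BUILDENV=' | tail -n 1 | cut -d= -f2- \
        | tr -d '()' | tr ' ' '\n' | grep -qx 'sign'
}

# Print GPGKEY from makepkg.conf $1; 1 if unset or empty. An explicit key
# keeps the choice of signing key out of gpg's default-key fallback.
makepkg_gpgkey() {
    key=$(sed 's/#.*//' "$1" | grep '^GPGKEY=' | tail -n 1 | cut -d= -f2- \
        | tr -d "\"' ")
    [ -n "$key" ] && printf '%s\n' "$key"
}

# 0 if gpg-agent.conf $1 pins a terminal pinentry, so gpg works with no
# desktop session (the "No pinentry" failure seen in the chroot).
agent_pinentry_ok() {
    [ -r "$1" ] && grep -qE \
        '^pinentry-program[[:space:]]+[^[:space:]]*pinentry-(curses|tty)[[:space:]]*$' "$1"
}

# Run every check on makepkg.conf $1 and gpg-agent.conf $2; print each
# unmet requirement and return the number of failures (0 = ready to sign).
signing_preflight() {
    fails=0
    makepkg_sign_enabled "$1" || { echo "BUILDENV has !sign: makepkg will not sign"; fails=$((fails + 1)); }
    makepkg_gpgkey "$1" >/dev/null || { echo "GPGKEY unset: no explicit signing key"; fails=$((fails + 1)); }
    agent_pinentry_ok "$2" || { echo "gpg-agent.conf lacks a terminal pinentry-program"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample configs, not files from the report.
TMP=$(mktemp -d)
BAD_CONF="$TMP/makepkg.bad"; GOOD_CONF="$TMP/makepkg.good"; AGENT_CONF="$TMP/gpg-agent.conf"
printf 'BUILDENV=(!distcc color !ccache check !sign)\n#GPGKEY=""\n' >"$BAD_CONF"
printf 'BUILDENV=(!distcc color !ccache check sign)\nGPGKEY="0123456789ABCDEF"   # placeholder key id\n' >"$GOOD_CONF"
printf 'pinentry-program /usr/bin/pinentry-curses\n' >"$AGENT_CONF"

signing_preflight "$BAD_CONF" "$TMP/no-agent.conf" || echo "bad config: $? problem(s)"
signing_preflight "$GOOD_CONF" "$AGENT_CONF" && echo "good config: ready to sign"
```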
Updated by g4jc almost 8 years ago
fauno wrote:
you can change the default pinentry by setting "pinentry-program /usr/bin/pinentry-curses" in ~/.gnupg/gpg-agent.conf
why would you sign inside the chroot anyway?
I was using it to test, not as a final patch.
At least I know that gpg is now working fully inside the chroot, making the libremakepkg failure issue more curious.
Edit: And as to why - chroot can't see your keys outside of the chroot. I had guessed that is one of the reasons for this original error:
> Signing package...
> WARNING: Failed to sign package file.
However the problem is deeper than just that. I will continue testing to see if it is resolvable.