Housekeeping #567

[RFC] [librestage/librerelease] Have librestage (or even libremakepkg) generate signatures, instead of librerelease

lukeshu - over 5 years ago. Updated about 1 year ago.

Status:
info needed
Priority:
discussion
Category:
-
Assignee:
-
% Done:
0%


Description

Title says it. Makepkg is by itself capable of generating signatures. I think moving signatures closer to the "source" makes sense.

History

#1

Updated by lukeshu over 5 years ago

  • Status changed from open to info needed

#2

Updated by g4jc over 4 years ago

lukeshu wrote:

Title says it. Makepkg is by itself capable of generating signatures. I think moving signatures closer to the "source" makes sense.

I agree, this is very important. Librerelease should be used only to gpg --verify before uploading, while packagers sign the package during compile. As you said, "closer to the source".

I have begun the process of trying to figure out why this does not work.

Some preliminary steps needed:
  • nano /etc/makepkg.conf --> make sure that "!sign = sign" in BUILDENV, and set the correct "default-key [KEYID]"
  • Create the librechroot.
  • Now we need to import our GPG keys into the librechroot: cp -R /home/user/.gnupg /var/lib/archbuild/default/user/root
  • The next thing we need to do is apply a fix for not having a desktop environment in the chroot, a.k.a. the "gpg: agent_genkey failed: No pinentry" error.
  • sudo librechroot enter
  • sudo rm /usr/bin/pinentry
  • ln -s /usr/bin/pinentry-curses /usr/bin/pinentry

At this point the build continues to fail, but I can clearsign files manually from inside the chroot.

If anyone knows where libremakepkg is causing the break it would be helpful to know.

My guesses:
  • /libretools/src/chroot-tools/libremakepkg
  • /libretools/src/chroot-tools/makechrootpkg.sh.patch (this patch has some makepkg vars hardcoded)

#3

Updated by fauno over 4 years ago

You can change the default pinentry by setting "pinentry-program /usr/bin/pinentry-curses" in ~/.gnupg/gpg-agent.conf.

Why would you sign inside the chroot anyway?

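As an added example (not code from this thread or from libretools), a POSIX shell script that checks the settings the steps in #2 and fauno's reply touch before attempting a signed build: that BUILDENV in makepkg.conf enables `sign` rather than `!sign`, that GPGKEY is set, and that gpg-agent.conf names pinentry-curses. BUILDENV and GPGKEY are makepkg.conf's own variables; the function names and the sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): check the makepkg/gpg settings the
# comments above touch before attempting a signed build in a librechroot.
# Paths are parameters so the checks can run against constructed sample files.

# Return 0 if BUILDENV in the given makepkg.conf enables "sign" (no "!" prefix).
buildenv_sign_enabled() {
    conf="$1"
    # Pull the BUILDENV=(...) line, strip the assignment and parentheses,
    # then look for a standalone "sign" word that is not negated with "!".
    sed -n 's/^BUILDENV=(\(.*\))/\1/p' "$conf" \
        | tr ' ' '\n' | grep -qx 'sign'
}

# Return 0 if GPGKEY is set to a non-empty value.
gpgkey_set() {
    conf="$1"
    key=$(sed -n 's/^GPGKEY="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$conf")
    [ -n "$key" ]
}

# Return 0 if gpg-agent.conf names a curses pinentry (fauno's fix for the
# "No pinentry" error inside a chroot without a desktop environment).
pinentry_curses_configured() {
    grep -q '^pinentry-program .*pinentry-curses$' "$1"
}

# Run all three checks; print a one-line verdict per check and return the
# number of failures so callers can gate the build on it.
check_sign_setup() {
    fails=0
    buildenv_sign_enabled "$1" && echo "ok: BUILDENV enables sign" \
        || { echo "FAIL: BUILDENV has !sign or no sign"; fails=$((fails+1)); }
    gpgkey_set "$1" && echo "ok: GPGKEY set" \
        || { echo "FAIL: GPGKEY empty"; fails=$((fails+1)); }
    pinentry_curses_configured "$2" && echo "ok: pinentry-curses configured" \
        || { echo "FAIL: no pinentry-program in gpg-agent.conf"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample files (stand-ins for /etc/makepkg.conf and ~/.gnupg/gpg-agent.conf).
tmp=$(mktemp -d)
printf 'BUILDENV=(!distcc color !ccache check !sign)\nGPGKEY=""\n' > "$tmp/bad.conf"
printf 'BUILDENV=(!distcc color !ccache check sign)\nGPGKEY="0123456789ABCDEF"\n' > "$tmp/good.conf"
printf 'pinentry-program /usr/bin/pinentry-curses\n' > "$tmp/gpg-agent.conf"
: > "$tmp/empty-agent.conf"

check_sign_setup "$tmp/good.conf" "$tmp/gpg-agent.conf"
```

The key id in good.conf is a constructed placeholder, not a real key.
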
#4

Updated by g4jc over 4 years ago

fauno wrote:

You can change the default pinentry by setting "pinentry-program /usr/bin/pinentry-curses" in ~/.gnupg/gpg-agent.conf.

Why would you sign inside the chroot anyway?

I was using it to test, not as a final patch.
At least I know that gpg is now working fully inside the chroot, making the libremakepkg failure issue more curious.

Edit: And as to why: the chroot can't see your keys outside of the chroot. I had guessed that is one of the reasons for this original error:

> Signing package...
> WARNING: Failed to sign package file.

However the problem is deeper than just that. I will continue testing to see if it is resolvable.

#5

Updated by lukeshu over 3 years ago

  • Priority changed from bug to discussion

#6

Updated by lukeshu about 1 year ago

  • Tracker changed from Bug to Housekeeping
