<p>Parabola Issue Tracker (https://labs.parabola.nu/)</p>
<p>libretools - Housekeeping #567: [RFC] [librestage/librerelease] Have librestage (or even libremakepkg) generate signatures, instead of librerelease</p>
<p>lukeshu (lukeshu@parabola.nu), 2014-07-01T01:29:41Z, https://labs.parabola.nu/issues/567?journal_id=5423</p>
<ul><li><strong>Status</strong> changed from <i>open</i> to <i>info needed</i></li></ul>
<p>g4jc (g4jc@openmailbox.org), 2015-06-27T16:55:14Z, https://labs.parabola.nu/issues/567?journal_id=6000</p>
<p>lukeshu wrote:</p>
<blockquote>
<p>Title says it. Makepkg is by itself capable of generating signatures. I think moving signatures closer to the "source" makes sense.</p>
</blockquote>
<p>I agree, this is very important. Librerelease should be used only to gpg --verify before uploading, while packagers sign the package during compile. As you said, "closer to the source".</p>
<p>I have begun the process of trying to figure out why this does not work.</p>
<p>Some preliminary steps needed:</p>
<ul>
<li>nano /etc/makepkg.conf --> make sure that "!sign = sign" in BUILDENV, and set the correct "default-key [KEYID]" </li>
<li>Create the librechroot.</li>
<li>Now we need to import our GPG keys into the librechroot: cp -R /home/user/.gnupg /var/lib/archbuild/default/user/root</li>
<li>The next thing we need to do is apply a fix for not having a desktop environment in the chroot, a.k.a. the "gpg: agent_genkey failed: No pinentry" error.</li>
<li>sudo librechroot enter</li>
<li>sudo rm /usr/bin/pinentry</li>
<li>ln -s /usr/bin/pinentry-curses /usr/bin/pinentry</li>
</ul>
<p>At this point the build continues to fail, but I can clearsign files manually from inside the chroot.</p>
<p>If anyone knows where libremakepkg is causing the break it would be helpful to know.</p>
My guesses:
<ul>
<li>/libretools/src/chroot-tools/libremakepkg</li>
<li>/libretools/src/chroot-tools/makechrootpkg.sh.patch | This patch has some makepkg vars hardcoded</li>
</ul>
<p>fauno (fauno@parabola.nu), 2015-06-27T17:01:09Z, https://labs.parabola.nu/issues/567?journal_id=6001</p>
<p>you can change the default pinentry by setting "pinentry-program /usr/bin/pinentry-curses" in ~/.gnupg/gpg-agent.conf</p>
<p>why would you sign inside the chroot anyway?</p>
<p>g4jc (g4jc@openmailbox.org), 2015-06-27T17:32:54Z, https://labs.parabola.nu/issues/567?journal_id=6002</p>
<p>fauno wrote:</p>
<blockquote>
<p>you can change the default pinentry by setting "pinentry-program /usr/bin/pinentry-curses" in ~/.gnupg/gpg-agent.conf</p>
<p>why would you sign inside the chroot anyway?</p>
</blockquote>
<p>I was using it to test, not as a final patch.<br />At least I know that gpg is now working fully inside the chroot, making the libremakepkg failure issue more curious.</p>
<p>Edit: And as to why - chroot can't see your keys outside of the chroot. I had guessed that is one of the reasons for this original error:<br />
| > Signing package...<br />
| > WARNING: Failed to sign package file.</p>
<p>However the problem is deeper than just that. I will continue testing to see if it is resolvable.</p>
<p>lukeshu (lukeshu@parabola.nu), 2016-04-15T22:59:41Z, https://labs.parabola.nu/issues/567?journal_id=6661</p>
<ul><li><strong>Priority</strong> changed from <i>bug</i> to <i>discussion</i></li></ul>
<p>lukeshu (lukeshu@parabola.nu), 2018-10-02T17:37:50Z, https://labs.parabola.nu/issues/567?journal_id=10461</p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Housekeeping</i></li></ul>
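<p>The verify-only role proposed for librerelease in the thread above ("used only to gpg --verify before uploading"), as an added example that is not libretools code. It assumes one staging directory with makepkg-style detached .sig files next to each package; release_gate and VERIFY_GPG are hypothetical names.</p>

```shell
#!/bin/sh
# Added example, not libretools code: a verify-only gate to run before upload.
# Assumptions: staged packages sit in one directory, each beside a detached
# "<package>.sig" of the kind makepkg --sign writes, and the packager public
# keys are already in the keyring of the verifying user.
# release_gate and VERIFY_GPG are hypothetical names used only here.

# release_gate DIR
# Prints one verdict per package; returns 0 only if DIR holds at least one
# package and every package has a detached signature that verifies.
# VERIFY_GPG may name another verifier binary; the default is gpg.
# Variables carry an rg_ prefix because POSIX sh has no local scope.
release_gate() {
    rg_dir=$1 rg_rc=0 rg_found=0
    for rg_pkg in "$rg_dir"/*.pkg.tar.*; do
        [ -e "$rg_pkg" ] || continue             # glob matched nothing
        case $rg_pkg in *.sig) continue ;; esac  # signatures are not packages
        rg_found=1
        rg_name=${rg_pkg##*/}
        if [ ! -s "$rg_pkg.sig" ]; then
            echo "REJECT $rg_name: no signature"
            rg_rc=1
        elif ! "${VERIFY_GPG:-gpg}" --batch --verify "$rg_pkg.sig" "$rg_pkg" \
                >/dev/null 2>&1; then
            echo "REJECT $rg_name: signature does not verify"
            rg_rc=1
        else
            echo "OK     $rg_name"
        fi
    done
    if [ "$rg_found" -eq 0 ]; then
        echo "REJECT $rg_dir: nothing staged"
        return 1
    fi
    return "$rg_rc"
}

# Usage before an upload step: release_gate "$staging_dir" || exit 1
```

<p>gpg --verify exits 0 for a good signature from any key in the keyring, so the account running the gate should hold only packager public keys.</p>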