mirror of
https://github.com/ben-grande/qusal.git
synced 2024-10-01 02:35:49 -04:00
fix: signature check breaks qubes-builder update
The state module git.latest does not allow setting environment variable for us to set the correct GNUPGHOME. The module environ.set does not work as we call git as the normal user and not as root, but may still be the problem of git.latest not respecting environment variables. The problem with always pulling new commits is that it may conflict with the current work the user has done on the repository locally. It will also not work in case the last commit is not signed by a trusted key deployed by the formula, in this case, you should add the key manually to verify the commit. Setting the gpg.program only for the required repositories solves the aforementioned problem and also enhances usability by removing extra commands that the user needs to learn and remember. Fixes: https://github.com/ben-grande/qusal/issues/58
This commit is contained in:
parent
afcb73085f
commit
ba5b4813f2
@ -8,8 +8,9 @@ Setup Qubes OS Builder V2 in Qubes OS itself.
|
||||
* [Installation](#installation)
|
||||
* [Access Control](#access-control)
|
||||
* [Usage](#usage)
|
||||
* [Pulling new commits](#pulling-new-commits)
|
||||
* [Add PGP public key to qubes-builder GPG home directory](#add-pgp-public-key-to-qubes-builder-gpg-home-directory)
|
||||
* [Builder configuration](#builder-configuration)
|
||||
* [Update repository safely](#update-repository-safely)
|
||||
|
||||
## Description
|
||||
|
||||
@ -58,6 +59,19 @@ unattended build.
|
||||
|
||||
## Usage
|
||||
|
||||
### Pulling new commits
|
||||
|
||||
The installation will clone the repository but not pull new commits. You will
|
||||
need to pull new commits from time to time, their signature will be
|
||||
automatically verified before merging them to your git index.
|
||||
|
||||
### Add PGP public key to qubes-builder GPG home directory
|
||||
|
||||
If you need to pull commits signed by someone with a key not deployed by
|
||||
default, import their key to the GPG home directory of qubes-builder:
|
||||
```sh
|
||||
gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY
|
||||
```
|
||||
### Builder configuration
|
||||
|
||||
When using the Qubes Executor, configure the `builder.yml` `dispvm` option to
|
||||
@ -74,15 +88,3 @@ executor:
|
||||
```
|
||||
Setting the Disposable VM to Dom0 works because it will use the
|
||||
`default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
|
||||
|
||||
### Update repository safely
|
||||
|
||||
If you need to pull new commits, set `GNUPGHOME` to
|
||||
`/home/user/.gnupg/qubes-builder`, the provided gitconfig enforces signature
|
||||
verification on git merges:
|
||||
```sh
|
||||
GNUPGHOME="$HOME/.gnupg/qubes-builder" git pull
|
||||
Commit 7c37bb7 has a good GPG signature by Frederic Pierret (fepitre)
|
||||
<frederic.pierret@qubes-os.org>
|
||||
...
|
||||
```
|
||||
|
@ -23,18 +23,6 @@ include:
|
||||
- mode: '0755'
|
||||
- makedirs: True
|
||||
|
||||
"{{ slsdotpath }}-git-clone-builderv2":
|
||||
git.latest:
|
||||
- name: https://github.com/QubesOS/qubes-builderv2.git
|
||||
- target: /home/user/src/qubes-builderv2
|
||||
- user: user
|
||||
|
||||
"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
|
||||
git.latest:
|
||||
- name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
|
||||
- target: /home/user/src/qubes-infrastructure-mirrors
|
||||
- user: user
|
||||
|
||||
"{{ slsdotpath }}-gnupg-home":
|
||||
file.directory:
|
||||
- name: /home/user/.gnupg/qubes-builder
|
||||
@ -72,6 +60,42 @@ include:
|
||||
- cwd: /home/user/.gnupg/qubes-builder
|
||||
- runas: user
|
||||
|
||||
"{{ slsdotpath }}-git-clone-builderv2":
|
||||
git.cloned:
|
||||
- require:
|
||||
- cmd: "{{ slsdotpath }}-import-keys"
|
||||
- name: https://github.com/QubesOS/qubes-builderv2.git
|
||||
- target: /tmp/qubes-builderv2
|
||||
- user: user
|
||||
|
||||
"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
|
||||
git.cloned:
|
||||
- require:
|
||||
- cmd: "{{ slsdotpath }}-import-keys"
|
||||
- name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
|
||||
- target: /home/user/src/qubes-infrastructure-mirrors
|
||||
- user: user
|
||||
|
||||
"{{ slsdotpath }}-git-config-gpg.program-for-builder":
|
||||
git.config_set:
|
||||
- require:
|
||||
- cmd: "{{ slsdotpath }}-import-keys"
|
||||
- git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
|
||||
- name: gpg.program
|
||||
- value: gpg-qubes-builder
|
||||
- repo: /home/user/src/qubes-infrastructure-mirrors
|
||||
- user: user
|
||||
|
||||
"{{ slsdotpath }}-git-config-gpg.program-for-mirrors":
|
||||
git.config_set:
|
||||
- require:
|
||||
- cmd: "{{ slsdotpath }}-import-keys"
|
||||
- git: "{{ slsdotpath }}-git-clone-builderv2"
|
||||
- name: gpg.program
|
||||
- value: gpg-qubes-builder
|
||||
- repo: /home/user/src/qubes-builderv2
|
||||
- user: user
|
||||
|
||||
"{{ slsdotpath }}-git-verify-HEAD-builderv2":
|
||||
cmd.run:
|
||||
- require:
|
||||
|
@ -5,6 +5,8 @@
|
||||
|
||||
## Do not modify this file, create a new policy with with a lower number in the
|
||||
## file name instead. For example `30-user.policy`.
|
||||
|
||||
## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
|
||||
qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
|
||||
|
||||
qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
|
||||
|
6
salt/qubes-builder/files/client/bin/gpg-qubes-builder
Executable file
6
salt/qubes-builder/files/client/bin/gpg-qubes-builder
Executable file
@ -0,0 +1,6 @@
|
||||
#!/bin/sh
|
||||
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
||||
#
|
||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||
set -eu
|
||||
env GNUPGHOME="$HOME/.gnupg/qubes-builder" gpg2 "$@"
|
@ -66,4 +66,13 @@ include:
|
||||
- addusers:
|
||||
- user
|
||||
|
||||
"{{ slsdotpath }}-add-gpg-program-verify-git-commits-using-builder-keyring":
|
||||
file.managed:
|
||||
- name: /usr/bin/gpg-qubes-builder
|
||||
- source: salt://{{ slsdotpath }}/files/client/bin/gpg-qubes-builder
|
||||
- user: root
|
||||
- group: root
|
||||
- mode: '0755'
|
||||
- makedirs: True
|
||||
|
||||
{% endif -%}
|
||||
|
Loading…
Reference in New Issue
Block a user