fix: signature check breaks qubes-builder update

The state module git.latest does not allow setting environment variables
for us to set the correct GNUPGHOME. The module environ.set does not
work as we call git as the normal user and not as root, but may still be
the problem of git.latest not respecting environment variables.

The problem with always pulling new commits is that it may conflict with
the current work the user has done on the repository locally. It will
also not work in case the last commit is not signed by a trusted key
deployed by the formula; in this case, you should add the key manually
to verify the commit.

Setting the gpg.program only for the required repositories solves the
aforementioned problem and also enhances usability by removing extra
commands that the user needs to learn and remember.

Fixes: https://github.com/ben-grande/qusal/issues/58
Ben Grande 2024-06-14 19:04:29 +02:00
parent afcb73085f
commit ba5b4813f2
No known key found for this signature in database
GPG Key ID: 00C64E14F51F9E56
5 changed files with 68 additions and 25 deletions

View File

@ -8,8 +8,9 @@ Setup Qubes OS Builder V2 in Qubes OS itself.
* [Installation](#installation)
* [Access Control](#access-control)
* [Usage](#usage)
* [Pulling new commits](#pulling-new-commits)
* [Add PGP public key to qubes-builder GPG home directory](#add-pgp-public-key-to-qubes-builder-gpg-home-directory)
* [Builder configuration](#builder-configuration)
* [Update repository safely](#update-repository-safely)
## Description
@ -58,6 +59,19 @@ unattended build.
## Usage
### Pulling new commits
The installation will clone the repository but not pull new commits. You will
need to pull new commits from time to time, their signature will be
automatically verified before merging them to your git index.
### Add PGP public key to qubes-builder GPG home directory
If you need to pull commits signed by someone with a key not deployed by
default, import their key to the GPG home directory of qubes-builder:
```sh
gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY
```
### Builder configuration
When using the Qubes Executor, configure the `builder.yml` `dispvm` option to
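
Review bot: the new "Add PGP public key" section tells the user to run `gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY` without any step to check the key's fingerprint first, yet every key in that home directory becomes acceptable for commit verification. Add a sentence asking the user to compare the fingerprint against a source they trust before importing. In "Pulling new commits", "automatically verified" would also be clearer if it named what enforces it; the removed "Update repository safely" text said that the provided gitconfig enforces signature verification on merges, and that explanation is worth keeping.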
@ -74,15 +88,3 @@ executor:
```
Setting the Disposable VM to Dom0 works because it will use the
`default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
### Update repository safely
If you need to pull new commits, set `GNUPGHOME` to
`/home/user/.gnupg/qubes-builder`, the provided gitconfig enforces signature
verification on git merges:
```sh
GNUPGHOME="$HOME/.gnupg/qubes-builder" git pull
Commit 7c37bb7 has a good GPG signature by Frederic Pierret (fepitre)
<frederic.pierret@qubes-os.org>
...
```

View File

@ -23,18 +23,6 @@ include:
- mode: '0755'
- makedirs: True
"{{ slsdotpath }}-git-clone-builderv2":
git.latest:
- name: https://github.com/QubesOS/qubes-builderv2.git
- target: /home/user/src/qubes-builderv2
- user: user
"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
git.latest:
- name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
- target: /home/user/src/qubes-infrastructure-mirrors
- user: user
"{{ slsdotpath }}-gnupg-home":
file.directory:
- name: /home/user/.gnupg/qubes-builder
@ -72,6 +60,42 @@ include:
- cwd: /home/user/.gnupg/qubes-builder
- runas: user
"{{ slsdotpath }}-git-clone-builderv2":
git.cloned:
- require:
- cmd: "{{ slsdotpath }}-import-keys"
- name: https://github.com/QubesOS/qubes-builderv2.git
- target: /tmp/qubes-builderv2
- user: user
"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
git.cloned:
- require:
- cmd: "{{ slsdotpath }}-import-keys"
- name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
- target: /home/user/src/qubes-infrastructure-mirrors
- user: user
"{{ slsdotpath }}-git-config-gpg.program-for-builder":
git.config_set:
- require:
- cmd: "{{ slsdotpath }}-import-keys"
- git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
- name: gpg.program
- value: gpg-qubes-builder
- repo: /home/user/src/qubes-infrastructure-mirrors
- user: user
"{{ slsdotpath }}-git-config-gpg.program-for-mirrors":
git.config_set:
- require:
- cmd: "{{ slsdotpath }}-import-keys"
- git: "{{ slsdotpath }}-git-clone-builderv2"
- name: gpg.program
- value: gpg-qubes-builder
- repo: /home/user/src/qubes-builderv2
- user: user
"{{ slsdotpath }}-git-verify-HEAD-builderv2":
cmd.run:
- require:
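
Review bot: the `git.cloned` state for qubes-builderv2 uses `target: /tmp/qubes-builderv2`, but the `git.config_set` state below it writes `gpg.program` to `repo: /home/user/src/qubes-builderv2`, which is also where the removed `git.latest` state used to clone. As written, the config state points at a directory this file no longer creates, and the checkout sits under /tmp instead of the user's source tree; the target should be `/home/user/src/qubes-builderv2`. The two config state IDs are also swapped: `-git-config-gpg.program-for-builder` configures the qubes-infrastructure-mirrors repo and `-git-config-gpg.program-for-mirrors` configures qubes-builderv2. Rename them so a failing state ID in the Salt output points at the right repository.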

View File

@ -5,6 +5,8 @@
## Do not modify this file, create a new policy with with a lower number in the
## file name instead. For example `30-user.policy`.
## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
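
Review bot: the added `## TODO: split-gpg2 configuration for isolated_gnupghomedirs.` line does not say what is still missing or where it is tracked. Link it to an issue, or state the intended end result, so the comment can be removed once the work is done. The context line above it also reads "with with a lower number", which could be fixed while this header is being touched.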

View File

@ -0,0 +1,6 @@
#!/bin/sh
# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
set -eu
env GNUPGHOME="$HOME/.gnupg/qubes-builder" gpg2 "$@"
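
Review bot: the wrapper invokes `gpg2`, while the README section added in this same commit tells users to import keys with `gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY`. Use the same binary name in both places so that import and verification are guaranteed to go through the same GnuPG build and keyring format. Prefixing the last line with `exec` would also avoid leaving an extra shell process around and hand gpg's exit status to git directly. A one-line comment stating that this script is meant to be used as git's `gpg.program` would help readers who find it in /usr/bin.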

View File

@ -66,4 +66,13 @@ include:
- addusers:
- user
"{{ slsdotpath }}-add-gpg-program-verify-git-commits-using-builder-keyring":
file.managed:
- name: /usr/bin/gpg-qubes-builder
- source: salt://{{ slsdotpath }}/files/client/bin/gpg-qubes-builder
- user: root
- group: root
- mode: '0755'
- makedirs: True
{% endif -%}
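
Review bot: this state installs the wrapper at `/usr/bin/gpg-qubes-builder`, but the `git.config_set` states in the clone file set `gpg.program` to the bare name `gpg-qubes-builder`, so git resolves it through the user's PATH. Setting the value to the absolute path `/usr/bin/gpg-qubes-builder` would guarantee that signature verification runs this root-owned file rather than whatever comes first in PATH. Nothing visible here ties this state to the config states either; if they can run in the same qube, a `require` on this file from those states would make the ordering explicit.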