From 2f407fa54dbf644d05578361d10a9b6964e0f0da Mon Sep 17 00:00:00 2001 From: Guillem Jover Date: Tue, 22 Dec 2015 15:56:45 +0100 Subject: [PATCH] MT#17029 Use the keyring from the ngcp-keyring package Switch the logic to something similar to what debootstrap is doing. Depend on the archive keyring for the archive we want to download from, and pass that keyring to debootstrap. Do not install the file manually but pull the package from inside the gues that provides the keyring fragments, so that we do not end up with unowned files on the system. Change-Id: I853084005c8373b17f6e8558e5725b4d5cf8e424 --- debian/control | 5 +++-- deployment.sh | 54 +++++++++----------------------------------------- 2 files changed, 12 insertions(+), 47 deletions(-) diff --git a/debian/control b/debian/control index 3156244..f328c2a 100644 --- a/debian/control +++ b/debian/control @@ -9,7 +9,8 @@ Homepage: http://sipwise.com/ Package: ngcp-netscript Architecture: any -Depends: ${misc:Depends}, - ${shlibs:Depends} +Depends: + ${misc:Depends}, + ngcp-keyring, Description: NGCP deployment scripts scripts needed to install Sipwise NGCP system. diff --git a/deployment.sh b/deployment.sh index b6963f6..c1b5f51 100755 --- a/deployment.sh +++ b/deployment.sh @@ -155,49 +155,10 @@ loadNfsIpArray() { [ "$n" == "7" ] && return 0 || return 1 } -debootstrap_sipwise_key() { - mkdir -p /etc/debootstrap/pre-scripts/ - cat > /etc/debootstrap/pre-scripts/install-sipwise-key.sh << EOF -#!/bin/bash -# installed via deployment.sh -cp /etc/apt/trusted.gpg.d/sipwise.gpg "\${MNTPOINT}"/etc/apt/trusted.gpg.d/ -EOF - chmod 775 /etc/debootstrap/pre-scripts/install-sipwise-key.sh -} - -install_sipwise_key() { - if [ -f "/etc/apt/trusted.gpg.d/sipwise.gpg" ]; then - md5sum_sipwise_key=$(md5sum /etc/apt/trusted.gpg.d/sipwise.gpg | awk '{print $1}') - echo "Sipwise keyring already installed (MD5: [${md5sum_sipwise_key}]), debootstrap sipwise key" - debootstrap_sipwise_key - return - else - echo "Sipwise keyring not found, downloading." +check_sipwise_keyring() { + if ! [ -f "/usr/share/keyrings/sipwise-archive-keyring.gpg" ]; then + die "Sipwise keyring not found, aborting installation." fi - - for x in 1 2 3; do - - if "$PRO_EDITION" ; then - wget -O /etc/apt/trusted.gpg.d/sipwise.gpg ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/sppro/sipwise.gpg - else - wget -O /etc/apt/trusted.gpg.d/sipwise.gpg ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/spce/sipwise.gpg - fi - - md5sum_sipwise_key_expected=bcd09c9ad563b2d380152a97d5a0ea83 - md5sum_sipwise_key_calculated=$(md5sum /etc/apt/trusted.gpg.d/sipwise.gpg | awk '{print $1}') - - if [ "$md5sum_sipwise_key_calculated" != "$md5sum_sipwise_key_expected" ] ; then - echo "Sipwise keyring has wrong checksum (expected: [$md5sum_sipwise_key_expected] - got: [$md5sum_sipwise_key_calculated]), retry $x" - else - break - fi - done - - if [ "$md5sum_sipwise_key_calculated" != "$md5sum_sipwise_key_expected" ] ; then - die "Error validating sipwise keyring for apt usage, aborting installation." - fi - - debootstrap_sipwise_key } install_apt_transport_https () { @@ -748,8 +709,8 @@ if ! "$NGCP_INSTALLER" ; then unset ROLE fi -set_deploy_status "installing_sipwise_keys" -install_sipwise_key +set_deploy_status "check_sipwise_keyring" +check_sipwise_keyring set_deploy_status "installing_apt_transport_https" install_apt_transport_https @@ -1171,6 +1132,9 @@ echo FSCK=no >>/etc/debootstrap/config # package selection cat > /etc/debootstrap/packages << EOF +# ngcp archive keyring +ngcp-keyring + # addons: packages which d-i installs but debootstrap doesn't eject grub-pc @@ -1259,7 +1223,7 @@ fi # over official Debian MIRROR="${SIPWISE_REPO_TRANSPORT}://${DEBIAN_REPO_HOST}/debian/" SEC_MIRROR="${SIPWISE_REPO_TRANSPORT}://${DEBIAN_REPO_HOST}/debian-security/" -KEYRING='/etc/apt/trusted.gpg.d/sipwise.gpg' +KEYRING='/usr/share/keyrings/sipwise-archive-keyring.gpg' set_deploy_status "debootstrap"