From fe7390d638b85cafc041e9c00166dd19612fca13 Mon Sep 17 00:00:00 2001
From: Guillem Jover
Date: Tue, 22 Dec 2015 15:56:45 +0100
Subject: [PATCH] MT#17029 Use the keyring from the ngcp-keyring package

Switch the logic to something similar to what debootstrap is doing. Depend on the archive keyring for the archive we want to download from, and pass that keyring to debootstrap. Do not install the file manually but pull the package from inside the gues that provides the keyring fragments, so that we do not end up with unowned files on the system.
Change-Id: I853084005c8373b17f6e8558e5725b4d5cf8e424
---
 debian/control | 5 +++--
 deployment.sh | 58 +++++++++++--------------------------------------
 2 files changed, 16 insertions(+), 47 deletions(-)
diff --git a/debian/control b/debian/control
index 3156244..f328c2a 100644
--- a/debian/control
+++ b/debian/control
@@ -9,7 +9,8 @@ Homepage: http://sipwise.com/
 Package: ngcp-netscript
 Architecture: any
-Depends: ${misc:Depends},
- ${shlibs:Depends}
+Depends:
+ ${misc:Depends},
+ ngcp-keyring,
 Description: NGCP deployment scripts
 scripts needed to install Sipwise NGCP system.
diff --git a/deployment.sh b/deployment.sh
index b6963f6..67ac23e 100755
--- a/deployment.sh
+++ b/deployment.sh
@@ -155,49 +155,10 @@ loadNfsIpArray() {
 [ "$n" == "7" ] && return 0 || return 1
 }
-debootstrap_sipwise_key() {
- mkdir -p /etc/debootstrap/pre-scripts/
- cat > /etc/debootstrap/pre-scripts/install-sipwise-key.sh << EOF
-#!/bin/bash
-# installed via deployment.sh
-cp /etc/apt/trusted.gpg.d/sipwise.gpg "\${MNTPOINT}"/etc/apt/trusted.gpg.d/
-EOF
- chmod 775 /etc/debootstrap/pre-scripts/install-sipwise-key.sh
-}
-
-install_sipwise_key() {
- if [ -f "/etc/apt/trusted.gpg.d/sipwise.gpg" ]; then
- md5sum_sipwise_key=$(md5sum /etc/apt/trusted.gpg.d/sipwise.gpg | awk '{print $1}')
- echo "Sipwise keyring already installed (MD5: [${md5sum_sipwise_key}]), debootstrap sipwise key"
- debootstrap_sipwise_key
- return
- else
- echo "Sipwise keyring not found, downloading."
+check_sipwise_keyring() {
+ if ! [ -f "/usr/share/keyrings/sipwise-archive-keyring.gpg" ]; then
+ die "Sipwise keyring not found, aborting installation."
 fi
-
- for x in 1 2 3; do
-
- if "$PRO_EDITION" ; then
- wget -O /etc/apt/trusted.gpg.d/sipwise.gpg ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/sppro/sipwise.gpg
- else
- wget -O /etc/apt/trusted.gpg.d/sipwise.gpg ${SIPWISE_REPO_TRANSPORT}://${SIPWISE_REPO_HOST}/spce/sipwise.gpg
- fi
-
- md5sum_sipwise_key_expected=bcd09c9ad563b2d380152a97d5a0ea83
- md5sum_sipwise_key_calculated=$(md5sum /etc/apt/trusted.gpg.d/sipwise.gpg | awk '{print $1}')
-
- if [ "$md5sum_sipwise_key_calculated" != "$md5sum_sipwise_key_expected" ] ; then
- echo "Sipwise keyring has wrong checksum (expected: [$md5sum_sipwise_key_expected] - got: [$md5sum_sipwise_key_calculated]), retry $x"
- else
- break
- fi
- done
-
- if [ "$md5sum_sipwise_key_calculated" != "$md5sum_sipwise_key_expected" ] ; then
- die "Error validating sipwise keyring for apt usage, aborting installation."
- fi
-
- debootstrap_sipwise_key
 }
 install_apt_transport_https () {
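Review bot: The new `check_sipwise_keyring` tests only `-f`, so an empty keyring file passes here and the problem surfaces later inside debootstrap; `if ! [ -s "/usr/share/keyrings/sipwise-archive-keyring.gpg" ]; then` would reject the empty case at this point. The same path is repeated as a literal in the `KEYRING=` assignment in the last hunk, so the file that is checked and the file handed to debootstrap can drift apart; one variable defined before this function and used in both places would avoid that. With the checksum comparison removed, the keyring's integrity rests on apt having authenticated the ngcp-keyring package when it was installed on the deployment system, which is outside this diff, and a short comment above the function saying so would help the next reader.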
@@ -748,8 +709,8 @@ if ! "$NGCP_INSTALLER" ; then
 unset ROLE
 fi
-set_deploy_status "installing_sipwise_keys"
-install_sipwise_key
+set_deploy_status "check_sipwise_keyring"
+check_sipwise_keyring
 set_deploy_status "installing_apt_transport_https"
 install_apt_transport_https
@@ -1254,12 +1215,19 @@ $FIRMWARE_PACKAGES
 EOF
 fi
+if "$NGCP_INSTALLER" ; then
+ cat >> /etc/debootstrap/packages << EOF
+# ngcp archive keyring
+ngcp-keyring
+EOF
+fi
+
 # NOTE: we use the debian.sipwise.com CNAME by intention here
 # to avoid conflicts with apt-pinning, preferring deb.sipwise.com
 # over official Debian
 MIRROR="${SIPWISE_REPO_TRANSPORT}://${DEBIAN_REPO_HOST}/debian/"
 SEC_MIRROR="${SIPWISE_REPO_TRANSPORT}://${DEBIAN_REPO_HOST}/debian-security/"
-KEYRING='/etc/apt/trusted.gpg.d/sipwise.gpg'
+KEYRING='/usr/share/keyrings/sipwise-archive-keyring.gpg'
 set_deploy_status "debootstrap"
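Review bot: In the last hunk `ngcp-keyring` is appended to /etc/debootstrap/packages only inside `if "$NGCP_INSTALLER" ; then`, whereas the removed pre-script copied the key into the target's /etc/apt/trusted.gpg.d/ on every run, so a target built with NGCP_INSTALLER false now appears to end up without the Sipwise key while MIRROR still points at the Sipwise-hosted mirror. Whether apt inside such a target later needs that key depends on the sources.list setup outside this hunk; if it does, the package addition should be unconditional so nobody is pushed towards disabling signature checks. It is also not visible here which repository the target installs ngcp-keyring from and how that repository is authenticated before the keyring is present. A comment above the block such as `# ngcp-keyring must come from a repository already verified via $KEYRING` would record that assumption.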