authorsharethewisdom2019-12-07 03:12:08 +0100
committersharethewisdom2019-12-07 03:42:05 +0100
commitff88eb86eb43451af81b6bd41d0431fd6748e014 (patch)
tree9bf43c0837645671d14787be2e804a19a91e8b00
downloadaur-ff88eb86eb43451af81b6bd41d0431fd6748e014.tar.gz
initial commit
-rw-r--r--.SRCINFO50
-rw-r--r--.gitignore10
-rw-r--r--0001-mkinitcpio-remove-preset-pacsave.patch59
-rw-r--r--0002-mkinitcpio-sign-when-done.patch30
-rw-r--r--89-mkinitcpio-sign-install.hook12
-rw-r--r--PKGBUILD53
-rw-r--r--gpg.conf6
-rw-r--r--mkinitcpio-sign-install23
-rw-r--r--mkinitcpio.install15
9 files changed, 258 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..1a1d586917dd
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,50 @@
+pkgbase = mkinitcpio-sign-patch
+ pkgdesc = Modular initramfs image creation utility (automatically signs kernels and images)
+ pkgver = 27
+ pkgrel = 2
+ url = https://projects.archlinux.org/mkinitcpio.git/
+ install = mkinitcpio.install
+ arch = any
+ license = GPL
+ depends = awk
+ depends = mkinitcpio-busybox>=1.19.4-2
+ depends = kmod
+ depends = util-linux>=2.23
+ depends = libarchive
+ depends = coreutils
+ depends = bash
+ depends = diffutils
+ depends = findutils
+ depends = grep
+ depends = filesystem>=2011.10-1
+ depends = gzip
+ depends = systemd
+ depends = gnupg
+ optdepends = xz: Use lzma or xz compression for the initramfs image
+ optdepends = bzip2: Use bzip2 compression for the initramfs image
+ optdepends = lzop: Use lzo compression for the initramfs image
+ optdepends = lz4: Use lz4 compression for the initramfs image
+ optdepends = mkinitcpio-nfs-utils: Support for root filesystem on NFS
+ provides = initramfs
+ conflicts = mkinitcpio
+ backup = etc/mkinitcpio.conf
+ source = https://sources.archlinux.org/other/mkinitcpio/mkinitcpio-27.tar.gz
+ source = https://sources.archlinux.org/other/mkinitcpio/mkinitcpio-27.tar.gz.sig
+ source = 0001-mkinitcpio-remove-preset-pacsave.patch
+ source = gpg.conf
+ source = 89-mkinitcpio-sign-install.hook
+ source = mkinitcpio-sign-install
+ source = 0002-mkinitcpio-sign-when-done.patch
+ validpgpkeys = 487EACC08557AD082088DABA1EB2638FF56C0C53
+ validpgpkeys = 86CFFCA918CF3AF47147588051E8B148A9999C34
+ validpgpkeys = ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB
+ sha256sums = e6bff1cb78b677538eb9aace900b715fd59de8fc210b74fb9d899dfaa32bc354
+ sha256sums = SKIP
+ sha256sums = 845569fa760f70c868ecb3dc8ae9667287970526dddaf403fdafcb716e8b3d51
+ sha256sums = f6eebbd610dcb91288d39b93e4f7f7f47e1c13abaab2d379607d78d417bfd0c7
+ sha256sums = cb094c11de6d4ad903484dea41ef456a4a92c788e570ff8f21214021de7e4f14
+ sha256sums = dc555d3c8d774556732362ae707704b09b86c21c55f53f5c68215ca1d3b24b0a
+ sha256sums = 5dc8d9ae28979ea09a6b2ba0192a211421b0a40518a8763bdc86c4f841926590
+
+pkgname = mkinitcpio-sign-patch
+
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000000..d7727ffc22a3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+*
+!.gitignore
+!.SRCINFO
+!PKGBUILD
+!0001-mkinitcpio-remove-preset-pacsave.patch
+!0002-mkinitcpio-sign-when-done.patch
+!gpg.conf
+!mkinitcpio-sign-install
+!mkinitcpio.install
+!89-mkinitcpio-sign-install.hook
diff --git a/0001-mkinitcpio-remove-preset-pacsave.patch b/0001-mkinitcpio-remove-preset-pacsave.patch
new file mode 100644
index 000000000000..e2f7efc30aad
--- /dev/null
+++ b/0001-mkinitcpio-remove-preset-pacsave.patch
@@ -0,0 +1,59 @@
+diff --git a/libalpm/scripts/mkinitcpio-remove b/libalpm/scripts/mkinitcpio-remove
+index 86838e4..17b4b31 100644
+--- a/libalpm/scripts/mkinitcpio-remove
++++ b/libalpm/scripts/mkinitcpio-remove
+@@ -2,6 +2,20 @@
+
+ package=0
+
++process_preset() {
++ if [[ -n "${pkgbase}" && -e $preset ]]; then
++ if ! cmp $preset > /dev/null 2>&1 <(sed "s|%PKGBASE%|${pkgbase}|g" /usr/share/mkinitcpio/hook.preset); then
++ if [[ ! -e $preset.pacsave ]]; then
++ # save the preset as pacsave
++ mv $preset $preset.pacsave && return 0
++ fi
++ else
++ # remove the preset
++ rm $preset && return 0
++ fi
++ fi
++}
++
+ while read -r line; do
+ if [[ $line != */vmlinuz ]]; then
+ # triggers when it's a change to usr/lib/initcpio/*
+@@ -23,17 +37,25 @@ while read -r line; do
+ # remove the installed kernel
+ rm $kernel
+ fi
+- if [[ -e $preset ]]; then
+- # remove the preset
+- rm $preset
++
++ process_preset "${pkgbase}" $preset
++
++ if [[ -e $initramfs ]]; then
++ # remove the main image
++ rm $initramfs
+ fi
+- if [[ -e $initramfs && -e $fallback_initramfs ]]; then
+- # remove the images
+- rm $initramfs $fallback_initramfs
++ if [[ -e $fallback_initramfs ]]; then
++ # remove the fallback image
++ rm $fallback_initramfs
+ fi
+ done
+
+ if (( package )) && compgen -G /etc/mkinitcpio.d/"*.preset" > /dev/null; then
+- # remove all presets
+- rm /etc/mkinitcpio.d/*.preset
++ shopt -s nullglob
++ for preset in /etc/mkinitcpio.d/*.preset; do
++ pkgbase=${preset##*/}
++ pkgbase=${pkgbase%.preset}
++ process_preset "${pkgbase}" $preset
++ done
++ shopt -u nullglob
+ fi
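Review bot: `process_preset` is called as `process_preset "${pkgbase}" $preset` at both call sites, but the function body never reads `$1` or `$2`; it works only because `pkgbase` and `preset` are globals with the same names. Bind the arguments at the top of the function with `local pkgbase=$1 preset=$2`, and quote every `$preset` (`cmp "$preset"`, `mv "$preset" "$preset.pacsave"`, `rm "$preset"`) so a path with spaces or glob characters cannot split. When the preset was modified and a `.pacsave` already exists, the function leaves the modified preset in place without a message; if that is intended, a comment saying so would help.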
diff --git a/0002-mkinitcpio-sign-when-done.patch b/0002-mkinitcpio-sign-when-done.patch
new file mode 100644
index 000000000000..8dd8822ec33c
--- /dev/null
+++ b/0002-mkinitcpio-sign-when-done.patch
@@ -0,0 +1,30 @@
+diff --unified --recursive --text a/mkinitcpio b/mkinitcpio
+--- a/mkinitcpio 2019-12-07 01:05:10.293236383 +0100
++++ b/mkinitcpio 2019-12-07 02:47:29.735948757 +0100
+@@ -245,6 +245,26 @@
+ error "Image generation FAILED: %s" "$errmsg"
+ elif (( _builderrors == 0 )); then
+ msg "Image generation successful"
++ sleep .1
++ if [ ! -d "${out%/*}" ]; then
++ error "Directory \"${out%/*}\" not found!"
++ else
++ gpg=(/usr/bin/gpg --homedir /usr/lib/initcpio/sign)
++ if [ ! -f $out.sig ] || ! `${gpg[@]} --verify "$out.sig" "$out" 1>/dev/null 2>&1`; then
++ msg "Signing updated $out ..."
++ ${gpg[@]} --detach-sign "$out"
++ [ $? -gt 0 ] && error "$out is not signed!"
++ fi
++ kernelimg=/boot/vmlinuz-${out#*-}
++ kernelimg=${kernelimg%.img}
++ kernelimg=${kernelimg%-fallback}
++ if [ ! -f ${kernelimg}.sig ] || ! `${gpg[@]} --verify ${kernelimg}.sig "$kernelimg" 1>/dev/null 2>&1`; then
++ msg "Signing updated kernel $kernelimg ..."
++ ${gpg[@]} --detach-sign "$kernelimg"
++ [ $? -gt 0 ] && error "$kernelimg is not signed!"
++ fi
++ /usr/bin/gpgconf --kill gpg-agent 1>/dev/null 2>&1
++ fi
+ fi
+ }
+
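Review bot: Both `--verify` conditions wrap gpg in backticks, so the shell treats gpg's output as a command to run, and the test works only because that output is sent to /dev/null. `${gpg[@]}`, `$out.sig` and `${kernelimg}.sig` are also unquoted. Call gpg directly, e.g. `if [[ ! -f "$out.sig" ]] || ! "${gpg[@]}" --verify "$out.sig" "$out" &>/dev/null; then`, and do the same for the kernel image check. A failed `--detach-sign` only reaches `error`, and the hunk does not show whether that stops the run, so a missing or stale `.sig` next to a fresh image may go unnoticed by the caller. The enclosing function starts outside the hunk.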
diff --git a/89-mkinitcpio-sign-install.hook b/89-mkinitcpio-sign-install.hook
new file mode 100644
index 000000000000..4921bb58c565
--- /dev/null
+++ b/89-mkinitcpio-sign-install.hook
@@ -0,0 +1,12 @@
+[Trigger]
+Type = File
+Operation = Install
+Operation = Upgrade
+Target = usr/lib/modules/*/vmlinuz
+Target = usr/lib/initcpio/*
+
+[Action]
+Description = Checking for a keypair to sign images with
+When = PostTransaction
+Exec = /usr/share/libalpm/scripts/mkinitcpio-sign-install
+NeedsTargets
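Review bot: `NeedsTargets` makes pacman write the matched target paths to the hook's stdin, but the `mkinitcpio-sign-install` script added in this commit never reads that list. Its interactive steps (`gpg --gen-key`, `read pass`) therefore get the target list as input, not a terminal. Either drop `NeedsTargets` or have the script consume the targets. Prefer that the hook only checks for an existing key and fails with instructions, leaving key generation to a manual step outside the transaction.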
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..c5c5acf67026
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,53 @@
+# Maintainer: Bart De Roy <de dot roy dot bart at gmail dot com>
+
+pkgname=mkinitcpio-sign-patch
+pkgver=27
+pkgrel=2
+pkgdesc="Modular initramfs image creation utility (automatically signs kernels and images)"
+arch=('any')
+url="https://projects.archlinux.org/mkinitcpio.git/"
+license=('GPL')
+depends=('awk' 'mkinitcpio-busybox>=1.19.4-2' 'kmod' 'util-linux>=2.23' 'libarchive' 'coreutils'
+ 'bash' 'diffutils' 'findutils' 'grep' 'filesystem>=2011.10-1' 'gzip' 'systemd' 'gnupg')
+optdepends=('xz: Use lzma or xz compression for the initramfs image'
+ 'bzip2: Use bzip2 compression for the initramfs image'
+ 'lzop: Use lzo compression for the initramfs image'
+ 'lz4: Use lz4 compression for the initramfs image'
+ 'mkinitcpio-nfs-utils: Support for root filesystem on NFS')
+provides=('initramfs')
+conflicts=('mkinitcpio')
+backup=('etc/mkinitcpio.conf')
+source=("https://sources.archlinux.org/other/${pkgname%-sign-patch}/${pkgname%-sign-patch}-$pkgver.tar.gz"{,.sig}
+ "0001-mkinitcpio-remove-preset-pacsave.patch"
+ "gpg.conf" "89-mkinitcpio-sign-install.hook" "mkinitcpio-sign-install"
+ "0002-mkinitcpio-sign-when-done.patch")
+install=mkinitcpio.install
+sha256sums=('e6bff1cb78b677538eb9aace900b715fd59de8fc210b74fb9d899dfaa32bc354'
+ 'SKIP'
+ '845569fa760f70c868ecb3dc8ae9667287970526dddaf403fdafcb716e8b3d51'
+ 'f6eebbd610dcb91288d39b93e4f7f7f47e1c13abaab2d379607d78d417bfd0c7'
+ 'cb094c11de6d4ad903484dea41ef456a4a92c788e570ff8f21214021de7e4f14'
+ 'dc555d3c8d774556732362ae707704b09b86c21c55f53f5c68215ca1d3b24b0a'
+ '5dc8d9ae28979ea09a6b2ba0192a211421b0a40518a8763bdc86c4f841926590')
+validpgpkeys=('487EACC08557AD082088DABA1EB2638FF56C0C53' # Dave Reisner
+ '86CFFCA918CF3AF47147588051E8B148A9999C34' # Evangelos Foutras
+ 'ECCAC84C1BA08A6CC8E63FBBF22FB1D78A77AEAB') # Giancarlo Razzolini
+
+prepare() {
+ cd ${pkgname%-sign-patch}-$pkgver
+ # Apply 0001-mkinitcpio-remove-preset-pacsave.patch
+ patch -Np1 < $srcdir/0001-mkinitcpio-remove-preset-pacsave.patch
+ patch -Np1 < $srcdir/0002-mkinitcpio-sign-when-done.patch
+}
+
+check() {
+ make -C "${pkgname%-sign-patch}-$pkgver" check
+}
+
+package() {
+ make -C "${pkgname%-sign-patch}-$pkgver" DESTDIR="$pkgdir" install
+ install -m644 $srcdir/89-mkinitcpio-sign-install.hook $pkgdir/usr/share/libalpm/hooks/89-mkinitcpio-sign-install.hook
+ install -m755 $srcdir/mkinitcpio-sign-install $pkgdir/usr/share/libalpm/scripts/mkinitcpio-sign-install
+ install -dm700 $pkgdir/usr/lib/initcpio/sign
+ install -m600 $srcdir/gpg.conf $pkgdir/usr/lib/initcpio/sign/gpg.conf
+}
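Review bot: `$srcdir` and `$pkgdir` are unquoted throughout `prepare()` and `package()`, so a build directory containing spaces breaks the `patch` and `install` calls. Quote them, e.g. `patch -Np1 < "$srcdir/0002-mkinitcpio-sign-when-done.patch"` and `install -dm700 "$pkgdir/usr/lib/initcpio/sign"`. The comment `# Apply 0001-mkinitcpio-remove-preset-pacsave.patch` describes only the first of the two patches; a short comment on what the second patch changes (signing images and kernels after generation) would tell users what this package adds over stock mkinitcpio.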
diff --git a/gpg.conf b/gpg.conf
new file mode 100644
index 000000000000..bf86bf9ed18c
--- /dev/null
+++ b/gpg.conf
@@ -0,0 +1,6 @@
+yes
+no-greeting
+disable-dirmngr
+pinentry-mode loopback
+batch
+passphrase-file /usr/lib/initcpio/sign/passphrase
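Review bot: `passphrase-file /usr/lib/initcpio/sign/passphrase` keeps the passphrase in the same directory as the secret keyring, so it adds no protection beyond that directory's permissions: anyone who can read this homedir can produce valid signatures. That trade-off may be unavoidable for unattended signing, but the file should state it, e.g. `# passphrase is stored beside the secret key; signatures are only as trustworthy as access to this directory`. `yes` combined with `batch` also answers every gpg confirmation automatically, which deserves a one-line comment on why it is required.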
diff --git a/mkinitcpio-sign-install b/mkinitcpio-sign-install
new file mode 100644
index 000000000000..4bacd2fe0071
--- /dev/null
+++ b/mkinitcpio-sign-install
@@ -0,0 +1,23 @@
+#!/bin/bash -e
+
+pushd /usr/lib/initcpio/sign
+gpg-agent --daemon --max-cache-ttl 1
+keys=(`gpg --homedir . --list-keys --with-colons | awk -F: '/^pub:/ { print $5 }' | tr '\n' ' '`)
+
+if [[ $keys != "" ]]; then
+ echo "found $keys"
+else
+ gpg --homedir . --gen-key
+ [ $? -ne 0 ] && 1>&2 echo "you need to generate a GPG keypair to use for signing in /usr/lib/initcpio/sign" && exit 1
+ gpg --homedir . --export > ~/boot.key
+fi
+
+if [ ! -f ./passphrase ] && `read pass`; then
+ echo "$pass" > passphrase
+fi
+
+chmod 600 passphrase 2>&1 1>/dev/null
+
+if (( ${#args[@]} )); then
+ mkinitcpio "${args[@]}"
+fi
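Review bot: The passphrase prompt runs `read pass` inside backticks, so `pass` is set only in a subshell and `echo "$pass" > passphrase` writes an empty line. The file is also created with the default umask and tightened only afterwards by `chmod 600`. Something like `if [[ ! -f passphrase ]] && IFS= read -rs pass; then ( umask 077; printf '%s\n' "$pass" > passphrase ); fi` fixes both and stops the passphrase being echoed. With `-e` in the shebang, the `[ $? -ne 0 ]` message after `gpg --gen-key` is never reached on failure, and `-e` is lost if the script is started as `bash mkinitcpio-sign-install`; use `set -e` in the body and `if ! gpg --homedir . --gen-key; then ...`. `args` is never assigned in this script, so the final `mkinitcpio "${args[@]}"` branch cannot run as written.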
diff --git a/mkinitcpio.install b/mkinitcpio.install
new file mode 100644
index 000000000000..8571ee7d3f2d
--- /dev/null
+++ b/mkinitcpio.install
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+post_upgrade() {
+ if [ "$(vercmp 0.9.0 "$2")" -eq 1 ]; then
+ printf '==> If your /usr is on a separate partition, you must add the "usr" hook\n'
+ printf ' to /etc/mkinitcpio.conf and regenerate your images before rebooting\n'
+ fi
+
+ if [ "$(vercmp 0.12.0 "$2")" -eq 1 ]; then
+ printf '==> The "block" hook has replaced several hooks:\n'
+ printf ' fw, sata, pata, scsi, virtio, mmc, usb\n'
+ printf ' Replace any and all of these in /etc/mkinitcpio.conf with a single\n'
+ printf ' instance of the "block" hook\n'
+ fi
+}