authorDavid P <megver83@parabola.nu>2022-10-10 19:51:20 -0300
committerDavid P <megver83@parabola.nu>2022-10-10 19:51:20 -0300
commit2d97ca1c858d751307a9e2ff3f9b3836b9002f35 (patch)
tree6051f98e5fcddbf91b6b73f4980c120f55464f85
parent2dfe947ec513286f6c1fae54e5d0fcc37aa855f3 (diff)
sync with archiso fbc7224v67
fbc7224 (tag: v67) Add changelog for version 67 3e962db Update PGP key ID for David Runge 326cfed Add the ability to generate rootfs signatures using openssl CMS module if ``-c`` is given. 5f135b4 Add changelog entry for ordering pacman-init after time-sync.target 3f55c95 Order pacman-init.service after time-sync.target 69b22dc Enable systemd-timesyncd and systemd-time-wait-sync 8afa2b6 Merge remote-tracking branch 'origin/merge-requests/286' 4d64a58 remove ipw2100-fw and ipw2200-fw, cleanup of [core] ced3d3f Order pacman-init.service before archlinux-keyring-wkd-sync.service Signed-off-by: David P <megver83@parabola.nu>
-rw-r--r--AUTHORS.rst1
-rw-r--r--CHANGELOG.rst16
l---------configs/releng/airootfs/etc/systemd/system/dbus-org.freedesktop.timesync1.service1
-rw-r--r--configs/releng/airootfs/etc/systemd/system/pacman-init.service4
l---------configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-time-wait-sync.service1
l---------configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service1
-rwxr-xr-xparabolaiso/mkparabolaiso128
7 files changed, 113 insertions, 39 deletions
diff --git a/AUTHORS.rst b/AUTHORS.rst
index 89d5c1f..f6b5798 100644
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -35,6 +35,7 @@ Archiso Authors
* Øyvind Heggstad <heggstad@gmail.com>
* plain linen <bcdedit@hotmail.com>
* Pellegrino Prevete <pellegrinoprevete@gmail.com>
+* Anton Hvornum <anton@hvornum.se>
===================
Parabolaiso Authors
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 43aafd0..9ff12c3 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,6 +14,22 @@ Changed
Removed
-------
+[67] - 2022-09-25
+=================
+
+Added
+-----
+
+- The ability to generate rootfs signatures using openssl CMS module if ``-c`` is given.
+
+Changed
+-------
+
+- Order ``pacman-init.service`` before ``archlinux-keyring-wkd-sync.service`` since
+ ``archlinux-keyring-wkd-sync.service`` needs an initialized pacman keyring.
+- Order ``pacman-init.service`` after ``time-sync.target`` since ``pacman-init.service`` may otherwise create local
+ signatures that are not valid on target systems after installation.
+
[66] - 2022-08-28
=================
diff --git a/configs/releng/airootfs/etc/systemd/system/dbus-org.freedesktop.timesync1.service b/configs/releng/airootfs/etc/systemd/system/dbus-org.freedesktop.timesync1.service
new file mode 120000
index 0000000..cd00411
--- /dev/null
+++ b/configs/releng/airootfs/etc/systemd/system/dbus-org.freedesktop.timesync1.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/systemd-timesyncd.service \ No newline at end of file
diff --git a/configs/releng/airootfs/etc/systemd/system/pacman-init.service b/configs/releng/airootfs/etc/systemd/system/pacman-init.service
index b18f7f8..b824884 100644
--- a/configs/releng/airootfs/etc/systemd/system/pacman-init.service
+++ b/configs/releng/airootfs/etc/systemd/system/pacman-init.service
@@ -1,7 +1,9 @@
[Unit]
Description=Initializes Pacman keyring
Requires=etc-pacman.d-gnupg.mount
-After=etc-pacman.d-gnupg.mount
+After=etc-pacman.d-gnupg.mount time-sync.target
+BindsTo=etc-pacman.d-gnupg.mount
+Before=archlinux-keyring-wkd-sync.service
[Service]
Type=oneshot
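Review bot: The new `After=etc-pacman.d-gnupg.mount time-sync.target` line records no reason why keyring initialisation must wait for a synchronised clock, and a unit file has nowhere else to say it; a comment above the line saves the next reader a trip to the changelog, e.g. `# Wait for a synchronised clock so that locally generated keyring signatures carry valid timestamps`. `BindsTo=etc-pacman.d-gnupg.mount` is added next to the existing `Requires=` on the same mount; BindsTo already implies the Requires dependency, so the older line is now redundant (harmless, but worth dropping or commenting). Since time-sync.target is only reached once systemd-time-wait-sync.service, enabled by the symlinks in this commit, reports a synchronised clock, it is worth confirming that an offline boot of the live medium does not leave pacman-init waiting indefinitely.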
diff --git a/configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-time-wait-sync.service b/configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-time-wait-sync.service
new file mode 120000
index 0000000..cabf28b
--- /dev/null
+++ b/configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-time-wait-sync.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/systemd-time-wait-sync.service \ No newline at end of file
diff --git a/configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service b/configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
new file mode 120000
index 0000000..cd00411
--- /dev/null
+++ b/configs/releng/airootfs/etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/systemd-timesyncd.service \ No newline at end of file
diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso
index e4dcbfd..fa5f5ba 100755
--- a/parabolaiso/mkparabolaiso
+++ b/parabolaiso/mkparabolaiso
@@ -45,7 +45,6 @@ bootmodes=()
airootfs_image_type=""
airootfs_image_tool_options=()
cert_list=()
-sign_netboot_artifacts=""
declare -A file_permissions=()
efibootimg=""
efiboot_files=()
@@ -93,7 +92,8 @@ usage: ${app_name} [options] <profile_dir>
Default: '${iso_label}'
-P <publisher> Set the ISO publisher
Default: '${iso_publisher}'
- -c [cert ..] Provide certificates for codesigning of netboot artifacts
+ -c [cert ..] Provide certificates for codesigning of netboot artifacts as
+ well as the rootfs artifact.
Multiple files are provided as quoted, space delimited list.
The first file is considered as the signing certificate,
the second as the key.
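Review bot: The usage text still describes only two files (signing certificate and key), while the new code also consumes an optional third one: `_cms_sign_artifact` passes `cert_list[2]` as `-certfile` and `_make_packages` exports it as `PARABOLAISO_TLSCA_FD`. Unless the lines following this hunk already say so, the help should state it, e.g. `An optional third file is used as the CA certificate chain.`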
@@ -253,14 +253,11 @@ _mkchecksum() {
}
# GPG sign the root file system image.
-_mksignature() {
- local airootfs_image_filename gpg_options=()
- _msg_info "Signing ${arch} rootfs image..."
- if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
- airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
- elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
- airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
- fi
+_mk_pgp_signature() {
+ local gpg_options=()
+ local airootfs_image_filename="${1}"
+ _msg_info "Signing rootfs image using GPG..."
+
rm -f -- "${airootfs_image_filename}.sig"
# Add gpg sender option if the value is provided
[[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
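Review bot: `_mk_pgp_signature` uses its argument without checking it, so if the sfs/erofs detection in `_prepare_airootfs_image` matches nothing it runs `rm -f -- ".sig"` and then tries to sign an empty path; a guard at the top, `[[ -n "${airootfs_image_filename}" ]] || _msg_error "No rootfs image found to sign." 1`, makes the failure explicit (assuming, as the `0` passed elsewhere suggests, that the second argument of `_msg_error` is the exit status). The header comment should also document the parameter now that the function takes one, e.g. `# GPG sign the root file system image. $1: path of the rootfs image (airootfs.sfs or airootfs.erofs).` The function body continues past the end of the hunk.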
@@ -385,6 +382,15 @@ _make_packages() {
exec {PARABOLAISO_GNUPG_FD}<>"${work_dir}/pubkey.gpg"
export PARABOLAISO_GNUPG_FD
fi
+ if [[ -v cert_list[0] ]]; then
+ exec {PARABOLAISO_TLS_FD}<>"${cert_list[0]}"
+ export PARABOLAISO_TLS_FD
+ fi
+ if [[ -v cert_list[2] ]]; then
+ exec {PARABOLAISO_TLSCA_FD}<>"${cert_list[2]}"
+ export PARABOLAISO_TLSCA_FD
+ fi
+
# Unset TMPDIR to work around https://bugs.archlinux.org/task/70580
if [[ "${quiet}" = "y" ]]; then
@@ -393,6 +399,14 @@ _make_packages() {
env -u TMPDIR pacstrap -C "${work_dir}/${buildmode}.pacman.conf.${arch}" -c -G -M -- "${pacstrap_dir}" "${buildmode_pkg_list[@]}" "${buildmode_pkg_list_arch[@]}"
fi
+ if [[ -v cert_list[0] ]]; then
+ exec {PARABOLAISO_TLS_FD}<&-
+ unset PARABOLAISO_TLS_FD
+ fi
+ if [[ -v cert_list[2] ]]; then
+ exec {PARABOLAISO_TLSCA_FD}<&-
+ unset PARABOLAISO_TLSCA_FD
+ fi
if [[ -n "${gpg_key}" ]]; then
exec {PARABOLAISO_GNUPG_FD}<&-
unset PARABOLAISO_GNUPG_FD
@@ -1015,8 +1029,18 @@ _validate_requirements_bootmode_uefi-x64.grub.eltorito() {
_prepare_airootfs_image() {
_run_once "_mkairootfs_${airootfs_image_type}"
_mkchecksum
+
+ if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
+ elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
+ fi
+
if [[ -n "${gpg_key}" ]]; then
- _mksignature
+ _mk_pgp_signature "${airootfs_image_filename}"
+ fi
+ if [[ -v cert_list ]]; then
+ _cms_sign_artifact "${airootfs_image_filename}"
fi
}
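Review bot: The sfs/erofs lookup is copied verbatim here and in the `_build_buildmode_netboot` hunk (the last hunk of this file), and both assign `airootfs_image_filename` without `local` and without handling the case where neither image exists, which leaves the variable empty or unset and lets the signing helpers run on an empty path. A small helper that prints the path, or fails, keeps the two call sites in step; a sketch of the helper and of the rewritten lines of this function follows. The exit-status convention of `_msg_error` is inferred from the `0` passed elsewhere and should be checked.
```shell
# Print the path of the rootfs image built by _mkairootfs_*; fail if there is none.
_get_airootfs_image_filename() {
    local _name
    for _name in airootfs.sfs airootfs.erofs; do
        if [[ -e "${isofs_dir}/${install_dir}/${arch}/${_name}" ]]; then
            printf '%s\n' "${isofs_dir}/${install_dir}/${arch}/${_name}"
            return 0
        fi
    done
    _msg_error "No rootfs image found in '${isofs_dir}/${install_dir}/${arch}'." 1
}

_prepare_airootfs_image() {
    local airootfs_image_filename
    _run_once "_mkairootfs_${airootfs_image_type}"
    _mkchecksum
    airootfs_image_filename="$(_get_airootfs_image_filename)" || return 1
    # … unchanged: gpg and cms signing calls …
}
```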
@@ -1029,6 +1053,32 @@ _export_netboot_artifacts() {
du -hs -- "${out_dir}/${install_dir}"
}
+_cms_sign_artifact() {
+ local artifact="${1}"
+ local openssl_flags=(
+ "-sign"
+ "-binary"
+ "-nocerts"
+ "-noattr"
+ "-outform" "DER" "-out" "${artifact}.cms.sig"
+ "-in" "${artifact}"
+ "-signer" "${cert_list[0]}"
+ "-inkey" "${cert_list[1]}"
+ )
+
+ if (( ${#cert_list[@]} > 2 )); then
+ openssl_flags+=("-certfile" "${cert_list[2]}")
+ fi
+
+ _msg_info "Signing ${artifact} image using openssl cms..."
+
+ rm -f -- "${artifact}.cms.sig"
+
+ openssl cms "${openssl_flags[@]}"
+
+ _msg_info "Done!"
+}
+
# sign build artifacts for netboot
_sign_netboot_artifacts() {
local _file _dir
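Review bot: `_cms_sign_artifact` prints `Done!` whether or not `openssl cms` succeeded, so unless the script runs under `set -e` (not visible here) a signing failure leaves a missing or truncated `${artifact}.cms.sig` and the build carries on; guard the call, e.g. `openssl cms "${openssl_flags[@]}" || _msg_error "openssl cms signing of '${artifact}' failed." 1`. The neighbouring signing functions each have a one-line header comment and this one has none; the flags deserve one because `-nocerts` keeps the signer certificate out of the detached DER signature, so whoever verifies it must obtain the certificate separately: `# Create a detached CMS signature (DER) for an artifact with openssl; -nocerts omits the signer cert, so verifiers need the certificate out-of-band.`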
@@ -1181,6 +1231,26 @@ _validate_common_requirements_buildmode_iso_netboot() {
fi
fi
+ if [[ -v cert_list ]]; then
+ # Check if the certificate files exist
+ for _cert in "${cert_list[@]}"; do
+ if [[ ! -e "${_cert}" ]]; then
+ (( validation_error=validation_error+1 ))
+ _msg_error "File '${_cert}' does not exist." 0
+ fi
+ done
+ # Check if there are at least three certificate files to sign netboot and rootfs.
+ if (( ${#cert_list[@]} < 2 )); then
+ (( validation_error=validation_error+1 ))
+ _msg_error "Two certificates are required for codesigning netboot artifacts, but '${cert_list[*]}' is provided." 0
+ fi
+
+ if ! command -v openssl &> /dev/null; then
+ (( validation_error=validation_error+1 ))
+ _msg_error "Validating build mode '${_buildmode}': openssl is not available on this host. Install 'openssl'!" 0
+ fi
+ fi
+
# Check if the specified airootfs_image_type is supported
if typeset -f "_mkairootfs_${airootfs_image_type}" &> /dev/null; then
if typeset -f "_validate_requirements_airootfs_image_type_${airootfs_image_type}" &> /dev/null; then
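Review bot: The comment `# Check if there are at least three certificate files to sign netboot and rootfs.` contradicts the check under it (`< 2`) and the error message, which both require two; the third file is optional (it becomes `-certfile` in `_cms_sign_artifact`), so the comment should read `# Check that at least two files (signing certificate and key) are given; an optional third is the CA chain.` The loop variable `_cert` is not declared `local` anywhere in the hunk; if the enclosing function (its head is outside the hunk) does not declare it, it leaks into the global scope.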
@@ -1222,31 +1292,8 @@ _validate_requirements_buildmode_iso() {
}
_validate_requirements_buildmode_netboot() {
- local _override_cert_list=()
-
- if [[ "${sign_netboot_artifacts}" == "y" ]]; then
- # Check if the certificate files exist
- for _cert in "${cert_list[@]}"; do
- if [[ -e "${_cert}" ]]; then
- _override_cert_list+=("$(realpath -- "${_cert}")")
- else
- (( validation_error=validation_error+1 ))
- _msg_error "File '${_cert}' does not exist." 0
- fi
- done
- cert_list=("${_override_cert_list[@]}")
- # Check if there are at least two certificate files
- if (( ${#cert_list[@]} < 2 )); then
- (( validation_error=validation_error+1 ))
- _msg_error "Two certificates are required for codesigning, but '${cert_list[*]}' is provided." 0
- fi
- fi
_validate_common_requirements_buildmode_iso_netboot
_validate_common_requirements_buildmode_all
- if ! command -v openssl &> /dev/null; then
- (( validation_error=validation_error+1 ))
- _msg_error "Validating build mode '${_buildmode}': openssl is not available on this host. Install 'openssl'!" 0
- fi
}
# SYSLINUX El Torito
@@ -1624,10 +1671,7 @@ _set_overrides() {
fi
[[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
[[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
- if [[ -v override_cert_list ]]; then
- sign_netboot_artifacts="y"
- fi
- [[ ! -v override_cert_list ]] || cert_list+=("${override_cert_list[@]}")
+ [[ ! -v override_cert_list ]] || mapfile -t cert_list < <(realpath -- "${override_cert_list[@]}")
if [[ -v override_quiet ]]; then
quiet="$override_quiet"
elif [[ -z "$quiet" ]]; then
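Review bot: `mapfile -t cert_list < <(realpath -- "${override_cert_list[@]}")` silently drops any entry realpath cannot resolve (for GNU realpath, a path whose directory does not exist: the error goes to stderr, the remaining arguments are still printed, and the process substitution's status is ignored), which shifts the remaining elements, so a bad first path turns the key into the "certificate" and the CA file into the "key", and the later `File ... does not exist` check never sees the bad path. Resolving each entry separately keeps the positions stable and lets validation report the offending file; a sketch follows, which assumes `_set_overrides` (its head is outside the hunk) does not already declare `_cert`. The line also turns the previous `cert_list+=(...)` append into a replacement of any profile-supplied list; if that is intended it deserves a comment.
```shell
if [[ -v override_cert_list ]]; then
    local _cert
    cert_list=()
    for _cert in "${override_cert_list[@]}"; do
        # An unresolvable path is kept as given so cert/key/CA positions stay stable
        # and the existence check in validation reports it.
        cert_list+=("$(realpath -- "${_cert}" 2>/dev/null || printf '%s' "${_cert}")")
    done
fi
```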
@@ -1785,8 +1829,16 @@ _build_buildmode_netboot() {
local run_once_mode="${buildmode}"
_build_iso_base
+
+ if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
+ elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
+ fi
+
if [[ -v cert_list ]]; then
_run_once _sign_netboot_artifacts
+ _cms_sign_artifact "${airootfs_image_filename}"
fi
_run_once _export_netboot_artifacts
}
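Review bot: `_cms_sign_artifact "${airootfs_image_filename}"` here signs the rootfs a second time if `_build_iso_base` (outside the hunk) runs `_prepare_airootfs_image`, which in this commit CMS-signs the same image whenever `cert_list` is set; the `rm -f` inside the helper makes the repeat harmless, but the work is redundant, and unlike `_sign_netboot_artifacts` the call is not wrapped in `_run_once`, so it is repeated on every rebuild. If `_build_iso_base` does reach `_prepare_airootfs_image`, drop this call together with the copied sfs/erofs lookup above it; otherwise consider `_run_once _cms_sign_artifact "${airootfs_image_filename}"`, provided `_run_once` forwards arguments (its definition is not visible here).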