authorDavid P <megver83@parabola.nu>2021-08-24 19:32:04 -0400
committerDavid P <megver83@parabola.nu>2021-08-24 19:32:13 -0400
commit388f67f632d8493cb4d58a4e7a1c65c75e60a40c (patch)
tree0a19035d330436a7ba52028d2171e263ad82a6e9 /parabolaiso/mkparabolaiso
parent3cb2f96bb185feb0804ee2920b7331f21d35e97e (diff)
sync with archiso
imported: 019f5aa (HEAD -> master, origin/master, origin/HEAD) Merge remote-tracking branch 'nl6720/gpg-sender' 3c6cdb1 .gitlab/ci/build_archiso.sh: use mkarchiso's -G option 59dffcf mkarchiso: support setting gpg sender ea9572b mkarchiso: add some sane gpg options to override those set in user's gpg.conf d3caf6f Merge remote-tracking branch 'nl6720/openssh-8.7p1' 56dc96e configs/*/airootfs/etc/ssh/sshd_config: update to openssh 8.7p1-1 a915e34 Merge remote-tracking branch 'nl6720/netboot-version' 0a58431 mkarchiso: put version files in netboot artifacts a560de4 Merge remote-tracking branch 'nl6720/no-mount' b040ef1 mkarchiso: ensure there are no existing image files before trying to create them 6185448 mkarchiso: copy files to ext4 image using mkfs.ext4's -d option instead of mounting the file system Signed-off-by: David P <megver83@parabola.nu>
Diffstat (limited to 'parabolaiso/mkparabolaiso')
-rwxr-xr-xparabolaiso/mkparabolaiso82
1 files changed, 43 insertions, 39 deletions
diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso
index 20883b9..9abbba4 100755
--- a/parabolaiso/mkparabolaiso
+++ b/parabolaiso/mkparabolaiso
@@ -19,6 +19,7 @@ quiet=""
work_dir=""
out_dir=""
gpg_key=""
+gpg_sender=""
iso_name=""
iso_label=""
iso_publisher=""
@@ -67,22 +68,6 @@ _msg_error() {
fi
}
-_mount_airootfs() {
- trap "_umount_airootfs" EXIT HUP INT TERM
- install -d -m 0755 -- "${work_dir}/mnt/airootfs"
- _msg_info "Mounting '${pacstrap_dir}.img' on '${work_dir}/mnt/airootfs'..."
- mount -- "${pacstrap_dir}.img" "${work_dir}/mnt/airootfs"
- _msg_info "Done!"
-}
-
-_umount_airootfs() {
- _msg_info "Unmounting '${work_dir}/mnt/airootfs'..."
- umount -d -- "${work_dir}/mnt/airootfs"
- _msg_info "Done!"
- rmdir -- "${work_dir}/mnt/airootfs"
- trap - EXIT HUP INT TERM
-}
-
# Show help usage, with an exit status.
# $1: exit status number.
_usage() {
@@ -104,7 +89,10 @@ usage: ${app_name} [options] <profile_dir>
Multiple files are provided as quoted, space delimited list.
The first file is considered as the signing certificate,
the second as the key.
- -g <gpg_key> Set the PGP key ID to be used for signing the rootfs image
+ -g <gpg_key> Set the PGP key ID to be used for signing the rootfs image.
+ Passed to gpg as the value for --default-key
+ -G <mbox> Set the PGP signer (must include an email address)
+ Passed to gpg as the value for --sender
-h This message
-m [mode ..] Build mode(s) to use (valid modes are: 'bootstrap', 'iso' and 'netboot').
Multiple build modes are provided as quoted, space delimited list.
@@ -135,6 +123,7 @@ _show_config() {
_msg_info " Current build mode: ${buildmode}"
_msg_info " Build modes: ${buildmodes[*]}"
_msg_info " GPG key: ${gpg_key:-None}"
+ _msg_info " GPG signer: ${gpg_sender:-None}"
_msg_info "Code signing certificates: ${cert_list[*]}"
_msg_info " Profile: ${profile}"
_msg_info "Pacman configuration file: ${pacman_conf}"
@@ -180,6 +169,7 @@ _cleanup_pacstrap_dir() {
# $@: options to pass to mksquashfs
_run_mksquashfs() {
local image_path="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
+ rm -f -- "${image_path}"
if [[ "${quiet}" == "y" ]]; then
mksquashfs "$@" "${image_path}" -noappend "${airootfs_image_tool_options[@]}" -no-progress > /dev/null
else
@@ -190,22 +180,27 @@ _run_mksquashfs() {
# Create an ext4 image containing the root file system and pack it inside a squashfs image.
# Save the squashfs image on the ISO 9660 file system.
_mkairootfs_ext4+squashfs() {
+ local ext4_hash_seed mkfs_ext4_options=()
[[ -e "${pacstrap_dir}" ]] || _msg_error "The path '${pacstrap_dir}' does not exist" 1
- _msg_info "Creating ext4 image of 32 GiB..."
- if [[ "${quiet}" == "y" ]]; then
- mkfs.ext4 -q -O '^has_journal,^resize_inode' -E 'lazy_itable_init=0' -m 0 -F -- "${pacstrap_dir}.img" 32G
- else
- mkfs.ext4 -O '^has_journal,^resize_inode' -E 'lazy_itable_init=0' -m 0 -F -- "${pacstrap_dir}.img" 32G
- fi
+ _msg_info "Creating ext4 image of 32 GiB and copying '${pacstrap_dir}/' to it..."
+
+ ext4_hash_seed="$(uuidgen --sha1 --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 \
+ --name "${SOURCE_DATE_EPOCH} ext4 hash seed")"
+ mkfs_ext4_options=(
+ '-d' "${pacstrap_dir}"
+ '-O' '^has_journal,^resize_inode'
+ '-E' "lazy_itable_init=0,root_owner=0:0,hash_seed=${ext4_hash_seed}"
+ '-m' '0'
+ '-F'
+ '-U' 'clear'
+ )
+ [[ ! "${quiet}" == "y" ]] || mkfs_ext4_options+=('-q')
+ rm -f -- "${pacstrap_dir}.img"
+ E2FSPROGS_FAKE_TIME="${SOURCE_DATE_EPOCH}" mkfs.ext4 "${mkfs_ext4_options[@]}" -- "${pacstrap_dir}.img" 32G
tune2fs -c 0 -i 0 -- "${pacstrap_dir}.img" > /dev/null
_msg_info "Done!"
- _mount_airootfs
- _msg_info "Copying '${pacstrap_dir}/' to '${work_dir}/mnt/airootfs/'..."
- cp -aT -- "${pacstrap_dir}/" "${work_dir}/mnt/airootfs/"
- chown -- 0:0 "${work_dir}/mnt/airootfs/"
- _msg_info "Done!"
- _umount_airootfs
+
install -d -m 0755 -- "${isofs_dir}/${install_dir}/${arch}"
_msg_info "Creating SquashFS image, this may take some time..."
_run_mksquashfs "${pacstrap_dir}.img"
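Review bot: Both the hash seed and `E2FSPROGS_FAKE_TIME` in `_mkairootfs_ext4+squashfs` are derived from `SOURCE_DATE_EPOCH`, and nothing visible in this hunk checks that it is set and non-empty. If it were empty, the seed would be computed from the constant string ` ext4 hash seed` and the fake-time override would carry no value, so the image would probably stop being reproducible without any error. The variable is presumably assigned elsewhere in the script, outside this hunk, so confirm that there; a cheap guard is to expand it as `"${SOURCE_DATE_EPOCH:?}"` in the `uuidgen` call. A short comment above the options array, such as `# Reproducible image: fixed hash seed, cleared UUID, faked timestamps`, would also explain `-U clear` and `hash_seed=`. It is worth confirming that the `tune2fs` call that follows, which runs without the fake-time variable, does not rewrite superblock timestamps.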
@@ -229,6 +224,7 @@ _mkairootfs_erofs() {
install -d -m 0755 -- "${isofs_dir}/${install_dir}/${arch}"
local image_path="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
+ rm -f -- "${image_path}"
# Generate reproducible file system UUID from SOURCE_DATE_EPOCH
fsuuid="$(uuidgen --sha1 --namespace 93a870ff-8565-4cf3-a67b-f47299271a96 --name "${SOURCE_DATE_EPOCH}")"
_msg_info "Creating EROFS image, this may take some time..."
@@ -251,15 +247,19 @@ _mkchecksum() {
# GPG sign the root file system image.
_mksignature() {
+ local airootfs_image_filename gpg_options=()
_msg_info "Signing ${arch} rootfs image..."
- cd -- "${isofs_dir}/${install_dir}/${arch}"
- # always use the .sig file extension, as that is what mkinitcpio-parabolaiso's hooks expect
if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
- gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.sfs"
elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
- gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs
- fi
- cd -- "${OLDPWD}"
+ airootfs_image_filename="${isofs_dir}/${install_dir}/${arch}/airootfs.erofs"
+ fi
+ rm -f -- "${airootfs_image_filename}.sig"
+ # Add gpg sender option if the value is provided
+ [[ -z "${gpg_sender}" ]] || gpg_options+=('--sender' "${gpg_sender}")
+ # always use the .sig file extension, as that is what mkinitcpio-archiso's hooks expect
+ gpg --batch --no-armor --no-include-key-block --output "${airootfs_image_filename}.sig" --detach-sign \
+ --default-key "${gpg_key}" "${gpg_options[@]}" "${airootfs_image_filename}"
_msg_info "Done!"
}
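Review bot: When neither `airootfs.sfs` nor `airootfs.erofs` exists, `airootfs_image_filename` is never assigned in `_mksignature`, yet the new code still runs `rm -f` and `gpg --detach-sign` on a path built from it; the old code skipped signing in that case. An explicit branch before the `fi` makes the failure visible, for example `else` followed by `_msg_error "No rootfs image found to sign" 1`. The comment carried over from upstream now names `mkinitcpio-archiso`, while the line it replaces said `mkinitcpio-parabolaiso`; it probably should keep this project's hook name.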
@@ -521,7 +521,7 @@ _make_efibootimg() {
)"
# The FAT image must be created with mkfs.fat not mformat, as some systems have issues with mformat made images:
# https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00099.html
- [[ -e "${work_dir}/efiboot.img" ]] && rm -f -- "${work_dir}/efiboot.img"
+ rm -f -- "${work_dir}/efiboot.img"
_msg_info "Creating FAT image of size: ${imgsize} KiB..."
mkfs.fat -C -n PARAISO_EFI "${work_dir}/efiboot.img" "${imgsize}"
@@ -1128,6 +1128,7 @@ _build_iso_image() {
typeset -f "_add_xorrisofs_options_${bootmode}" &> /dev/null && "_add_xorrisofs_options_${bootmode}"
done
+ rm -f -- "${out_dir}/${image_name}"
_msg_info "Creating ISO image..."
xorriso -as mkisofs \
-iso-level 3 \
@@ -1399,6 +1400,7 @@ _set_overrides() {
install_dir="${app_name}"
fi
[[ ! -v override_gpg_key ]] || gpg_key="$override_gpg_key"
+ [[ ! -v override_gpg_sender ]] || gpg_sender="$override_gpg_sender"
if [[ -v override_cert_list ]]; then
sign_netboot_artifacts="y"
fi
@@ -1416,7 +1418,8 @@ _set_overrides() {
}
_export_gpg_publickey() {
- gpg --batch --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
+ rm -f -- "${work_dir}/pubkey.gpg"
+ gpg --batch --no-armor --output "${work_dir}/pubkey.gpg" --export "${gpg_key}"
}
_make_version() {
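Review bot: `gpg --export "${gpg_key}"` in `_export_gpg_publickey` writes every public key that matches the pattern, whereas signing with `--default-key` uses a single key. A short key ID or user-ID string in `gpg_key` could therefore put more keys into `pubkey.gpg` than the one that signs the image. Where `pubkey.gpg` is consumed is outside this hunk; if it is the key set used to verify the rootfs signature at boot, extra keys widen what the image accepts. Documenting that `-g` expects a full fingerprint would address this, for instance with the comment `# gpg_key should be a full fingerprint; --export writes every matching key` above the export line.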
@@ -1427,7 +1430,7 @@ _make_version() {
rm -f -- "${pacstrap_dir}/version"
printf '%s\n' "${iso_version}" > "${pacstrap_dir}/version"
- if [[ "${buildmode}" == "iso" ]]; then
+ if [[ "${buildmode}" == @("iso"|"netboot") ]]; then
install -d -m 0755 -- "${isofs_dir}/${install_dir}"
# Write version file to ISO 9660
printf '%s\n' "${iso_version}" > "${isofs_dir}/${install_dir}/version"
@@ -1575,7 +1578,7 @@ _build() {
done
}
-while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
+while getopts 'c:p:C:L:P:A:D:w:m:o:g:G:vh?' arg; do
case "${arg}" in
p) read -r -a override_pkg_list <<< "${OPTARG}" ;;
C) override_pacman_conf="${OPTARG}" ;;
@@ -1588,6 +1591,7 @@ while getopts 'c:p:C:L:P:A:D:w:m:o:g:vh?' arg; do
m) read -r -a override_buildmodes <<< "${OPTARG}" ;;
o) override_out_dir="${OPTARG}" ;;
g) override_gpg_key="${OPTARG}" ;;
+ G) override_gpg_sender="${OPTARG}" ;;
v) override_quiet="n" ;;
h|?) _usage 0 ;;
*)