sync with archisov53

Imported: 42cdf86 (HEAD -> master, origin/master, origin/HEAD) Set more generic output for signatures cc735db Force PGP signature file extension 73e3ccd Add ephemeral signing key to CI setup e2cce07 (tag: v53) Add changelog for v53 9dbb600 Add packages for unlocking LUKS2 volumes with systemd 81da518 Add required packages to interact with smartcards 6287f72 Remove docs/README.knownissues. Replaced by issue #83. 76c8030 Remove docs/README.build. Superseded by README.rst a855dd4 Move README.profile.rst to docs/ 6294d1d Update README.profile.rst 5754000 Update README.rst 06c3218 configs/releng/syslinux/: increase serial baud rate to 115200 0406f9c mkarchiso: create reproducible gzip archives a771297 mkarchiso: make sure to remove potentially preexisting files from $airootfs_dir before creating them with output redirection 98c7b67 mkarchiso: append IMAGE_ID and IMAGE_VERSION to /etc/os-release 0ed1c61 Add package count, El Torito EFI image size and initramfs image sizes to GitLab metrics 8bf95d3 Ignore SC3060 in initcpio hook bde3971 Fix shellcheck complains in CI scripts 1a97109 mkarchiso: also add iso name in grub environment block 09b6127 mkarchiso: use -isohybrid-gpt-basdat instead of -appended_part_as_gpt for ISOs that will support BIOS booting Signed-off-by: David P <megver83@parabola.nu>
author: David P <megver83@parabola.nu> 2021-05-01 19:23:57 -0400
committer: David P <megver83@parabola.nu> 2021-05-01 19:23:57 -0400
commit: 79b988553b2707aed9fba21dd53033a7a011af6f (patch)
tree: 222954dc9225424739342ad79e8cf247465d75b2 /parabolaiso/mkparabolaiso
parent: 8d2c3a55a19f73cb9c532037972320ce17dc1529 (diff)
1 files changed, 68 insertions, 22 deletions
diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso
index de48fae..6f04947 100755
--- a/parabolaiso/mkparabolaiso
+++ b/parabolaiso/mkparabolaiso
@@ -94,7 +94,7 @@ usage: ${app_name} [options] <profile_dir>
                       Default: '${iso_label}'
      -P <publisher>   Set the ISO publisher
                       Default: '${iso_publisher}'
-     -g <gpg_key>     Set the GPG key to be used for signing the squashfs image
+     -g <gpg_key>     Set the PGP key ID to be used for signing the rootfs image
      -h               This message
      -o <out_dir>     Set the output directory
                       Default: '${out_dir}'
@@ -154,6 +154,7 @@ _cleanup_airootfs() {
     # Delete package pacman related files.
     find "${work_dir}" \( -name '*.pacnew' -o -name '*.pacsave' -o -name '*.pacorig' \) -delete
     # Create an empty /etc/machine-id
+    rm -f -- "${airootfs_dir}/etc/machine-id"
     printf '' > "${airootfs_dir}/etc/machine-id"
 
     _msg_info "Done!"
@@ -230,12 +231,13 @@ _mkairootfs_erofs() {
 }
 
 _mksignature() {
-    _msg_info "Signing SquashFS image..."
+    _msg_info "Signing ${arch} rootfs image..."
     cd -- "${isofs_dir}/${install_dir}/${arch}"
+    # always use the .sig file extension, as that is what mkinitcpio-parabolaiso's hooks expect
     if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then
-        gpg --detach-sign --default-key "${gpg_key}" airootfs.sfs
+        gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs
     elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then
-        gpg --detach-sign --default-key "${gpg_key}" airootfs.erofs
+        gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs
     fi
     cd -- "${OLDPWD}"
     _msg_info "Done!"
@@ -427,10 +429,10 @@ _make_bootmode_bios.syslinux.mbr() {
     if [[ -e "${isofs_dir}/syslinux/hdt.c32" ]]; then
         install -d -m 0755 -- "${isofs_dir}/syslinux/hdt"
         if [[ -e "${airootfs_dir}/usr/share/hwdata/pci.ids" ]]; then
-            gzip -c -9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \
+            gzip -cn9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \
                 "${isofs_dir}/syslinux/hdt/pciids.gz"
         fi
-        find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -c -9 '{}' ';' -quit > \
+        find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -cn9 '{}' ';' -quit > \
             "${isofs_dir}/syslinux/hdt/modalias.gz"
     fi
 
@@ -814,15 +816,10 @@ _add_xorrisofs_options_bios.syslinux.mbr() {
         '-isohybrid-mbr' "${isofs_dir}/syslinux/isohdpfx.bin"
         # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR
         # bootstrap code area) and mark it as bootable
-        # This violates the UEFI specification, but may allow booting on some systems
+        # May allow booting on some systems
         # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT
         '--mbr-force-bootable'
-        # Set the ISO 9660 partition's type to "Linux filesystem data"
-        # When only MBR is present, the partition type ID will be 0x83 "Linux" as xorriso translates all
-        # GPT partition type GUIDs except for the ESP GUID to MBR type ID 0x83
-        '-iso_mbr_part_type' '0FC63DAF-8483-4772-8E79-3D69D8477DE4'
-        # Move the first partition away from the start of the ISO to match the expectations of partition
-        # editors
+        # Move the first partition away from the start of the ISO to match the expectations of partition editors
         # May allow booting on some systems
         # https://dev.lovelyhq.com/libburnia/libisoburn/src/branch/master/doc/partition_offset.wiki
         '-partition_offset' '16'
@@ -835,12 +832,26 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.esp() {
     # partition will not be mountable
     # shellcheck disable=SC2076
     [[ " ${xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || xorrisofs_options+=('-partition_offset' '16')
-    xorrisofs_options+=(
-        # Attach efiboot.img as a second partition and set its partition type to "EFI system partition"
-        '-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img"
-        # Ensure GPT is used as some systems do not support UEFI booting without it
-        '-appended_part_as_gpt'
-    )
+    # Attach efiboot.img as a second partition and set its partition type to "EFI system partition"
+    xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img")
+    # Ensure GPT is used as some systems do not support UEFI booting without it
+    # shellcheck disable=SC2076
+    if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then
+        # A valid GPT prevents BIOS booting on some systems, instead use an invalid GPT (without a protective MBR).
+        # The attached partition will have the EFI system partition type code in MBR, but in the invalid GPT it will
+        # have a Microsoft basic partition type code.
+        if [[ ! " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.eltorito ' ]]; then
+            # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the
+            # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e',
+            # the appended EFI system partition will have the Microsoft basic data type GUID in GPT.
+            if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then
+                xorrisofs_options+=('-isohybrid-gpt-basdat')
+            fi
+        fi
+    else
+        # Use valid GPT if BIOS booting support will not be required
+        xorrisofs_options+=('-appended_part_as_gpt')
+    fi
 }
 
 # systemd-boot via El Torito
@@ -856,6 +867,15 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.eltorito() {
             # Boot image is not emulating floppy or hard disk; required for all known boot loaders
             '-no-emul-boot'
         )
+        # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead.
+        if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then
+            # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the
+            # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e',
+            # the appended EFI system partition will have the Microsoft basic data type GUID in GPT.
+            if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then
+                xorrisofs_options+=('-isohybrid-gpt-basdat')
+            fi
+        fi
     else
         # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a
         # file inside the ISO 9660 file system
@@ -895,6 +915,15 @@ _add_xorrisofs_options_uefi-x64.refind.eltorito() {
             # Boot image is not emulating floppy or hard disk; required for all known boot loaders
             '-no-emul-boot'
         )
+        # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead.
+        if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then
+            # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the
+            # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e',
+            # the appended EFI system partition will have the Microsoft basic data type GUID in GPT.
+            if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then
+                xorrisofs_options+=('-isohybrid-gpt-basdat')
+            fi
+        fi
     else
         # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a
         # file inside the ISO 9660 file system
@@ -1115,12 +1144,29 @@ _export_gpg_publickey() {
 }
 
 _make_version() {
+    local osrelease
     install -d -m 0755 -- "${isofs_dir}/${install_dir}"
-    _msg_info "Creating ${arch} files with iso version..."
+    _msg_info "Creating files with iso version..."
+    # Write version file to airootfs
+    rm -f -- "${airootfs_dir}/version"
     printf '%s\n' "${iso_version}" > "${airootfs_dir}/version"
+    # Write version file to ISO 9660
     printf '%s\n' "${iso_version}" > "${isofs_dir}/${install_dir}/version"
-    printf '%.1024s' "$(printf '# GRUB Environment Block\nVERSION=%s\n%s' "${iso_version}" \
-        "$(printf '%0.1s' "#"{1..1024})")" > "${isofs_dir}/${install_dir}/grubenv"
+    # Write grubenv with version information to ISO 9660
+    printf '%.1024s' "$(printf '# GRUB Environment Block\nNAME=%s\nVERSION=%s\n%s' \
+        "${iso_name}" "${iso_version}" "$(printf '%0.1s' "#"{1..1024})")" \
+        > "${isofs_dir}/${install_dir}/grubenv"
+    # Append IMAGE_ID & IMAGE_VERSION to os-release
+    osrelease="$(realpath -- "${airootfs_dir}/etc/os-release")"
+    if [[ ! -e "${airootfs_dir}/etc/os-release" && -e "${airootfs_dir}/usr/lib/os-release" ]]; then
+        osrelease="$(realpath -- "${airootfs_dir}/usr/lib/os-release")"
+    fi
+    if [[ "${osrelease}" != "${airootfs_dir}"* ]]; then
+        _msg_warning "os-release file '${osrelease}' is outside of valid path."
+    else
+        [[ ! -e "${osrelease}" ]] || sed -i '/^IMAGE_ID=/d;/^IMAGE_VERSION=/d' "${osrelease}"
+        printf 'IMAGE_ID=%s\nIMAGE_VERSION=%s\n' "${iso_name}" "${iso_version}" >> "${osrelease}"
+    fi
     _msg_info "Done!"
 }
author	David P <megver83@parabola.nu>	2021-05-01 19:23:57 -0400
committer	David P <megver83@parabola.nu>	2021-05-01 19:23:57 -0400
commit	79b988553b2707aed9fba21dd53033a7a011af6f (patch)
tree	222954dc9225424739342ad79e8cf247465d75b2 /parabolaiso/mkparabolaiso
parent	8d2c3a55a19f73cb9c532037972320ce17dc1529 (diff)