author | David P <megver83@parabola.nu> | 2021-05-01 19:23:57 -0400 |
---|---|---|
committer | David P <megver83@parabola.nu> | 2021-05-01 19:23:57 -0400 |
commit | 79b988553b2707aed9fba21dd53033a7a011af6f (patch) | |
tree | 222954dc9225424739342ad79e8cf247465d75b2 /parabolaiso/mkparabolaiso | |
parent | 8d2c3a55a19f73cb9c532037972320ce17dc1529 (diff) |
sync with archisov53
Imported:
42cdf86 (HEAD -> master, origin/master, origin/HEAD) Set more generic output for signatures
cc735db Force PGP signature file extension
73e3ccd Add ephemeral signing key to CI setup
e2cce07 (tag: v53) Add changelog for v53
9dbb600 Add packages for unlocking LUKS2 volumes with systemd
81da518 Add required packages to interact with smartcards
6287f72 Remove docs/README.knownissues. Replaced by issue #83.
76c8030 Remove docs/README.build. Superseded by README.rst
a855dd4 Move README.profile.rst to docs/
6294d1d Update README.profile.rst
5754000 Update README.rst
06c3218 configs/releng/syslinux/: increase serial baud rate to 115200
0406f9c mkarchiso: create reproducible gzip archives
a771297 mkarchiso: make sure to remove potentially preexisting files from $airootfs_dir before creating them with output redirection
98c7b67 mkarchiso: append IMAGE_ID and IMAGE_VERSION to /etc/os-release
0ed1c61 Add package count, El Torito EFI image size and initramfs image sizes to GitLab metrics
8bf95d3 Ignore SC3060 in initcpio hook
bde3971 Fix shellcheck complains in CI scripts
1a97109 mkarchiso: also add iso name in grub environment block
09b6127 mkarchiso: use -isohybrid-gpt-basdat instead of -appended_part_as_gpt for ISOs that will support BIOS booting
Signed-off-by: David P <megver83@parabola.nu>
Diffstat (limited to 'parabolaiso/mkparabolaiso')
-rwxr-xr-x | parabolaiso/mkparabolaiso | 90 |
1 files changed, 68 insertions, 22 deletions
diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso index de48fae..6f04947 100755 --- a/parabolaiso/mkparabolaiso +++ b/parabolaiso/mkparabolaiso @@ -94,7 +94,7 @@ usage: ${app_name} [options] <profile_dir> Default: '${iso_label}' -P <publisher> Set the ISO publisher Default: '${iso_publisher}' - -g <gpg_key> Set the GPG key to be used for signing the squashfs image + -g <gpg_key> Set the PGP key ID to be used for signing the rootfs image -h This message -o <out_dir> Set the output directory Default: '${out_dir}' @@ -154,6 +154,7 @@ _cleanup_airootfs() { # Delete package pacman related files. find "${work_dir}" \( -name '*.pacnew' -o -name '*.pacsave' -o -name '*.pacorig' \) -delete # Create an empty /etc/machine-id + rm -f -- "${airootfs_dir}/etc/machine-id" printf '' > "${airootfs_dir}/etc/machine-id" _msg_info "Done!" @@ -230,12 +231,13 @@ _mkairootfs_erofs() { } _mksignature() { - _msg_info "Signing SquashFS image..." + _msg_info "Signing ${arch} rootfs image..." cd -- "${isofs_dir}/${install_dir}/${arch}" + # always use the .sig file extension, as that is what mkinitcpio-parabolaiso's hooks expect if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then - gpg --detach-sign --default-key "${gpg_key}" airootfs.sfs + gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then - gpg --detach-sign --default-key "${gpg_key}" airootfs.erofs + gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs fi cd -- "${OLDPWD}" _msg_info "Done!" 
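Review bot: The added `rm -f -- "${airootfs_dir}/etc/machine-id"` in `_cleanup_airootfs` has no comment saying why a file that is about to be truncated must be removed first. Presumably the concern is that `>` follows a pre-existing symlink and would write to its target, possibly outside the image tree. A one-line comment such as `# Remove first: redirection would write through a pre-existing symlink` would keep a later cleanup from dropping the line. The same applies to `rm -f -- "${airootfs_dir}/version"` in `_make_version`. `_cleanup_airootfs` starts before this hunk.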
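Review bot: With `--output` fixed to `airootfs.sfs.sig` / `airootfs.erofs.sig`, gpg will ask before overwriting a signature left in the work directory by an earlier run, or fail when it cannot ask, and `_mksignature` does not remove the old file. This commit already puts `rm -f --` in front of other regenerated files; here `rm -f -- airootfs.sfs.sig` (and the erofs equivalent) before signing, plus `--batch` on the gpg call, would keep the build non-interactive. Separately, when neither image exists the `if`/`elif` falls through and the function still logs "Done!", so a build that asked for signing can end without a signature. An `else` branch that reports an error would make that visible.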
@@ -427,10 +429,10 @@ _make_bootmode_bios.syslinux.mbr() { if [[ -e "${isofs_dir}/syslinux/hdt.c32" ]]; then install -d -m 0755 -- "${isofs_dir}/syslinux/hdt" if [[ -e "${airootfs_dir}/usr/share/hwdata/pci.ids" ]]; then - gzip -c -9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \ + gzip -cn9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \ "${isofs_dir}/syslinux/hdt/pciids.gz" fi - find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -c -9 '{}' ';' -quit > \ + find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -cn9 '{}' ';' -quit > \ "${isofs_dir}/syslinux/hdt/modalias.gz" fi @@ -814,15 +816,10 @@ _add_xorrisofs_options_bios.syslinux.mbr() { '-isohybrid-mbr' "${isofs_dir}/syslinux/isohdpfx.bin" # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR # bootstrap code area) and mark it as bootable - # This violates the UEFI specification, but may allow booting on some systems + # May allow booting on some systems # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT '--mbr-force-bootable' - # Set the ISO 9660 partition's type to "Linux filesystem data" - # When only MBR is present, the partition type ID will be 0x83 "Linux" as xorriso translates all - # GPT partition type GUIDs except for the ESP GUID to MBR type ID 0x83 - '-iso_mbr_part_type' '0FC63DAF-8483-4772-8E79-3D69D8477DE4' - # Move the first partition away from the start of the ISO to match the expectations of partition - # editors + # Move the first partition away from the start of the ISO to match the expectations of partition editors # May allow booting on some systems # https://dev.lovelyhq.com/libburnia/libisoburn/src/branch/master/doc/partition_offset.wiki '-partition_offset' '16' 
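Review bot: In the `find … -print -exec gzip -cn9 '{}' ';' -quit >` line, `-print` writes the matched path to the same stdout that is redirected into `modalias.gz`, so the file starts with a plain-text path line ahead of the gzip stream. That predates this change, but since the line is being touched for reproducibility it is worth checking whether `-print` is intended. Dropping it, as in `find … -name 'modules.alias' -exec gzip -cn9 '{}' ';' -quit`, would leave only gzip data in the output. The enclosing function extends beyond the hunk.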
@@ -835,12 +832,26 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.esp() { # partition will not be mountable # shellcheck disable=SC2076 [[ " ${xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || xorrisofs_options+=('-partition_offset' '16') - xorrisofs_options+=( - # Attach efiboot.img as a second partition and set its partition type to "EFI system partition" - '-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img" - # Ensure GPT is used as some systems do not support UEFI booting without it - '-appended_part_as_gpt' - ) + # Attach efiboot.img as a second partition and set its partition type to "EFI system partition" + xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img") + # Ensure GPT is used as some systems do not support UEFI booting without it + # shellcheck disable=SC2076 + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # A valid GPT prevents BIOS booting on some systems, instead use an invalid GPT (without a protective MBR). + # The attached partition will have the EFI system partition type code in MBR, but in the invalid GPT it will + # have a Microsoft basic partition type code. + if [[ ! " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.eltorito ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + xorrisofs_options+=('-isohybrid-gpt-basdat') + fi + fi + else + # Use valid GPT if BIOS booting support will not be required + xorrisofs_options+=('-appended_part_as_gpt') + fi } # systemd-boot via El Torito 
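Review bot: The `-isohybrid-gpt-basdat` guard and its three-line comment are added verbatim here and again in `_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito` and `_add_xorrisofs_options_uefi-x64.refind.eltorito`, so a later fix has to be made in three places. A small helper whose body is `[[ " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]] || xorrisofs_options+=('-isohybrid-gpt-basdat')` would hold the comment once. The comment also says the resulting partition type depends on whether the option lands before or after `-e`, which in turn depends on the order these functions are called in. That order is not visible in the hunk and would be worth stating where the helper is defined.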
@@ -856,6 +867,15 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.eltorito() { # Boot image is not emulating floppy or hard disk; required for all known boot loaders '-no-emul-boot' ) + # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + xorrisofs_options+=('-isohybrid-gpt-basdat') + fi + fi else # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a # file inside the ISO 9660 file system @@ -895,6 +915,15 @@ _add_xorrisofs_options_uefi-x64.refind.eltorito() { # Boot image is not emulating floppy or hard disk; required for all known boot loaders '-no-emul-boot' ) + # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + xorrisofs_options+=('-isohybrid-gpt-basdat') + fi + fi else # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a # file inside the ISO 9660 file system 
@@ -1115,12 +1144,29 @@ _export_gpg_publickey() { } _make_version() { + local osrelease install -d -m 0755 -- "${isofs_dir}/${install_dir}" - _msg_info "Creating ${arch} files with iso version..." + _msg_info "Creating files with iso version..." + # Write version file to airootfs + rm -f -- "${airootfs_dir}/version" printf '%s\n' "${iso_version}" > "${airootfs_dir}/version" + # Write version file to ISO 9660 printf '%s\n' "${iso_version}" > "${isofs_dir}/${install_dir}/version" - printf '%.1024s' "$(printf '# GRUB Environment Block\nVERSION=%s\n%s' "${iso_version}" \ - "$(printf '%0.1s' "#"{1..1024})")" > "${isofs_dir}/${install_dir}/grubenv" + # Write grubenv with version information to ISO 9660 + printf '%.1024s' "$(printf '# GRUB Environment Block\nNAME=%s\nVERSION=%s\n%s' \ + "${iso_name}" "${iso_version}" "$(printf '%0.1s' "#"{1..1024})")" \ + > "${isofs_dir}/${install_dir}/grubenv" + # Append IMAGE_ID & IMAGE_VERSION to os-release + osrelease="$(realpath -- "${airootfs_dir}/etc/os-release")" + if [[ ! -e "${airootfs_dir}/etc/os-release" && -e "${airootfs_dir}/usr/lib/os-release" ]]; then + osrelease="$(realpath -- "${airootfs_dir}/usr/lib/os-release")" + fi + if [[ "${osrelease}" != "${airootfs_dir}"* ]]; then + _msg_warning "os-release file '${osrelease}' is outside of valid path." + else + [[ ! -e "${osrelease}" ]] || sed -i '/^IMAGE_ID=/d;/^IMAGE_VERSION=/d' "${osrelease}" + printf 'IMAGE_ID=%s\nIMAGE_VERSION=%s\n' "${iso_name}" "${iso_version}" >> "${osrelease}" + fi _msg_info "Done!" } |
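Review bot: The containment test `[[ "${osrelease}" != "${airootfs_dir}"* ]]` in `_make_version` is a bare string-prefix match, so a resolved path in a sibling directory whose name merely begins with the airootfs directory name (constructed example: `<work_dir>/airootfs-old/...`) passes it and is then edited by `sed -i` and appended to. Anchoring the prefix on a separator closes that: `if [[ "${osrelease}" != "${airootfs_dir}/"* ]]; then`. The check also compares a `realpath` result against `${airootfs_dir}` as given. If that variable is not already canonical (not visible here), the test would warn on every build, so it may be worth resolving both sides.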