From 9eeead76333efe9ff40d3911a4ca9abe50aef54c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?= Date: Tue, 21 Feb 2017 10:24:25 +0100 Subject: [PATCH] install release keys in a saner way MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit apt actually expects single exported keys in the trusted directory, not keyrings. recent gpg2 versions (like that in Debian Stretch) switch to a different default keyring format which apt does not handle at all, so the old hack will break soon. by changing the key format in this repository from armored exported public key to binary exported public key, which both apt in Debian Jessie and apt in Debian Stretch understand, we can just install those two files directly in the trusted dir. bonus: the package content does not change based on gpg version or configuration anymore. Signed-off-by: Fabian Grünbichler CC: dietmar@proxmox.com CC: w.bumiller@proxmox.com --- Makefile | 7 ++----- proxmox-ve/postinst | 3 +++ proxmox-ve/proxmox-release-4.x.pubkey | Bin 1702 -> 570 bytes proxmox-ve/proxmox-release-5.x.pubkey | Bin 1698 -> 1181 bytes 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index ed7e307..e7edb76 100644 --- a/Makefile +++ b/Makefile @@ -90,10 +90,6 @@ LINUX_TOOLS_DEB=${LINUX_TOOLS_PKG}_${KERNEL_VER}-${PKGREL}_amd64.deb DEBS=${DST_DEB} ${HDR_DEB} ${FW_DEB} ${PVE_DEB} ${VIRTUAL_HDR_DEB} ${LINUX_TOOLS_DEB} -PVE_RELEASE_KEYS= \ - proxmox-ve/proxmox-release-4.x.pubkey \ - proxmox-ve/proxmox-release-5.x.pubkey - all: check_gcc ${DEBS} ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS} @@ -101,7 +97,8 @@ ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst ${PVE_RELEASE_KEYS} mkdir -p proxmox-ve/data/DEBIAN mkdir -p proxmox-ve/data/usr/share/doc/${PVEPKG}/ mkdir -p proxmox-ve/data/etc/apt/trusted.gpg.d - gpg2 --no-default-keyring --keyring ./proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve.gpg --import ${PVE_RELEASE_KEYS} + install -m 0644 proxmox-ve/proxmox-release-4.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-4.x.gpg + install -m 0644 proxmox-ve/proxmox-release-5.x.pubkey proxmox-ve/data/etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg sed -e 's/@KVNAME@/${KVNAME}/' -e 's/@KERNEL_VER@/${KERNEL_VER}/' -e 's/@RELEASE@/${RELEASE}/' -e 's/@PKGREL@/${PKGREL}/' proxmox-ve/data/DEBIAN/control sed -e 's/@KVNAME@/${KVNAME}/' proxmox-ve/data/DEBIAN/postinst chmod 0755 proxmox-ve/data/DEBIAN/postinst diff --git a/proxmox-ve/postinst b/proxmox-ve/postinst index baf3d29..88cd778 100755 --- a/proxmox-ve/postinst +++ b/proxmox-ve/postinst @@ -19,6 +19,9 @@ case "$1" in # cleanup - remove Proxmox Release Key key from /etc/apt/trusted.gpg /usr/bin/apt-key --keyring /etc/apt/trusted.gpg del 9887F95A >/dev/null 2>&1 || /bin/true + # cleanup - remove old stretch-incompatible variant of installing release key + rm -f /etc/apt/trusted.gpg.d/proxmox-ve.gpg /etc/apt/trusted.gpg.d/proxmox-ve.gpg~ + # setup kernel links for installation CD (rescue boot) mkdir -p /boot/pve ln -sf /boot/vmlinuz-@KVNAME@ /boot/pve/vmlinuz diff --git a/proxmox-ve/proxmox-release-4.x.pubkey b/proxmox-ve/proxmox-release-4.x.pubkey index 816a8b8b9167c9438dff3fb14cb919a83d75c143..40416a623ca2dc062f197bd70084f6c79f408a79 100644 GIT binary patch literal 570 zcmV-A0>%BA0ipy+2E)Y>1OT41Lucrrt8P~fescuij(7RHJ{FZX)e=nkm!eMEf!9Wi$pyGWq zEBH#f!9Keh>xxUJmUhj8c2+;J+pBM35w$PDw$M<@dO7QGxqvvl{PV2)8>oIwx8jxFvNm-4wSn0v# z_>1rmaQyWsZU8%?5amp%4<|{sg+K=7s1m+IStVsmW~Q7qQSrI^9oOv2)GiGe0ssuF z08fF6z+v@zwcO6!b~<$aT13!QV-TReb?F}t7h8dX@}y2SU{3@9i%Su>LusA=sK-`% z5Ko0HJPu8tXr?N{>PxMbKol}F#l9}ta>YN80spP|Ki3xiSy2Qk@2;Fjg{PS54J-<# z6{M?BU6bd<55(ZQPQ>J_SqSe}olszYjX>m`PTM%$T^wBs()_|7ROw zdP}Q}&gIM^>=S54v@uX}Z+LBQcpy?`Y-M3{Wgtssc_2J+a&LHTZ+I+>whxuBQF94rST*Y+I19_b^Y^rh-%eVw~Nh|IEn+02jncLt=5*><-hPXr_ IRI;BLwAsV?{r~^~ literal 1702 zcmaKtx31%66oh*|#Vu_RyJ8LoT>Q*Aixk<3lo-UE!_)h&0lRSF(|+B|nVBCyzK;`S z)%tQ|=gYZshRT2GV*JG!Hn0DpKcMhE%~jw1@g;YwBY$n^PvR%_^_y(nZ${Ov$L|o- zx^l&dwY)QTj|2RBMy!s~pRQP+@EJ z3%I7}-?va^{hQu5wW}g;4-dzPbdDEK-}{bfI-}1|xT-R(d?p*`0%q%NjfKo}Bm8ON zoN0bi#9$0Vf?ctOg&+99sAY>i88sLgLnJ|ef4V6%T3{O&yzG3@lhX$>va>`B8Hl%f zX;xkJDRIc#Sp*vRoK+>vn37~%NqbWhVq~3&H9hV7G?|aKmIp3{DzQmEsTWh3(!lDr zi;BRoez^i+twcLCN0;gR^eMR@ZAMOqU9@hJ`_T@=j^1;bgx~{z(B^bE3M2*vFvp#9 zig*HX9#YHevT-G*UJm*6EG~=>zSz3QpzOpWB4nN!JsYxG&iPi~@DG`AvG#SNK1$g2 zZa~~;2ar~WRjoc7qfcRx%ekk?M6j_m=Mlgz$l(Qoh1)~g$mH(2BTZ46M?_s~*Omds zR(kr=UBUvAxjTo=Q^6e6lT@p49ct33ykE}(gV+uhrH6hKu4!(?CaTOcUd_0+FRQy@ zSsHhPF%p+eW_v|*R_{&jaaXkMEu-6;=X@xMjwXIsjVdn9+XqbcFGSCOn5%GSikC}@ z7i)~Mi_@0{$C=)@W(CB#n#RqJ1jMD6X{;sYEIcd-)mRMwIm=WroXY9)fBzk z?fa=flE)iI`^gAqg5k39E!Zx@Rh~A#A=?u1@L(fbl(q#_Z);!%Y>-U}-Hsh5&}_Bg zP*B?#ozRpw!%>&7w^s%;HA7qE}PQh-5#obTlBCng?{# z@lQU{VTx|8E5Jo)_EHSWZzD4yNo2D`8E{ZVWp=8f{BN`%;B1lB#PDs;3_z{q#Y*ih#U}Tr5@ZHY`9pE!Cq= zr%T<2L%kpTZ+~+sBBaCKyE;Ud@K)2&!p{zT(hnlNu?~PlNr+ z>RC~SIE;maRSeFURFQzBcGmbdffnuCi%zRYN~j61)(aB}u?DtyTq+lC&k-LKvuILg zvW@lzX6q=DMtGyns8xO>B_2zOl~{{1C-M*gwFK&4wchjczW*mM6F(Px?gFwq9=%m` zg=(}84r^5Py!Lb<7yxx2PgcUa+k0pfVsSI2yKMnXAjM&X{#^ELhyLCe(Gvb=fc^r5 C=_V-v diff --git a/proxmox-ve/proxmox-release-5.x.pubkey b/proxmox-ve/proxmox-release-5.x.pubkey index e7002c995380140bed423991e6a9e93ca9f55737..8488f4597a19764cefa9f505198cf9cade46a7a7 100644 GIT binary patch literal 1181 zcmV;O1Y-M{0u2OL!^(#N5CFlbWz^cmS$iU3j`tWHxifM%&-CJff@AGol zsH@ILM|Nb@iXiJR!?bucn(rCU?!EmI{EML$~s&c;(5!^@tb|ry{`aO#N9+z^lU6`^U=!f7Tc$! zoJu!T$l!B7y`0~@JAD*={9he%hY3_Mf^*m_n{^#=7AZ`V;vucOl(~YCCW7VZe`h<2?yaA!=_po7;jXswMD!B8Z8z zv~|Y_Wr@@QYUi%aIdM4CyU;e1HqVb+HdJ^)i{)PH%+mr(Dvyg5H|>w4qss@3b=}2B zJVsD78XMLlq!+f)>p@F#6Hg?f4tz~`wNZO%${Xjm>06*^Ldp3*24+}O`)fDgL+eY0 zly<6cva%?+#m{)d>C-*cJO03{B;`!5Q)oB~kK)iFk$rTH+FUqC)t^o&dlK4i?MM<{ z1SU1+FvTC!pxXcu0RRECNlxCFZDnqBAT=&{AW~&) zWnpt=AWLO=AUtq#Z+LBQcr9{eY-M3{Wk7IpZ+LBQcrIgaZ9a(tKLis22mmPs0$0Pz zhXNY|1ql+&0{{mL2?z%R0s#gU2m%QT3j`Jd0|5da0Rk6*0162Z4VoEH;_n6nIz$it zD62qC$c7Ov6A}vxxO3<;ku+a|R)os7jNY@JZ0P1f6_|CzlY;Si>S;2902em#|7NW2>mD{k4seJ&(fq zKbBzToOheFC9lLCveIcBXbe2>4;<$fAUb)={>gB0=oB}<=IWOsdVX6XII*|BN~?M$ zWHpZ-)zgJP<2#`Onrs!pt^LXQD@AhXs*iy{ zGRVl$2mg#JlKI=JbN2)Q^@YYqmVS#jA2w}xrp0`|ERjkM#gJ6>YiM-?0 zaGVG(Nrs}d?IiohfiKng(O8Fh`a?mMW0(T@+itGYCodZ!=xW5$W~QiniSA{$&RDk0 zDO5xvT6p{&cgVhKc5_1n_QDP5TpK`u=3se|ZVQ8}8h6U(82z8})ztXRz)7WwAwxA2 z&KNr8DY^SB8XS6U+M3NBD;MArAN}nLN+un7G|s#2IFOq*#h4IJ1CUQG9M6?lxOwS= v%Kl)1hf;D({;(*NGd#D)wu}8xdg|eIA%q2|pVoL}OgjDN+!-q6Et(MSB{?cK literal 1698 zcmaKtx3a6)7DaQu;^fpVybxX00UPf<0%Zsgc4LGUU;obQs!n^QW6f;Lnt%TM9*`8x z{&5xe$Blrg2|tFE{s7YvjQ`U=NL+rFW*q+dQHIS`es&T;pr_eDev98R2NExWSxF*t ziJ#?HuiHIO)mL}r?c3!X15}+0C&O0mor}Ih)LD{ygvbI9H6yW{0;ArKx(IeQCNWCS z8VN4xKxD-JsI|V5TQVL82}=V`pXUd=Y-16O1CG2HGO>@-Zx$z;A{v*RNNNM69^+`+ zZCmaV4H{ChYSk5gzq0Tqrxpzppgd}46;=Z&HtfpRW}NSg>Qm2-NXJeW>XF7aKVn}} z4^3NE1E{erA5l~bquW!XtmzEp8GjWFg0hU}rHXi-o_|((-G)g&4VwrxTD7qKdA;{=N#f-S z0!j+QZ_tRtX(Oc>`z1LT3R+UPc&jqW)Y0&+Jo`FC$%UdN_Y=^MsFyUrJo(WK;!Y%xL0y zApeHVW&s8 z;R&rjYHKE2`*scR8ktUup_)h?ZJuR0P1dLhOMVlrQ8W>5pe+V6>D+56zp(eM5L+s>Uv zTeh84_qSKd9U_O39?_m`jMEWDUt5jv)3nIBvSRtb78M9kO{P%0MKEP1Rn9SeD zLe8h-d#g4!$IIC&l7r|UT$;)_l6ZA}##^}(=PS-GO{MLsI|O}q+&I?{&Fr8ue!^9E zceM(z7`5fJriPn`E02_^1OzSC?Xy~gc`nUO`A9g-;H+*s3m??gH{>PskuT_3=^jOK zZ_sRbUfvOsM@5YZ`1PQ2o>lpjH-UCO%J4Rry5$DUj0v~34hi;6Ba620I*Ry##%o|r zFy$Uplc+2VhU G&;J027$ndD -- 2.39.2