Improved apt gpg management

Signed-off-by: Tanya Degurechaff <34323200+TanyaEleventhGoddess@users.noreply.github.com>
2020-07-04 15:40:23 +02:00 · 2020-07-04 15:40:23 +02:00 · 52fa9b7360
commit 52fa9b7360
parent 1ba667a771
2 changed files with 51 additions and 21 deletions
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@ -40,6 +40,7 @@ LOCALSTATEDIR="@LOCALSTATEDIR@"
 LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 # Allows the lxc-cache directory to be set by environment variable
 LXC_CACHE_PATH=${LXC_CACHE_PATH:-"$LOCALSTATEDIR/cache/lxc"}
+[ -z "$DOWNLOAD_KEYRING" ] && DOWNLOAD_KEYRING=1

 find_interpreter()
 {
@ -347,18 +348,32 @@ openssh-server

    # If debian-archive-keyring isn't installed, fetch GPG keys directly
    releasekeyring=/usr/share/keyrings/debian-archive-keyring.gpg
-    if [ ! -f $releasekeyring ]; then
-        releasekeyring="$cache/archive-key.gpg"
-        case $release in
-            "wheezy")
-                gpgkeyname="archive-key-7.0"
-                ;;
-            *)
-                gpgkeyname="archive-key-8"
-                ;;
-        esac
-        wget https://ftp-master.debian.org/keys/${gpgkeyname}.asc -O - --quiet \
-            | gpg --import --no-default-keyring --keyring="${releasekeyring}"
+    lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
+    if [ -f "$releasekeyring" ]; then
+        apt_gpg_opt="--keyring=${releasekeyring}"
+    elif [ -f "$lreleasekeyring" ]; then
+        apt_gpg_opt="--keyring=${lreleasekeyring}"
+    elif [ "$DOWNLOAD_KEYRING" = 1 ]; then 
+        [ ! -d "/etc/apt/trusted.gpg.d" ] && lreleasekeyring="$cache/archive-key.gpg"
+        if [[ "$(id -u)" == "0" ]]; then
+            case $release in
+                "wheezy")
+                    gpgkeyname="archive-key-7.0"
+                    ;;
+                *)
+                    gpgkeyname="archive-key-8"
+                    ;;
+            esac
+            wget https://ftp-master.debian.org/keys/${gpgkeyname}.asc -O - --quiet \
+                | gpg --import --no-default-keyring --keyring="${lreleasekeyring}"
+            apt_gpg_opt="--keyring=${lreleasekeyring}"
+        else
+           echo "Must be root (sudo) to save $lreleasekeyring"
+        fi
+    fi
+    if [ -z "$apt_gpg_opt" ]; then
+        echo "WARNING: No GPG check"
+        apt_gpg_opt='--no-check-gpg'
    fi
    # check the mini debian was not already downloaded
    try_mksubvolume "$cache/partial-$release-$arch"
@ -371,7 +386,7 @@ openssh-server
    echo "Downloading debian minimal ..."
    if [ "$interpreter" = "" ] ; then
        debootstrap --verbose --variant=minbase --arch="$arch" \
-            --include=$packages --keyring="${releasekeyring}" \
+            --include=$packages "${apt_gpg_opt}" \
            "$release" "$cache/partial-$release-$arch" "$MIRROR"
        if [ $? -ne 0 ]; then
            echo "Failed to download the rootfs, aborting."
@ -379,7 +394,7 @@ openssh-server
        fi
    else
        debootstrap --foreign --verbose --variant=minbase --arch="$arch" \
-            --include=$packages --keyring="${releasekeyring}" \
+            --include=$packages "${apt_gpg_opt}" \
            "$release" "$cache/partial-$release-$arch" "$MIRROR"
        if [ $? -ne 0 ]; then
            echo "Failed to download the rootfs, aborting."
--- a/templates/lxc-kali.in
+++ b/templates/lxc-kali.in
@ -41,6 +41,7 @@ LOCALSTATEDIR="@LOCALSTATEDIR@"
 LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 # Allows the lxc-cache directory to be set by environment variable
 LXC_CACHE_PATH=${LXC_CACHE_PATH:-"$LOCALSTATEDIR/cache/lxc"}
+[ -z "$DOWNLOAD_KEYRING" ] && DOWNLOAD_KEYRING=1

 find_interpreter()
 {
@ -330,11 +331,25 @@ kali-archive-keyring

    # If kali-archive-keyring isn't installed, fetch GPG keys directly
    releasekeyring=/usr/share/keyrings/kali-archive-keyring.gpg
-    if [ ! -f $releasekeyring ]; then
-        releasekeyring="$cache/archive-key.gpg"
-        gpgkeyname="archive-key"
-        wget https://archive.kali.org/${gpgkeyname}.asc -O - --quiet \
-            | gpg --import --no-default-keyring --keyring="${releasekeyring}"
+    lreleasekeyring=/etc/apt/trusted.gpg.d/kali-archive-keyring.gpg
+    if [ -f "$releasekeyring" ]; then
+        apt_gpg_opt="--keyring=${releasekeyring}"
+    elif [ -f "$lreleasekeyring" ]; then
+        apt_gpg_opt="--keyring=${lreleasekeyring}"
+    elif [ "$DOWNLOAD_KEYRING" = 1 ]; then 
+        [ ! -d "/etc/apt/trusted.gpg.d" ] && lreleasekeyring="$cache/archive-key.gpg"
+        if [[ "$(id -u)" == "0" ]]; then
+            gpgkeyname="archive-key"
+            wget https://archive.kali.org/${gpgkeyname}.asc -O - --quiet \
+                | gpg --import --no-default-keyring --keyring="${lreleasekeyring}"
+            apt_gpg_opt="--keyring=${lreleasekeyring}"
+        else
+           echo "Must be root (sudo) to save $lreleasekeyring"
+        fi
+    fi
+    if [ -z "$apt_gpg_opt" ]; then
+        echo "WARNING: No GPG check"
+        apt_gpg_opt='--no-check-gpg'
    fi
    # check the mini kali was not already downloaded
    try_mksubvolume "$cache/partial-$release-$arch"
@ -347,7 +362,7 @@ kali-archive-keyring
    echo "Downloading kali minimal ..."
    if [ "$interpreter" = "" ] ; then
        debootstrap --verbose --variant=minbase --arch="$arch" \
-            --include=$packages --keyring="${releasekeyring}" \
+            --include=$packages "${apt_gpg_opt}" \
            "$release" "$cache/partial-$release-$arch" "$MIRROR"
        if [ $? -ne 0 ]; then
            echo "Failed to download the rootfs, aborting."
@ -355,7 +370,7 @@ kali-archive-keyring
        fi
    else
        debootstrap --foreign --verbose --variant=minbase --arch="$arch" \
-            --include=$packages --keyring="${releasekeyring}" \
+            --include=$packages "${apt_gpg_opt}" \
            "$release" "$cache/partial-$release-$arch" "$MIRROR"
        if [ $? -ne 0 ]; then
            echo "Failed to download the rootfs, aborting."