From eebcd76feb474a15d82896cde9096e5884899018 Mon Sep 17 00:00:00 2001
From: Antonio Terceiro
Date: Sun, 10 Apr 2022 06:20:00 -0300
Subject: [PATCH] lxc-debian: allow using a custom keyring

This makes it possible to create containers for unofficial architectures such as the ones on ports.debian.org, by specifying a custom mirror and its associated keyring.

Signed-off-by: Antonio Terceiro
---
 templates/lxc-debian.in | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in
index 50aa787..d98af0b 100644
--- a/templates/lxc-debian.in
+++ b/templates/lxc-debian.in
@@ -42,6 +42,8 @@ LOCALSTATEDIR="@LOCALSTATEDIR@"
 LXC_TEMPLATE_CONFIG="@LXCTEMPLATECONFIG@"
 # Allows the lxc-cache directory to be set by environment variable
 LXC_CACHE_PATH=${LXC_CACHE_PATH:-"$LOCALSTATEDIR/cache/lxc"}
+DEBIAN_ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
+KEYRING=${KEYRING:-${DEBIAN_ARCHIVE_KEYRING}}
 DOWNLOAD_KEYRING=${DOWNLOAD_KEYRING:-1}

 find_interpreter()
@@ -387,13 +389,13 @@ apt-transport-https
 mkdir -p "$cache"

 # If debian-archive-keyring isn't installed, fetch GPG keys directly
- releasekeyring=/usr/share/keyrings/debian-archive-keyring.gpg
+ releasekeyring=${KEYRING}
 lreleasekeyring=/etc/apt/trusted.gpg.d/debian-archive-$release-stable.gpg
 if [ -f "$releasekeyring" ]; then
 apt_gpg_opt="--keyring=${releasekeyring}"
 elif [ -f "$lreleasekeyring" ]; then
 apt_gpg_opt="--keyring=${lreleasekeyring}"
- elif [ "$DOWNLOAD_KEYRING" = 1 ]; then
+ elif [ ${releasekeyring}" = "${DEBIAN_ARCHIVE_KEYRING} -a "$DOWNLOAD_KEYRING" = 1 ]; then
 [ ! -d "/etc/apt/trusted.gpg.d" ] && lreleasekeyring="$cache/archive-key.gpg"
 if [[ "$(id -u)" == "0" ]]; then
 case $release in
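Review bot: The added `elif` test has its quotes in the wrong place: `${releasekeyring}" = "${DEBIAN_ARCHIVE_KEYRING}` quotes only the ` = ` in the middle, so `[` receives one non-empty word instead of a string comparison and the keyring check never restricts the branch. With a custom keyring path that does not exist, the key-download branch (its body continues outside this hunk) is still entered and the bootstrap would not be authenticated against the keyring the user asked for. The line should read `elif [ "${releasekeyring}" = "${DEBIAN_ARCHIVE_KEYRING}" ] && [ "$DOWNLOAD_KEYRING" = 1 ]; then`. Separately, when KEYRING is not the default and the file is missing, the chain still tries `$lreleasekeyring` and then whatever the final branch does; since the keyring is the trust anchor for the whole rootfs, it would be safer to stop with an error before the chain than to fall back silently.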
@@ -660,6 +662,7 @@ Template specific options can be passed to lxc-create after a '--' like this: Usage: $1 -h|--help -p|--path= [-c|--clean] [-a|--arch=] [-r|--release=] [--mirror=] [--security-mirror=] + [--keyring=] [--package=] [-I|--interpreter-path=] [-F | --flush-cache] [-S|--auth-key=] @@ -675,6 +678,8 @@ Options : Defaults to current stable. --mirror=MIRROR Debian mirror to use during installation. Overrides the MIRROR environment variable (see below). + --keyring=KEYRING GPG keyring to authenticate the repository against. + Overrides the KEYRING environment variable (see below). --security-mirror=SECURITY_MIRROR Debian mirror to use for security updates. Overrides the SECURITY_MIRROR environment variable (see below). @@ -692,6 +697,7 @@ Environment variables: Defaults to '$MIRROR' SECURITY_MIRROR The Debian package security mirror to use. See also the --security-mirror switch above. Defaults to '$SECURITY_MIRROR' + KEYRING Defaults to '$DEBIAN_ARCHIVE_KEYRING' DOWNLOAD_KEYRING Sets whether to download keyring when missing or ignore keyring checks Defaults to 1 @@ -699,7 +705,7 @@ EOF return 0 } -options=$(getopt -o hp:n:a:r:cI:FS: -l arch:,auth-key:,clean,help,enable-non-free,mirror:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path:,flush-cache -- "$@") +options=$(getopt -o hp:n:a:r:cI:FS: -l arch:,auth-key:,clean,help,enable-non-free,mirror:keyring:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path:,flush-cache -- "$@") if [ $? -ne 0 ]; then usage "$(basename "$0")" exit 1 @@ -743,6 +749,7 @@ do -c|--clean) clean=1; shift 1;; --enable-non-free) mainonly=0; shift 1;; --mirror) MIRROR=$2; shift 2;; + --keyring) KEYRING=$2; shift 2;; -n|--name) name=$2; shift 2;; --packages) packages=$2; shift 2;; -p|--path) path=$2; shift 2;;
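Review bot: In the `options=$(getopt …)` line the long-option list reads `mirror:keyring:,` with no comma between the two names, so getopt is given a single option named `mirror:keyring` and `--keyring` is rejected as unknown before the new `--keyring) KEYRING=$2; shift 2;;` arm in the last hunk can run. `--mirror` is probably affected as well, because it no longer has an entry of its own that matches the `--mirror)` arm. The list should read `mirror:,keyring:,`. As written, only the KEYRING environment variable can select a custom keyring, which contradicts the new usage text.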