Mailinglist Archive: opensuse-buildservice (273 mails)

[opensuse-buildservice] Patch to bs_publish to make secure apt repository
  • From: Carsten Hoeger <choeger@xxxxxxxxxxxx>
  • Date: Wed, 14 Jan 2009 15:43:05 +0100
  • Message-id: <20090114144305.GB4186@xxxxxxxxxxxx>
Hi,

now that I have signing up and running for RPM, I also need to have
a signed apt repo. How that works can be read at
http://wiki.debian.org/SecureApt

I created a patch to bs_publish to generate a Release and a Release.gpg file,
which are needed to secure apt.

Patch is attached.
It would be nice if that patch were included in the next release.


--
With best regards,

Carsten Hoeger
--- bs_publish.orig 2009-01-14 10:50:16.000000000 +0100
+++ bs_publish 2009-01-14 15:08:08.000000000 +0100
@@ -398,6 +398,10 @@

unlink("$extrep/Packages");
unlink("$extrep/Packages.gz");
+ unlink("$extrep/Release");
+ unlink("$extrep/Release.gpg");
+
+
print " running dpkg-scanpackages\n";
qsystem('chdir', $extrep, 'stdout', 'Packages.new', 'dpkg-scanpackages',
'.', '/dev/null') && print " apt-ftparchive failed: $?\n";
if (-f "$extrep/Packages.new") {
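Review bot: the two added unlink() calls at the top of this hunk delete Release and Release.gpg before dpkg-scanpackages has even run, so the published directory carries no signed index for the whole rebuild, and it stays that way if any later step fails or dies. The context lines already write Packages.new and only move it into place once it exists; generating the new Release and its signature under temporary names and rename()ing them over the old files at the end would close that gap, and the old files would then not need to be unlinked here at all.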
@@ -406,6 +410,43 @@
unlink("$extrep/Packages");
rename("$extrep/Packages.new", "$extrep/Packages");
}
+
+ my $date = POSIX::ctime(time());
+ $date =~ s/\n//m;
+ my $str = <<"EOL";
+Origin: openSUSE Build Service $projid $repoid
+Label: $repoinfo->{'title'}
+Version: 0.00
+Date: $date
+Description: openSUSE Build Service $projid $repoid
+MD5Sum:
+EOL
+
+ open(OUT,">$extrep/Release") || die("$extrep/Release: $!\n");
+ print OUT $str;
+ close(OUT) || die("close: $!\n");
+
+ open(OUT,">>$extrep/Release") || die("$extrep/Release: $!\n");
+ foreach my $f ( "Release", "Packages", "Packages.gz" ) {
+
+ open(FILE,"<$extrep/$f") || die;
+ my @all = <FILE>;
+ close(FILE);
+ my $md5 = Digest::MD5::md5_hex(join("",@all));
+ my $size = (stat("$extrep/$f"))[7];
+ print OUT " $md5 $size $f\n";
+
+ }
+ close(OUT) || die("close: $!\n");
+
+ # re-sign changed Release file
+ if ($BSConfig::sign && -e "$extrep/Release") {
+ my @signargs;
+ push @signargs, '--project', $projid if $BSConfig::sign_project;
+ push @signargs, @$signargs;
+ qsystem($BSConfig::sign, @signargs, '-d', "$extrep/Release") && print("
sign failed: $?\n");
+ rename("$extrep/Release.asc","$extrep/Release.gpg");
+ }
}

sub deleterepo_debian {
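Review bot: the list in `foreach my $f ( "Release", "Packages", "Packages.gz" )` includes Release itself, so the file records the MD5 and size of its own header as it stood before the checksum lines were appended; that entry can never match the finished file and should be dropped, leaving only Packages and Packages.gz. In the signing block, a failure only prints "sign failed" and the rename of Release.asc to Release.gpg runs unconditionally with its result ignored, so a failed signature leaves an unsigned Release published with no error raised; check both results and remove Release (or abort the publish) when signing fails. The bare `|| die` on the FILE open also gives no path or $! in its message, unlike the other opens in this hunk, and MD5Sum is the only checksum section written, so a SHA256 section alongside it would be worth adding.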