Commit c7cda473 authored by Pierre Schmitz's avatar Pierre Schmitz

Enable signature checking within build environment

* bind /sys and /dev/pts from host
* drop support for devtmpfs as it is no longer needed
* add /run and /dev/rtc0
* clone own ipc, uts and mount namespaces for chroot
* set localtime, timezone and locale within chroot environment
* copy /etc/pacman.d/gnupg from host
parent 41b39c3e
+0 −4
@@ -258,15 +258,11 @@ nobody ALL = NOPASSWD: /usr/bin/pacman
EOF
chmod 440 "$copydir/etc/sudoers.d/nobody-pacman"

# Set this system wide as makepkg will source /etc/profile before calling build()
echo 'LANG=C' > "$copydir/etc/locale.conf"

# This is a little gross, but this way the script is recreated every time in the
# working copy
cat >"$copydir/chrootbuild" <<EOF
#!/bin/bash
. /etc/profile
export LANG=C
export HOME=/build

cd /build
+32 −26
@@ -30,7 +30,6 @@ usage() {
	echo '    -M <file>     Location of a makepkg config file'
	echo '    -n            Do not copy config files into the chroot'
	echo '    -c <dir>      Set pacman cache. Default: /var/cache/pacman/pkg'
	echo '    -d            Use devtmpfs instead of minimal /dev (tmpfs)'
	echo '    -h            This message'
	exit 1
}
@@ -87,16 +86,16 @@ fi
# {{{ functions
chroot_mount() {
	[[ -e "${working_dir}/sys" ]] || mkdir "${working_dir}/sys"
	mount -t sysfs sysfs "${working_dir}/sys"
	mount -o bind /sys "${working_dir}/sys"
	mount -o remount,ro,bind "${working_dir}/sys"

	[[ -e "${working_dir}/proc" ]] || mkdir "${working_dir}/proc"
	mount -t proc proc "${working_dir}/proc"
	mount -t proc proc -o nosuid,noexec,nodev "${working_dir}/proc"
	mount -o bind /proc/sys "${working_dir}/proc/sys"
	mount -o remount,ro,bind "${working_dir}/proc/sys"

	[[ -e "${working_dir}/dev" ]] || mkdir "${working_dir}/dev"
	if [[ ${USE_DEVTMPFS} = "y" ]]; then
		mount -t devtmpfs dev "${working_dir}/dev" -o mode=0755,nosuid
	else
		mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid
	mount -t tmpfs dev "${working_dir}/dev" -o mode=0755,size=10M,nosuid,strictatime
	mknod -m 666 "${working_dir}/dev/null" c 1 3
	mknod -m 666 "${working_dir}/dev/zero" c 1 5
	mknod -m 600 "${working_dir}/dev/console" c 5 1
@@ -106,19 +105,21 @@ chroot_mount() {
	mknod -m 666 "${working_dir}/dev/ptmx" c 5 2
	mknod -m 666 "${working_dir}/dev/tty0" c 4 0
	mknod -m 666 "${working_dir}/dev/full" c 1 7
	mknod -m 666 "${working_dir}/dev/rtc0" c 254 0
	ln -s /proc/kcore "${working_dir}/dev/core"
	ln -s /proc/self/fd "${working_dir}/dev/fd"
	ln -s /proc/self/fd/0 "${working_dir}/dev/stdin"
	ln -s /proc/self/fd/1 "${working_dir}/dev/stdout"
	ln -s /proc/self/fd/2 "${working_dir}/dev/stderr"
	fi

	[[ -e "${working_dir}/dev/shm" ]] || mkdir "${working_dir}/dev/shm"
	mount -t tmpfs shm "${working_dir}/dev/shm" -o nodev,nosuid,size=128M

	[[ -e "${working_dir}/dev/pts" ]] || mkdir "${working_dir}/dev/pts"
	mount -t devpts devpts "${working_dir}/dev/pts" -o newinstance,ptmxmode=666
	mount -o bind "${working_dir}/dev/pts/ptmx" "${working_dir}/dev/ptmx"
	mount -o bind /dev/pts "${working_dir}/dev/pts"

	[[ -e "${working_dir}/run" ]] || mkdir "${working_dir}/run"
	mount -t tmpfs tmpfs "${working_dir}/run" -o nodev,nosuid,strictatime,size=64M

	[[ -e $cache_dir ]] || mkdir -p "${cache_dir}"
	[[ -e "${working_dir}/${cache_dir}" ]] || mkdir -p "${working_dir}/${cache_dir}"
@@ -135,6 +136,7 @@ chroot_mount() {

copy_hostconf () {
	cp /etc/resolv.conf "${working_dir}/etc/resolv.conf"
	cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d"
	echo "Server = ${host_mirror}" > ${working_dir}/etc/pacman.d/mirrorlist

	if [[ -n $pac_conf && $NOCOPY = 'n' ]]; then
@@ -147,12 +149,13 @@ copy_hostconf () {
}

chroot_umount () {
	umount "${working_dir}/proc/sys"
	umount "${working_dir}/proc"
	umount "${working_dir}/sys"
	umount "${working_dir}/dev/ptmx"
	umount "${working_dir}/dev/pts"
	umount "${working_dir}/dev/shm"
	umount "${working_dir}/dev"
	umount "${working_dir}/run"
	umount "${working_dir}/${cache_dir}"
	[[ -n $host_mirror_path ]] && umount "${working_dir}/${host_mirror_path}"
}
@@ -184,7 +187,7 @@ if [[ -n $RUN ]]; then
	chroot_mount
	copy_hostconf

	eval chroot "${working_dir}" ${RUN}
	eval unshare -mui -- chroot "${working_dir}" ${RUN}

	# }}}
else
@@ -226,6 +229,9 @@ else
		sed -i 's@^#\(en_US\|de_DE\)\(\.UTF-8\)@\1\2@' "${working_dir}/etc/locale.gen"
		chroot "${working_dir}" /usr/sbin/locale-gen
	fi
	echo 'UTC' > "${working_dir}/etc/timezone"
	ln -s /usr/share/zoneinfo/UTC "${working_dir}/etc/localtime"
	echo 'LANG=C' > "${working_dir}/etc/locale.conf"

	copy_hostconf
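Review bot: The `cp -a /etc/pacman.d/gnupg "${working_dir}/etc/pacman.d"` line added to copy_hostconf copies the host's entire pacman keyring directory, which also holds the private half of the host's local master signing key, into an environment where untrusted build code runs; package verification needs only the public keyring and trust database, so the copy should be narrowed to those once it is confirmed that pacman reads nothing else from that directory. On every run after the first the destination already exists, and `cp -a` then merges into it instead of replacing it, so keys revoked or removed on the host keep being trusted inside the chroot; clearing the stale copy first, `rm -rf -- "${working_dir:?}/etc/pacman.d/gnupg"` immediately before the `cp -a` line, keeps the chroot's trust state identical to the host's. The copy also has no failure check, and whether the script runs under `set -e` is not visible in this diff; a silent failure would leave signature checking enabled with no keys at all, surfacing later as an unexplained install failure. copy_hostconf's body continues outside the hunk.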

+5 −3
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.

# Signature checking does not work within our chroot
SigLevel = Never

#
# REPOSITORIES
#   - can be defined here or included from another file
@@ -72,18 +69,23 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.

#[testing]
#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

#[community-testing]
#SigLevel = PackageRequired
#Include = /etc/pacman.d/mirrorlist

[community]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository.  See the pacman manpage for
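Review bot: Removing `SigLevel = Never` from the `[options]` block (the dropped lines at the top of this section) without a replacement there leaves the file with no stated global level; each repository listed here gets `SigLevel = PackageRequired`, but the custom-repository example further down (outside the hunk) and any section added later without its own line fall back to pacman's built-in default, which a reader of this file cannot see. `PackageRequired` also governs package signatures only, so database signatures remain at that unstated default. Keeping an explicit line under `[options]`, `SigLevel = PackageRequired`, together with a comment such as `# Keys are copied from the host keyring by mkarchroot` records the intended policy in one place. The same applies to the other two pacman.conf variants changed in this commit.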
+6 −3
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.

# Signature checking does not work within our chroot
SigLevel = Never

#
# REPOSITORIES
#   - can be defined here or included from another file
@@ -72,21 +69,27 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.

[gnome-unstable]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[testing]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[community-testing]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[community]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository.  See the pacman manpage for
+6 −3
@@ -45,9 +45,6 @@ Architecture = auto
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.

# Signature checking does not work within our chroot
SigLevel = Never

#
# REPOSITORIES
#   - can be defined here or included from another file
@@ -72,21 +69,27 @@ SigLevel = Never
# after the header, and they will be used before the default mirrors.

[kde-unstable]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[testing]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[core]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[extra]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[community-testing]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

[community]
SigLevel = PackageRequired
Include = /etc/pacman.d/mirrorlist

# An example of a custom package repository.  See the pacman manpage for