particle-os/debian-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
No description
1912 commits 2 branches 0 tags 60 MiB
Find a file
Tomas Hozza 3dea4b934c stages/rpm: don't verify signatures during install 
If instructed, the rpm stage checks all digests and signatures of a package
explicitly using `rpmkeys` tool. The default stage behavior is that no
package signatures are checked when installed by the stage (not even
explicitly).

For these reasons, the package signature checking is supposed to be
disabled when installing rpm packages. This was achieved by passing the
`--define "_pkgverify_level none"` option to rpm. However this option
specifies only requirements for a package to be installed and `none`
means that packages without any signature are accepted by rpm. If the
package signature is deemed BAD, the package installation fails even
though this option has been passed to rpm.

There are valid cases when even packages which signature marked as BAD
should be installed. It may happen, that the GPG key used to sign a
package uses an algorithm not allowed by the system crypto policy, e.g.
SHA1. If such GPG key is imported on the system and a package signed
using it is being installed, its installation would fail when the
package is read by rpm. This is because its signatures are by default
checked if they exist in the package.

The desired behavior to not check any package signatures when installing
a package is instead achieved by using `--nosignature` rpm option. It
turns off the whole signature checking mechanism.

Use the `--nosignature` rpm option instead of
`--define "_pkgverify_level none"`, when installing packages using rpm.

Fix https://github.com/osbuild/osbuild/issues/991
2022-03-22 18:41:12 +01:00
.devcontainer devcontainer: include packit, boto3 & more tools 2021-08-17 10:42:03 +02:00
.github ci: add test_executable to test matrix 2022-02-15 13:25:23 +00:00
assemblers Fix type orci-archive/oci-archive 2022-02-14 14:15:19 +01:00
data devices: add custom udev rule inhibitor mechanism 2021-12-09 00:44:21 +00:00
devices devices/lvm2.lv: separate stdout and stderr 2022-03-04 08:42:35 +01:00
docs docs: add --export option to the osbuild man page 2021-07-14 14:35:30 +02:00
inputs inputs/org.osbuild.containers: Drop format and file options 2022-02-10 14:43:17 +01:00
mounts mounts/ostree.deployment: initialize fields 2021-12-03 17:09:33 +00:00
osbuild util/selinux: add setfilecon method 2022-03-18 20:36:10 +01:00
runners runners: add org.osbuild.fedora37 2022-03-03 10:40:47 +01:00
schemas v2: Add source-epoch key in pipeline declaration and pass to buildroot 2022-02-09 09:58:49 +01:00
schutzbot ci/deploy: use public EPEL-9 2022-03-02 16:59:11 +01:00
selinux docs: document osbuild and selinux integration 2021-10-01 11:02:32 +02:00
sources sources/curl: don't limit total download time 2022-03-16 14:48:03 +01:00
stages stages/rpm: don't verify signatures during install 2022-03-22 18:41:12 +01:00
test util/selinux: add setfilecon method 2022-03-18 20:36:10 +01:00
tools osbuild-mpp: Support mpp-resolve-image for container images 2022-02-10 14:43:17 +01:00
.editorconfig editorconfig: include markdown specifications 2020-10-23 16:29:50 +02:00
.gitignore gitignore: Ignore generated man pages 2021-11-26 19:39:42 +00:00
.gitlab-ci.yml rpmbuild: run on centos-9 2022-02-22 18:05:51 +00:00
.packit.yaml Packit: build SRPMs in Copr 2022-03-09 13:38:29 +00:00
.travis.yml ci: move test_boot to github-actions 2020-05-13 22:00:27 +02:00
LICENSE Revert "Fill in the license template" 2019-11-18 12:23:10 +01:00
Makefile make: require clean git for make make 2021-12-08 14:22:12 +01:00
osbuild.spec Post release version bump 2022-03-04 15:49:16 +00:00
README.md Add support for installing containers in images 2022-02-10 14:43:17 +01:00
requirements.txt Makefile: use pytest for nicer output 2020-12-04 18:24:48 +01:00
samples samples: replace with symlink to test data 2021-07-12 18:44:50 +02:00
setup.cfg setup: disable new pylint warnings 2021-11-19 00:19:05 +00:00
setup.py Post release version bump 2022-03-04 15:49:16 +00:00

README.md

OSBuild

Build-Pipelines for Operating System Artifacts

OSBuild is a pipeline-based build system for operating system artifacts. It defines a universal pipeline description and a build system to execute them, producing artifacts like operating system images, working towards an image build pipeline that is more comprehensible, reproducible, and extendable.

See the osbuild(1) man-page for details on how to run osbuild, the definition of the pipeline description, and more.

Project

Contributing

Please refer to the developer guide to learn about our workflow, code style and more.

Requirements

The requirements for this project are:

  • bubblewrap >= 0.4.0
  • python >= 3.7

Additionally, the built-in stages require:

  • bash >= 5.0
  • coreutils >= 8.31
  • curl >= 7.68
  • qemu-img >= 4.2.0
  • rpm >= 4.15
  • tar >= 1.32
  • util-linux >= 235
  • skopeo

At build-time, the following software is required:

  • python-docutils >= 0.13
  • pkg-config >= 0.29

Testing requires additional software:

  • pytest

Install

Installing osbuild requires to not only install the osbuild module, but also additional artifacts such as tools (i.e: osbuild-mpp) sources, stages, schemas and SELinux policies.

For this reason, doing an installation from source is not trivial and the easier way to install it is to create the set of RPMs that contain all these components.

This can be done with the rpm make target, i.e:

make rpm

A set of RPMs will be created in the ./rpmbuild/RPMS/noarch/ directory and can be installed in the system using the distribution package manager, i.e:

sudo dnf install ./rpmbuild/RPMS/noarch/*.rpm

Repository:

License:

  • Apache-2.0
  • See LICENSE file for details.