debian-forge/sources/org.osbuild.ostree
Christian Kellner e1b2803ae0 sources/ostree: support gpg verification
Add a new `gpgkeys` option that, if set, must contain a list of
public keys. These keys will then be used by ostree to verify
signed commits when pulling from the remote. If the `gpgkeys`
option is missing, no verification will be attempted.
2020-04-15 15:39:45 +02:00


#!/usr/bin/python3
import json
import os
import sys
import subprocess
import uuid
def ostree(*args, _input=None, **kwargs):
    """Run the ``ostree`` CLI and raise on failure.

    Positional ``args`` are passed through verbatim; every ``kwargs`` entry
    becomes a long option of the form ``--key=value`` (e.g. ``repo=path``).
    ``_input`` is fed to the process on stdin (the file uses this for GPG key
    material so it never appears on the command line). The command line is
    echoed to stderr and the child's stdout is redirected to stderr as well,
    so this script's own stdout stays free for the JSON result.

    Raises subprocess.CalledProcessError when ostree exits non-zero.
    """
    cmdline = ["ostree", *args]
    for name, value in kwargs.items():
        cmdline.append(f"--{name}={value}")

    # Echo the exact invocation (without the "ostree" prefix duplicated)
    # so failures can be reproduced from the build log.
    print("ostree " + " ".join(cmdline[1:]), file=sys.stderr)

    subprocess.run(cmdline,
                   encoding="utf-8",
                   stdout=sys.stderr,
                   input=_input,
                   check=True)
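def main(options, checksums, cache, output):
    """Fetch the requested ostree commits into the output repository.

    For each checksum in ``checksums`` the matching entry of
    ``options["commits"]`` names a remote (``url`` plus an optional
    ``gpgkeys`` list of public keys). A throw-away remote with a random
    name is registered in the cache repo, the commit is pulled from it into
    the cache, then copied into the output repo with ``pull-local``, and
    the temporary remote is removed again.

    GPG verification: when ``gpgkeys`` is non-empty, each key is imported
    for the temporary remote and the pull runs with ostree's signature
    verification left enabled; only when no keys are configured is
    ``--no-gpg-verify`` passed. (The previous version also passed
    ``--no-gpg-verify`` unconditionally on ``remote add``, which disabled
    verification even when keys were supplied, so the ``gpgkeys`` option
    had no effect.)

    Always writes ``{}`` as JSON to stdout and returns 0. A failing ostree
    invocation raises subprocess.CalledProcessError; the temporary remote
    is still deleted in that case.
    """
    commits = options["commits"]

    os.makedirs(output, exist_ok=True)
    os.makedirs(cache, exist_ok=True)

    # Prepare the cache and the output repo
    repo_cache = os.path.join(cache, "repo")
    ostree("init", mode="archive", repo=repo_cache)

    repo_out = os.path.join(output, "repo")
    ostree("init", mode="archive", repo=repo_out)

    for commit in checksums:
        remote = commits[commit]["remote"]
        url = remote["url"]
        gpg = remote.get("gpgkeys", [])
        uid = str(uuid.uuid4())

        # Disable signature verification ONLY when no keys were supplied.
        # Do not add --no-gpg-verify anywhere else: with keys present the
        # remote must keep ostree's default (verify) for the import below
        # to mean anything.
        extra_args = []
        if not gpg:
            extra_args.append("--no-gpg-verify")

        ostree("remote", "add",
               *extra_args,
               uid, url,
               repo=repo_cache)

        try:
            # Keys are handed over on stdin so they never show up on the
            # command line (and therefore not in the stderr echo either).
            for key in gpg:
                ostree("remote", "gpg-import", "--stdin", uid,
                       repo=repo_cache, _input=key)

            # Transfer the commit: remote → cache. The commit is requested
            # by checksum; the imported keys (if any) additionally let
            # ostree check the commit signature.
            print(f"pulling {commit}", file=sys.stderr)
            ostree("pull", uid, commit, repo=repo_cache)

            # Transfer the commit: cache → output
            ostree("pull-local", repo_cache, commit,
                   repo=repo_out)
        finally:
            # Remove the temporary remote again, also on failure, so the
            # persistent cache repo does not accumulate stale remotes.
            # (If this delete itself fails, its error replaces the
            # original one.)
            ostree("remote", "delete", uid,
                   repo=repo_cache)

    json.dump({}, sys.stdout)
    return 0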
if __name__ == '__main__':
    # All arguments arrive as a single JSON document on stdin; the exit
    # status is whatever main() returns.
    request = json.load(sys.stdin)
    status = main(request["options"],
                  request["checksums"],
                  request["cache"],
                  request["output"])
    sys.exit(status)