fix: signature check breaks qubes-builder update

The state module git.latest does not allow setting environment variable for us to set the correct GNUPGHOME. The module environ.set does not work as we call git as the normal user and not as root, but may still be the problem of git.latest not respecting environment variables. The problem with always pulling new commits is that it may conflict with the current work the user has done on the repository locally. It will also not work in case the last commit is not signed by a trusted key deployed by the formula, in this case, you should add the key manually to verify the commit. Setting the gpg.program only for the required repositories solves the aforementioned problem and also enhances usability by removing extra commands that the user needs to learn and remember. Fixes: #58
ben-grande · Jun 14, 2024 · ba5b481 · ba5b481
1 parent afcb730
commit ba5b481
Show file tree

Hide file tree

Showing 5 changed files with 68 additions and 25 deletions.
diff --git a/salt/qubes-builder/README.md b/salt/qubes-builder/README.md
@@ -8,8 +8,9 @@ Setup Qubes OS Builder V2 in Qubes OS itself.
 * [Installation](#installation)
 * [Access Control](#access-control)
 * [Usage](#usage)
+  * [Pulling new commits](#pulling-new-commits)
+  * [Add PGP public key to qubes-builder GPG home directory](#add-pgp-public-key-to-qubes-builder-gpg-home-directory)
   * [Builder configuration](#builder-configuration)
-  * [Update repository safely](#update-repository-safely)
 
 ## Description
 
@@ -58,6 +59,19 @@ unattended build.
 
 ## Usage
 
+### Pulling new commits
+
+The installation will clone the repository but not pull new commits. You will
+need to pull new commits from time to time, their signature will be
+automatically verified before merging them to your git index.
+
+### Add PGP public key to qubes-builder GPG home directory
+
+If you need to pull commits signed by someone with a key not deployed by
+default, import their key to the GPG home directory of qubes-builder:
+```sh
+gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY
+```
 ### Builder configuration
 
 When using the Qubes Executor, configure the `builder.yml` `dispvm` option to
@@ -74,15 +88,3 @@ executor:
 ```
 Setting the Disposable VM  to Dom0 works because it will use the
 `default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
-
-### Update repository safely
-
-If you need to pull new commits, set `GNUPGHOME` to
-`/home/user/.gnupg/qubes-builder`, the provided gitconfig enforces signature
-verification on git merges:
-```sh
-GNUPGHOME="$HOME/.gnupg/qubes-builder" git pull
-Commit 7c37bb7 has a good GPG signature by Frederic Pierret (fepitre)
-<[email protected]>
-...
-```
diff --git a/salt/qubes-builder/configure.sls b/salt/qubes-builder/configure.sls
@@ -23,18 +23,6 @@ include:
     - mode: '0755'
     - makedirs: True
 
-"{{ slsdotpath }}-git-clone-builderv2":
-  git.latest:
-    - name: https://github.com/QubesOS/qubes-builderv2.git
-    - target: /home/user/src/qubes-builderv2
-    - user: user
-
-"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
-  git.latest:
-    - name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
-    - target: /home/user/src/qubes-infrastructure-mirrors
-    - user: user
-
 "{{ slsdotpath }}-gnupg-home":
   file.directory:
     - name: /home/user/.gnupg/qubes-builder
@@ -72,6 +60,42 @@ include:
     - cwd: /home/user/.gnupg/qubes-builder
     - runas: user
 
+"{{ slsdotpath }}-git-clone-builderv2":
+  git.cloned:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: https://github.com/QubesOS/qubes-builderv2.git
+    - target: /tmp/qubes-builderv2
+    - user: user
+
+"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
+  git.cloned:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
+    - target: /home/user/src/qubes-infrastructure-mirrors
+    - user: user
+
+"{{ slsdotpath }}-git-config-gpg.program-for-builder":
+  git.config_set:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+      - git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
+    - name: gpg.program
+    - value: gpg-qubes-builder
+    - repo: /home/user/src/qubes-infrastructure-mirrors
+    - user: user
+
+"{{ slsdotpath }}-git-config-gpg.program-for-mirrors":
+  git.config_set:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+      - git: "{{ slsdotpath }}-git-clone-builderv2"
+    - name: gpg.program
+    - value: gpg-qubes-builder
+    - repo: /home/user/src/qubes-builderv2
+    - user: user
+
 "{{ slsdotpath }}-git-verify-HEAD-builderv2":
   cmd.run:
     - require:

diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy
@@ -5,6 +5,8 @@
 
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
+
+## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
 qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
 
 qusal.GitInit  +qubes-builder {{ sls_path }} @default allow target=sys-git

diff --git a/salt/qubes-builder/files/client/bin/gpg-qubes-builder b/salt/qubes-builder/files/client/bin/gpg-qubes-builder
@@ -0,0 +1,6 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <[email protected]>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+set -eu
+env GNUPGHOME="$HOME/.gnupg/qubes-builder" gpg2 "$@"
diff --git a/salt/qubes-builder/install.sls b/salt/qubes-builder/install.sls
@@ -66,4 +66,13 @@ include:
     - addusers:
       - user
 
+"{{ slsdotpath }}-add-gpg-program-verify-git-commits-using-builder-keyring":
+  file.managed:
+    - name: /usr/bin/gpg-qubes-builder
+    - source: salt://{{ slsdotpath }}/files/client/bin/gpg-qubes-builder
+    - user: root
+    - group: root
+    - mode: '0755'
+    - makedirs: True
+
 {% endif -%}