From ba5b4813f295ca2a62a6f9119049fc03a4730c1e Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Fri, 14 Jun 2024 19:04:29 +0200
Subject: [PATCH] fix: signature check breaks qubes-builder update

The state module git.latest does not allow setting environment variable for us to set the correct GNUPGHOME. The module environ.set does not work as we call git as the normal user and not as root, but may still be the problem of git.latest not respecting environment variables. The problem with always pulling new commits is that it may conflict with the current work the user has done on the repository locally. It will also not work in case the last commit is not signed by a trusted key deployed by the formula, in this case, you should add the key manually to verify the commit. Setting the gpg.program only for the required repositories solves the aforementioned problem and also enhances usability by removing extra commands that the user needs to learn and remember.

Fixes: https://github.com/ben-grande/qusal/issues/58
---
 salt/qubes-builder/README.md | 28 ++++++-----
 salt/qubes-builder/configure.sls | 48 ++++++++++++++-----
 .../files/admin/policy/default.policy | 2 +
 .../files/client/bin/gpg-qubes-builder | 6 +++
 salt/qubes-builder/install.sls | 9 ++++
 5 files changed, 68 insertions(+), 25 deletions(-)
 create mode 100755 salt/qubes-builder/files/client/bin/gpg-qubes-builder

diff --git a/salt/qubes-builder/README.md b/salt/qubes-builder/README.md
index eda5387b..d5ab4096 100644
--- a/salt/qubes-builder/README.md
+++ b/salt/qubes-builder/README.md
@@ -8,8 +8,9 @@ Setup Qubes OS Builder V2 in Qubes OS itself.
 * [Installation](#installation)
 * [Access Control](#access-control)
 * [Usage](#usage)
+  * [Pulling new commits](#pulling-new-commits)
+  * [Add PGP public key to qubes-builder GPG home directory](#add-pgp-public-key-to-qubes-builder-gpg-home-directory)
 * [Builder configuration](#builder-configuration)
-  * [Update repository safely](#update-repository-safely)
 
 ## Description
 
@@ -58,6 +59,19 @@ unattended build.
 
 ## Usage
 
+### Pulling new commits
+
+The installation will clone the repository but not pull new commits. You will
+need to pull new commits from time to time, their signature will be
+automatically verified before merging them to your git index.
+
+### Add PGP public key to qubes-builder GPG home directory
+
+If you need to pull commits signed by someone with a key not deployed by
+default, import their key to the GPG home directory of qubes-builder:
+```sh
+gpg --homedir "$HOME/.gnupg/qubes-builder" --import KEY
+```
 ### Builder configuration
 
 When using the Qubes Executor, configure the `builder.yml` `dispvm` option to
@@ -74,15 +88,3 @@ executor:
 ```
 Setting the Disposable VM to Dom0 works because it will use the `default_dispvm`
 preference of `qubes-builder`, which is `dvm-qubes-builder`.
-
-### Update repository safely
-
-If you need to pull new commits, set `GNUPGHOME` to
-`/home/user/.gnupg/qubes-builder`, the provided gitconfig enforces signature
-verification on git merges:
-```sh
-GNUPGHOME="$HOME/.gnupg/qubes-builder" git pull
-Commit 7c37bb7 has a good GPG signature by Frederic Pierret (fepitre)
-
-...
-```
diff --git a/salt/qubes-builder/configure.sls b/salt/qubes-builder/configure.sls
index c7bd21f6..faea0ad3 100644
--- a/salt/qubes-builder/configure.sls
+++ b/salt/qubes-builder/configure.sls
@@ -23,18 +23,6 @@ include:
     - mode: '0755'
     - makedirs: True
 
-"{{ slsdotpath }}-git-clone-builderv2":
-  git.latest:
-    - name: https://github.com/QubesOS/qubes-builderv2.git
-    - target: /home/user/src/qubes-builderv2
-    - user: user
-
-"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
-  git.latest:
-    - name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
-    - target: /home/user/src/qubes-infrastructure-mirrors
-    - user: user
-
 "{{ slsdotpath }}-gnupg-home":
   file.directory:
     - name: /home/user/.gnupg/qubes-builder
@@ -72,6 +60,42 @@ include:
     - cwd: /home/user/.gnupg/qubes-builder
     - runas: user
 
+"{{ slsdotpath }}-git-clone-builderv2":
+  git.cloned:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: https://github.com/QubesOS/qubes-builderv2.git
+    - target: /tmp/qubes-builderv2
+    - user: user
+
+"{{ slsdotpath }}-git-clone-infrastructure-mirrors":
+  git.cloned:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+    - name: https://github.com/QubesOS/qubes-infrastructure-mirrors.git
+    - target: /home/user/src/qubes-infrastructure-mirrors
+    - user: user
+
+"{{ slsdotpath }}-git-config-gpg.program-for-builder":
+  git.config_set:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+      - git: "{{ slsdotpath }}-git-clone-infrastructure-mirrors"
+    - name: gpg.program
+    - value: gpg-qubes-builder
+    - repo: /home/user/src/qubes-infrastructure-mirrors
+    - user: user
+
+"{{ slsdotpath }}-git-config-gpg.program-for-mirrors":
+  git.config_set:
+    - require:
+      - cmd: "{{ slsdotpath }}-import-keys"
+      - git: "{{ slsdotpath }}-git-clone-builderv2"
+    - name: gpg.program
+    - value: gpg-qubes-builder
+    - repo: /home/user/src/qubes-builderv2
+    - user: user
+
 "{{ slsdotpath }}-git-verify-HEAD-builderv2":
   cmd.run:
     - require:
diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy
index 4a18275a..f03622f4 100644
--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@@ -5,6 +5,8 @@
 ## Do not modify this file, create a new policy with with a lower number in the
 ## file name instead. For example `30-user.policy`.
 
+
+## TODO: split-gpg2 configuration for isolated_gnupghomedirs.
 qubes.Gpg2 * {{ sls_path }} @default allow target=sys-pgp
 qusal.GitInit +qubes-builder {{ sls_path }} @default allow target=sys-git
 
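Review bot: The new `git-clone-builderv2` state clones to `/tmp/qubes-builderv2`, but the `git-config-gpg.program-for-mirrors` state that requires it sets `gpg.program` on `/home/user/src/qubes-builderv2`, which is the path the removed `git.latest` state used and, presumably, the path `git-verify-HEAD-builderv2` still checks (its body is outside the hunk). On a fresh install that directory will not exist, so the config step would fail, and a checkout under `/tmp` typically does not survive a reboot; the target line should read `- target: /home/user/src/qubes-builderv2`. The two `git.config_set` state IDs are also crossed: `...-git-config-gpg.program-for-builder` configures the mirrors repository and `...-for-mirrors` configures builderv2, so swap the ID suffixes (or their `require`/`repo` values) so each name matches the repository it touches.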
diff --git a/salt/qubes-builder/files/client/bin/gpg-qubes-builder b/salt/qubes-builder/files/client/bin/gpg-qubes-builder
new file mode 100755
index 00000000..08003ed6
--- /dev/null
+++ b/salt/qubes-builder/files/client/bin/gpg-qubes-builder
@@ -0,0 +1,6 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2024 Benjamin Grande M. S.
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+set -eu
+env GNUPGHOME="$HOME/.gnupg/qubes-builder" gpg2 "$@"
diff --git a/salt/qubes-builder/install.sls b/salt/qubes-builder/install.sls
index 79b82b94..750a049b 100644
--- a/salt/qubes-builder/install.sls
+++ b/salt/qubes-builder/install.sls
@@ -66,4 +66,13 @@ include:
     - addusers:
       - user
 
+"{{ slsdotpath }}-add-gpg-program-verify-git-commits-using-builder-keyring":
+  file.managed:
+    - name: /usr/bin/gpg-qubes-builder
+    - source: salt://{{ slsdotpath }}/files/client/bin/gpg-qubes-builder
+    - user: root
+    - group: root
+    - mode: '0755'
+    - makedirs: True
+
 {% endif -%}
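Review bot: The new `gpg-qubes-builder` wrapper carries no comment saying what it is for; since `install.sls` deploys it to `/usr/bin` and `configure.sls` sets it as git's `gpg.program`, a header line such as `# Used as git gpg.program so commit signatures are checked against the qubes-builder keyring only.` would spare the next reader a grep across the formula. As a point of style, the last line could `exec` the program so the shell does not stay around as an extra parent process: `exec env GNUPGHOME="$HOME/.gnupg/qubes-builder" gpg2 "$@"`. The `set -u` is worth keeping as written: with `HOME` unset the wrapper aborts instead of silently pointing `GNUPGHOME` at `/.gnupg/qubes-builder`, which is the right failure mode for a signature check.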