Help with signing iso squash file systems

Sorry if this is in the wrong section. I would have tried one of the other development sections, but I am unable to start a topic in them.
While setting up my build server for SbK Spins I learned that the iso’s produced with buildiso can be signed using the -q option. Sadly numerous searches for more information and attempts have failed. If this info is available, please point me to it.

Not sure if posting the secret key id is a good idea, I will replace it with ****** in this post.

I am using the command sudo buildiso -p mate-compiz -b stable -g "*******" with the real short id. The command has produced working iso’s without signing.
A question arises from an error. What goes in .config/manjaro-tools/pgpkey? The public or the private asc file, or something else?

It does appear to import the key. In any event I am getting this error before it fails

pgp: using “******” as default secret key for signing.
pgp: signing failed: Permission denied
pgp: signing failed: Permission denied
==> ERROR : A failure in make_iso().
Aborting…

Thanks in advance for any help.

Jim

The gpgkey in the config is for signing the squashed filesystems and to my knowledge not used.

But if you were to use it you would use the id of the key you want to use.

To sign an iso - which makes much more sense - you add the packager email and corresponding id in ~/.makepkg.conf line #123 and #125

You can find the key using

gpg --list-keys your@email.here

Thanks for replying. I did want to sign the squashed filesystems. But your info will likely help with packaging.

I tried building it as root to eliminate permission problems. It worked, and that showed it was a permission problem, not a setup or configuration one. The issue turned out to be that ~/.gnupg was only readable by the owner of the directory. I chmod’ed the ~/.gnupg folder 744.

To help anyone else in the future wanting to sign an iso, here is what I needed to do for the whole setup.

  1. Create the ~/.config/manjaro-tools/pgpkey folder.
  2. Place the “secret”.asc key I wanted to use in ~/.config/manjaro-tools/pgpkey then reboot.
  3. Add -q “key Id” to the build command.
  4. Watch the iso build and be ready to sign each of the 3 squashed filesystems. The timeout is short to enter the passphrase. If you don’t do it in time the build will error out.

I am not sure that leaving the ~/.gnupg folder readable is a good idea. I use scripts to build iso’s and move then rename the files. I am likely going to add chmod lines to the scripts that make the ~/.gnupg readable for everyone during the build, then make it unreadable for others once it’s done.
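The permission concern raised in the post above, as an added example that is not part of the original thread: GnuPG expects its home directory to be accessible only by its owner, which is what the "unsafe permissions on homedir" warning refers to. The sketch below lists everything under a GnuPG home that grants group or other access and can strip those bits again after a build. The function names are hypothetical, the demo directory and key file are constructed, and GNU find is assumed (as on Manjaro).

```shell
#!/bin/sh
# Added example: audit and tighten a GnuPG home directory.

# audit_gnupg_home [DIR]
# Prints "<octal mode> <path>" for every entry with any group/other bit set.
# Returns 0 when clean, 1 when findings exist, 2 when DIR is missing.
audit_gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    # -perm /077 matches any group or other permission bit.
    # Agent sockets (S.gpg-agent*) and symlinks are skipped.
    loose=$(find "$dir" ! -type s ! -type l -perm /077 -printf '%m %p\n')
    [ -z "$loose" ] && return 0
    printf '%s\n' "$loose"
    return 1
}

# tighten_gnupg_home [DIR]
# Removes all group/other access and leaves the owner bits untouched,
# so a directory at 744 becomes 700 and a file at 644 becomes 600.
tighten_gnupg_home() {
    dir=${1:-${GNUPGHOME:-$HOME/.gnupg}}
    find "$dir" ! -type l -exec chmod go-rwx {} +
}

# Constructed demo: a throwaway directory set to 744 as described in the post.
demo=$(mktemp -d)
mkdir "$demo/private-keys-v1.d"
: > "$demo/private-keys-v1.d/constructed.key"
chmod 744 "$demo"
chmod 755 "$demo/private-keys-v1.d"
chmod 644 "$demo/private-keys-v1.d/constructed.key"

audit_gnupg_home "$demo" || echo "=> group/other access found"
tighten_gnupg_home "$demo"
audit_gnupg_home "$demo" && echo "=> clean"
rm -rf "$demo"
```

In a build script, running the audit as the last step and failing on a non-zero return catches a home directory that was left open after the build.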

There is no need for putting the key in any special location - all you need is to do it right.

The argument you mention is only informational - to validate the settings used to build the ISO

-q                 Query settings and pretend build

To actually sign the squashed filesystems - you use the -g argument of buildiso

-g <key>           The gpg key for sfs signing

You can either insert the keyid in your ~/.config/manjaro-tools/manjaro-tools.conf or supply it on the commandline.

Example using commandline which - by the way - will always override the key set in manjaro-tools.conf

buildiso -g 17C752B61B2F2E90 -p openbox -k linux513 -b unstable

You will get information messages - which can be ignored

gpg: WARNING: unsafe permissions on homedir '/tmp/mkinitcpio.sk5dy3/root/gpg'
gpg: keybox '/tmp/mkinitcpio.sk5dy3/root/gpg/pubring.kbx' created
gpg: key 17C752B61B2F2E90: 8 signatures not checked due to missing keys
gpg: /tmp/mkinitcpio.sk5dy3/root/gpg/trustdb.gpg: trustdb created
gpg: key 17C752B61B2F2E90: public key "Frede Hundewadt <fh@manjaro.org>" imported
gpg: key 17C752B61B2F2E90: 7 signatures not checked due to missing keys
gpg: key 17C752B61B2F2E90: "Frede Hundewadt <fh@manjaro.org>" not changed
gpg: Total number processed: 2
gpg:               imported: 1
gpg:              unchanged: 1
gpg: no ultimately trusted keys found
  -> Running build hook: [miso_loop_mnt]
  -> Running build hook: [miso_pxe_common]
==> WARNING: Possibly missing firmware for module: softing_cs
  -> Running build hook: [miso_pxe_http]
  -> Running build hook: [miso_pxe_nbd]
  -> Running build hook: [miso_pxe_nfs]
  -> Running build hook: [miso_kms]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [filesystems]
  -> Running build hook: [keyboard]
  -> Running build hook: [keymap]
==> Generating module dependencies
==> Creating xz-compressed initcpio image: /boot/initramfs.img
: gpg/S.gpg-agent: pax format cannot archive sockets
: gpg/S.gpg-agent.browser: pax format cannot archive sockets
: gpg/S.gpg-agent.extra: pax format cannot archive sockets
: gpg/S.gpg-agent.ssh: pax format cannot archive sockets
==> Image generation successful

After a while you will be prompted for your keyphrase to unlock the signing key - using the pinentry dialog for the environment.

When you have unlocked your key the process continues - the unlocking is only done once

gpg: using "17C752B61B2F2E90" as default secret key for signing

Subsequent signing will be commenced using the gpg-agent launched earlier.

When you are done building your iso - navigate to the folder containing the ISO and run signiso with no arguments. This will create a signature and checksums for the complete ISO.

Now your ISO is verified in several places - inside the iso with signatures for the sfs and outside.

Screenshot mounted ISO


Thank you very much for the detailed info.