V8.13.392.2025.11.07

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-07 17:12:52 +01:00
parent 4e5bc1aa84
commit 051361abbb
79 changed files with 359 additions and 160 deletions
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -10,7 +10,7 @@
 # SPDX-PackageName: CISS.debian.live.builder
 # SPDX-Security-Contact: security@coresecret.eu

-guard_sourcing
+guard_sourcing || return "${ERR_GUARD_SRCE}"

 #######################################
 # Init GNUPGHOME.
@@ -51,8 +51,20 @@ init_gnupg() {
      # shellcheck disable=SC2174
      mkdir -p -m 0700 "${GNUPGHOME}"

-      echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
-      gpgconf --reload gpg-agent || true
+      cat << EOF >> "${GNUPGHOME}/gpg-agent.conf"
+allow-loopback-pinentry
+pinentry-program /usr/bin/pinentry-tty
+EOF
+
+      gpgconf --kill gpg-agent || true
+
+      if ! gpgconf --launch gpg-agent >/dev/null 2>&1; then
+
+        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to launch gpg-agent. \e[0m\n"
+        umask "${__umask}"
+        return "${ERR_GPG__AGENT}"
+
+      fi

    else

@@ -60,14 +72,11 @@ init_gnupg() {

    fi

-    gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
-    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
-
-    gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
-    gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
-
+    ### Use pubring as verification keyring reference.
    declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx"
+
    declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}"
+
    ### No tracing for security reasons ------------------------------------------------------------------------------------------
    [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x

@@ -78,6 +87,20 @@ init_gnupg() {
    ### Turn on tracing again ----------------------------------------------------------------------------------------------------
    [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x

+    if ! gpg --batch --yes --pinentry-mode=loopback --passphrase-file "${VAR_SIGNING_KEY_PASSFILE}" --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"; then
+
+      printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ Failed to import signing key. \e[0m\n"
+      umask "${__umask}"
+      return "${ERR_GPG__AGENT}"
+
+    fi
+
+    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
+
+    ### Export public key for verification inside ISO / chroot.
+    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
+    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
+
    umask "${__umask}"
    __umask=""