V8.13.408.2025.11.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-13 06:26:44 +01:00
parent a362db3d78
commit 5f370c2cdb
83 changed files with 1422 additions and 877 deletions
--- a/lib/lib_gnupg.sh
+++ b/lib/lib_gnupg.sh
@@ -21,6 +21,8 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   VAR_EARLY_DEBUG
 #   VAR_HANDLER_BUILD_DIR
 #   VAR_SIGNER
+#   VAR_SIGNING_CA
+#   VAR_SIGNING_CA_FPR
 #   VAR_SIGNING_KEY
 #   VAR_SIGNING_KEY_FPR
 #   VAR_SIGNING_KEY_PASS
@@ -43,7 +45,7 @@ init_gnupg() {
    umask 0077

    ### Avoid collision with Gitea runner workflows.
-    if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
+    if [[ "${VAR_CDLB_INSIDE_RUNNER}" != "true" ]]; then

      printf "\e[93m++++ ++++ ++++ ++++ ++++ ++++ ++ 🔐 VAR_CDLB_INSIDE_RUNNER: [%s] \e[0m\n" "${VAR_CDLB_INSIDE_RUNNER}"

@@ -92,14 +94,34 @@ EOF

    fi

+    ### Optionally, import offline GPG CA public keys.
+    if [[ -n "${VAR_SIGNING_CA}" ]]; then
+
+      # shellcheck disable=SC2155
+      declare -gx VAR_SIGNING_CA_FPR="$(
+        gpg --batch --with-colons --import-options show-only --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}" \
+          | awk -F: '$1=="pub"{seen_pub=1; next} seen_pub && $1=="fpr"{print $10; exit}'
+      )"
+
+      if ! gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"; then
+
+        printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ Failed to import CA public key. \e[0m\n"
+        return "${ERR_GPG__AGENT}"
+
+      fi
+
+    fi
+
    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
+    shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_CA}"

    ### Export public key for verification inside ISO / chroot.
    install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys"
    install -d -m 0755 -o root -g root "${VAR_HANDLER_BUILD_DIR}/config/includes.binary"
    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}.gpg"
-    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/unlock_wrapper_pubring.gpg"
-    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums.gpg"
+    gpg --batch --yes --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_KEY_FPR}.gpg"
+    [[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_CA_FPR}.gpg"
+    [[ -n "${VAR_SIGNING_CA}" ]] && gpg --batch --yes --export "${VAR_SIGNING_CA_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/${VAR_SIGNING_CA_FPR}.gpg"

    umask "${__umask}"
    __umask=""