msw/CISS.debian.live.builder
SHA256
2
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
2b43589fc780089d676d099f9efa44c3dce90b4af61e8a4913e50ceb6be003d8
CISS.debian.live.builder/lib/lib_gnupg.sh
Marc S. Weidner ef87becefe
Some checks failed
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m37s
Details
🛡️ Retrieve DNSSEC status of coresecret.dev. / 🛡️ Retrieve DNSSEC status of coresecret.dev. (push) Successful in 1m9s
Details
🔐 Generating a Private Live ISO TRIXIE. / 🔐 Generating a Private Live ISO TRIXIE. (push) Failing after 1m0s
Details
V8.13.384.2025.11.06 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-11-06 19:59:22 +01:00

88 lines
3.0 KiB
Bash
Raw Blame History

#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-11-06; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Init GNUPGHOME.
# Globals:
# BASH_SOURCE
# GNUPGHOME
# VAR_CDLB_INSIDE_RUNNER
# VAR_EARLY_DEBUG
# VAR_HANDLER_BUILD_DIR
# VAR_ISO8601
# VAR_SIGNER
# VAR_SIGNING_KEY
# VAR_SIGNING_KEY_FPR
# VAR_SIGNING_KEY_PASS
# VAR_SIGNING_KEY_PASSFILE
# VAR_TMP_SECRET
# VAR_VERIFY_KEYRING
# Arguments:
# None
# Returns:
# 0: on success
#######################################
init_gnupg() {
printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 %s starting ... \e[0m\n" "${BASH_SOURCE[0]}"
if [[ "${VAR_SIGNER}" == "true" ]]; then
__umask=$(umask)
umask 0077
### Avoid collision with Gitea runner workflows.
if [[ ! "${VAR_CDLB_INSIDE_RUNNER}" == "true" ]]; then
declare -grx GNUPGHOME="/dev/shm/cdlb_${VAR_ISO8601}_gnupg"
# shellcheck disable=SC2174
mkdir -p -m 0700 "${GNUPGHOME}"
echo 'allow-loopback-pinentry' >| "${GNUPGHOME}/gpg-agent.conf"
gpgconf --reload gpg-agent || true
fi
gpg --batch --import "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
shred -fzu -n 5 -- "${VAR_TMP_SECRET}/${VAR_SIGNING_KEY}"
gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.chroot/etc/ciss/keys/${VAR_SIGNING_KEY_FPR}_public.gpg"
gpg --batch --export "${VAR_SIGNING_KEY_FPR}" >| "${VAR_HANDLER_BUILD_DIR}/config/includes.binary/0030-verify-checksums_public.gpg"
declare -grx VAR_VERIFY_KEYRING="${GNUPGHOME}/pubring.kbx"
declare -grx VAR_SIGNING_KEY_PASSFILE="${VAR_TMP_SECRET}/${VAR_SIGNING_KEY_PASS}"
### No tracing for security reasons ------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
declare __pw=""
__pw="$(<"${VAR_SIGNING_KEY_PASSFILE}")"; __pw="${__pw%$'\r'}"; printf '%s' "${__pw}" >| "${VAR_SIGNING_KEY_PASSFILE}"
__pw="" && unset __pw
### Turn on tracing again ----------------------------------------------------------------------------------------------------
[[ "${VAR_EARLY_DEBUG}" == "true" ]] && set -x
umask "${__umask}"
__umask=""
fi
printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ %s successfully applied. \e[0m\n" "${BASH_SOURCE[0]}"
return 0
}
### Prevents accidental 'unset -f'.
# shellcheck disable=SC2034
readonly -f init_gnupg
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
Reference in New Issue View Git Blame Copy Permalink