From 766f0fa30f782acfe5dabd9c11296590961b7f47 Mon Sep 17 00:00:00 2001
From: Wolfgang Bumiller <w.bumiller@proxmox.com>
Date: Mon, 31 Aug 2015 10:37:40 +0200
Subject: [PATCH] using a weak key for pacman-key --init

---
 PVE/AAB.pm | 43 +++++++++++++++++++++++++++++++++++++++----
 aab        |  6 ++++++
 2 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/PVE/AAB.pm b/PVE/AAB.pm
index 0289ba0..fb5749b 100644
--- a/PVE/AAB.pm
+++ b/PVE/AAB.pm
@@ -521,10 +521,7 @@ sub bootstrap {
     }
 
     print "Populating keyring...\n";
-    $self->run_command(['mount', '-t', 'devtmpfs', '-o', 'mode=0755,nosuid', 'udev', "$root/dev"]);
-    $self->run_command(['unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--init']);
-    $self->run_command(['unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--populate']);
-    $self->run_command(['umount', "$root/dev"]);
+    $self->populate_keyring();
 
     print "Starting container...\n";
     $self->start_container();
@@ -533,6 +530,44 @@ sub bootstrap {
     $self->ve_command(['pacman', '-S', '--needed', '--noconfirm', '--', @$packages]);
 }
 
+sub populate_keyring {
+    my ($self) = @_;
+    my $root = $self->{rootfs};
+
+    # devices needed for gnupg to function:
+    my $devs = {
+	'/dev/null'    => ['c', '1', '3'],
+	'/dev/random'  => ['c', '1', '9'], # fake /dev/random (really urandom)
+	'/dev/urandom' => ['c', '1', '9'],
+	'/dev/tty'     => ['c', '5', '0'],
+    };
+
+    my $cleanup_dev = sub {
+	# remove temporary device files
+	unlink "${root}$_" foreach keys %$devs;
+    };
+    local $SIG{INT} = $SIG{TERM} = $cleanup_dev;
+
+    # at least /dev/null exists as regular file after installing the filesystem package,
+    # and we want to replace /dev/random, so delete devices first
+    &$cleanup_dev();
+
+    foreach my $dev (keys %$devs) {
+	my ($type, $major, $minor) = @{$devs->{$dev}};
+	system('mknod', "${root}${dev}", $type, $major, $minor);
+    }
+
+    # generate weak master key and populate the keyring
+    system('unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--init') == 0
+	or die "failed to initialize keyring: $?";
+    system('unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--populate') == 0
+	or die "failed to populate keyring: $?";
+
+    &$cleanup_dev();
+    # reset to original state
+    system('touch', "$root/dev/null");
+}
+
 sub install {
     my ($self, $pkglist) = @_;
 
diff --git a/aab b/aab
index 6e02d51..6d62445 100755
--- a/aab
+++ b/aab
@@ -56,6 +56,12 @@ eval {
 	$aab->ve_init() if !$keep;
 	$aab->bootstrap();
 
+    } elsif ($cmd eq 'keyring') {
+	# for debugging:
+
+	die "command '$cmd' expects no arguments.\n" if scalar (@ARGV) != 0;
+	$aab->populate_keyring();
+
     } elsif ($cmd eq 'basedir') {
 
 	die "command '$cmd' expects no arguments.\n" if scalar (@ARGV) != 0;