using a weak key for pacman-key --init
parent
da8dfe0b95
commit
766f0fa30f
43
PVE/AAB.pm
43
PVE/AAB.pm
|
@ -521,10 +521,7 @@ sub bootstrap {
|
||||||
}
|
}
|
||||||
|
|
||||||
print "Populating keyring...\n";
|
print "Populating keyring...\n";
|
||||||
$self->run_command(['mount', '-t', 'devtmpfs', '-o', 'mode=0755,nosuid', 'udev', "$root/dev"]);
|
$self->populate_keyring();
|
||||||
$self->run_command(['unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--init']);
|
|
||||||
$self->run_command(['unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--populate']);
|
|
||||||
$self->run_command(['umount', "$root/dev"]);
|
|
||||||
|
|
||||||
print "Starting container...\n";
|
print "Starting container...\n";
|
||||||
$self->start_container();
|
$self->start_container();
|
||||||
|
@ -533,6 +530,44 @@ sub bootstrap {
|
||||||
$self->ve_command(['pacman', '-S', '--needed', '--noconfirm', '--', @$packages]);
|
$self->ve_command(['pacman', '-S', '--needed', '--noconfirm', '--', @$packages]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub populate_keyring {
|
||||||
|
my ($self) = @_;
|
||||||
|
my $root = $self->{rootfs};
|
||||||
|
|
||||||
|
# devices needed for gnupg to function:
|
||||||
|
my $devs = {
|
||||||
|
'/dev/null' => ['c', '1', '3'],
|
||||||
|
'/dev/random' => ['c', '1', '9'], # fake /dev/random (really urandom)
|
||||||
|
'/dev/urandom' => ['c', '1', '9'],
|
||||||
|
'/dev/tty' => ['c', '5', '0'],
|
||||||
|
};
|
||||||
|
|
||||||
|
my $cleanup_dev = sub {
|
||||||
|
# remove temporary device files
|
||||||
|
unlink "${root}$_" foreach keys %$devs;
|
||||||
|
};
|
||||||
|
local $SIG{INT} = $SIG{TERM} = $cleanup_dev;
|
||||||
|
|
||||||
|
# at least /dev/null exists as regular file after installing the filesystem package,
|
||||||
|
# and we want to replace /dev/random, so delete devices first
|
||||||
|
&$cleanup_dev();
|
||||||
|
|
||||||
|
foreach my $dev (keys %$devs) {
|
||||||
|
my ($type, $major, $minor) = @{$devs->{$dev}};
|
||||||
|
system('mknod', "${root}${dev}", $type, $major, $minor);
|
||||||
|
}
|
||||||
|
|
||||||
|
# generate weak master key and populate the keyring
|
||||||
|
system('unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--init') == 0
|
||||||
|
or die "failed to initialize keyring: $?";
|
||||||
|
system('unshare', '--fork', '--pid', 'chroot', "$root", 'pacman-key', '--populate') == 0
|
||||||
|
or die "failed to populate keyring: $?";
|
||||||
|
|
||||||
|
&$cleanup_dev();
|
||||||
|
# reset to original state
|
||||||
|
system('touch', "$root/dev/null");
|
||||||
|
}
|
||||||
|
|
||||||
sub install {
|
sub install {
|
||||||
my ($self, $pkglist) = @_;
|
my ($self, $pkglist) = @_;
|
||||||
|
|
||||||
|
|
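Review bot: The `system('mknod', ...)` call inside the device loop of the new populate_keyring never checks its return status, so a failed mknod (for instance because `$root/dev` is missing or a node with that name still exists) leaves gnupg without its devices and the error only surfaces later as an opaque pacman-key failure; the two pacman-key calls a few lines below do check, so the loop should too: `system('mknod', "${root}${dev}", $type, $major, $minor) == 0 or die "failed to create ${root}${dev}: $?";`. The chained `local $SIG{INT} = $SIG{TERM} = $cleanup_dev;` localizes only `$SIG{INT}`, so `$SIG{TERM}` keeps pointing at the cleanup closure after populate_keyring returns; `local @SIG{qw(INT TERM)} = ($cleanup_dev) x 2;` restores both. The handler itself appears to only unlink the device nodes and then return, so an interrupted run would continue without them rather than stop; if termination is intended the handler should `die` or `exit` after cleanup. The enclosing `bootstrap` sub of the first hunk continues outside the hunk.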
6
aab
6
aab
|
@ -56,6 +56,12 @@ eval {
|
||||||
$aab->ve_init() if !$keep;
|
$aab->ve_init() if !$keep;
|
||||||
$aab->bootstrap();
|
$aab->bootstrap();
|
||||||
|
|
||||||
|
} elsif ($cmd eq 'keyring') {
|
||||||
|
# for debugging:
|
||||||
|
|
||||||
|
die "command '$cmd' expects no arguments.\n" if scalar (@ARGV) != 0;
|
||||||
|
$aab->populate_keyring();
|
||||||
|
|
||||||
} elsif ($cmd eq 'basedir') {
|
} elsif ($cmd eq 'basedir') {
|
||||||
|
|
||||||
die "command '$cmd' expects no arguments.\n" if scalar (@ARGV) != 0;
|
die "command '$cmd' expects no arguments.\n" if scalar (@ARGV) != 0;
|
||||||
|
|
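Review bot: The new `keyring` branch is annotated only with `# for debugging:`, which does not say what state the command expects; since populate_keyring creates device nodes under `$self->{rootfs}/dev` and chroots into that directory, the rootfs must already have been bootstrapped when this command runs, and that precondition belongs in the comment, e.g. `# for debugging: re-run pacman-key --init/--populate inside an already bootstrapped rootfs`. If the script prints a usage or help text listing its commands, `keyring` presumably needs to be added there as well. The enclosing `eval` block starts and ends outside the hunk.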