Can't check gpg signature when building rootfs

Question

Can't check gpg signature when building rootfs

jonglezb opened this issue 4 years ago · comments

I tried building a rootfs for the latest 19.07 release with:

$ BRANCH=19.07.3 ./docker-rootfs.sh

However it failed to check the gpg signature:

+ export GNUPGHOME=/keys/gpg/
+ GNUPGHOME=/keys/gpg/
+ export USIGNHOME=/keys/usign/
+ USIGNHOME=/keys/usign/
+ curl https://downloads.openwrt.org/releases/19.07.3/targets/x86/64/sha256sums -fs -o sha256sums
+ curl https://downloads.openwrt.org/releases/19.07.3/targets/x86/64/sha256sums.asc -fs -o sha256sums.asc
+ curl https://downloads.openwrt.org/releases/19.07.3/targets/x86/64/sha256sums.sig -fs -o sha256sums.sig
+ '[' '!' -f sha256sums.asc ']'
+ '[' '!' -f sha256sums.asc ']'
+ gpg --with-fingerprint --verify sha256sums.asc sha256sums
gpg: keyblock resource `/keys/gpg//pubring.gpg': file open error
gpg: Signature made Sun 17 May 2020 02:42:57 AM CEST using RSA key ID 2074BE7A
gpg: Can't check signature: public key not found
+ exit 1

Are those /keys/ paths supposed to be on the host system? Obviously it doesn't work in my case because I don't run the script as root...

Paul Spooren · Answer 1 · Thu May 21 2020 05:52:19 GMT+0800 (China Standard Time)

Please test #55 and set GNUPGHOME and USIGNHOME to something accessible by your current user.

Also you have to run docker-common.sh first to download the required keys.

Baptiste Jonglez · Answer 2 · Thu May 21 2020 16:18:03 GMT+0800 (China Standard Time)

Thanks, that worked, except that USIGNHOME needs a trailing slash otherwise this part fails:

+ for KEY in '"$USIGNHOME"*'
+ echo 'Trying keys/usign...'

Is there anything preventing using local dirs (keys/gpg/ and keys/usign/) by default?

Paul Spooren · Answer 3 · Thu May 21 2020 16:31:24 GMT+0800 (China Standard Time)

I think some folder switching I used absolute path, however please try and create a PR