From 32d68a034f21a438185476b73e53670d088d6f2f Mon Sep 17 00:00:00 2001
From: purian23
Date: Sun, 28 Jun 2026 20:36:15 -0400
Subject: [PATCH] void: automate XBPS key registration
---
 .github/workflows/run-xbps.yml | 51 ++++++++++++++++++++++++----------
 1 file changed, 36 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/run-xbps.yml b/.github/workflows/run-xbps.yml
index cb2276a6..822a927a 100644
--- a/.github/workflows/run-xbps.yml
+++ b/.github/workflows/run-xbps.yml
@@ -81,32 +81,53 @@ jobs: - name: Configure signing keys and trust run: | - # Write private key; extract and register the public key for - # host and chroot trust (needed to fetch from sibling repos). + # Write private key; extract and register the public key echo "${{ secrets.XBPS_PRIVATE_KEY }}" > /tmp/xbps_privkey.pem chmod 600 /tmp/xbps_privkey.pem + # Extract public key in PEM format openssl rsa -in /tmp/xbps_privkey.pem -pubout -out /tmp/dms-key.pub - rm -f /tmp/xbps_privkey.pem # cleaned up; re-written only for signing step + rm -f /tmp/xbps_privkey.pem + # Compute MD5 fingerprint in colon-separated hex format + FINGERPRINT=$(openssl rsa -pubin -in /tmp/dms-key.pub -outform DER 2>/dev/null | openssl dgst -md5 -c | tr '[:upper:]' '[:lower:]' | awk '{print $NF}') + + # Format key in XML property list (plist) format as expected by xbps + mkdir -p /tmp/keys + cat < "/tmp/keys/${FINGERPRINT}.plist" + + + + public-key + $(base64 -w0 /tmp/dms-key.pub) + public-key-size + 4096 + signature-by + AvengeMedia + + + EOF + + # Copy keys to all host and chroot trust stores sudo mkdir -p /var/db/xbps/keys - sudo cp /tmp/dms-key.pub /var/db/xbps/keys/dms-key.pub + sudo cp "/tmp/keys/${FINGERPRINT}.plist" "/var/db/xbps/keys/${FINGERPRINT}.plist" mkdir -p void-packages/masterdir/var/db/xbps/keys - cp /tmp/dms-key.pub void-packages/masterdir/var/db/xbps/keys/dms-key.pub - rm -f /tmp/dms-key.pub + cp "/tmp/keys/${FINGERPRINT}.plist" "void-packages/masterdir/var/db/xbps/keys/${FINGERPRINT}.plist" + + mkdir -p void-packages/etc/xbps.d/keys + cp "/tmp/keys/${FINGERPRINT}.plist" "void-packages/etc/xbps.d/keys/${FINGERPRINT}.plist" + + mkdir -p void-packages/common/repo-keys + cp "/tmp/keys/${FINGERPRINT}.plist" "void-packages/common/repo-keys/${FINGERPRINT}.plist" + + rm -rf /tmp/keys /tmp/dms-key.pub - name: Configure repositories run: | - # Write repo configuration to host, chroot/masterdir, and template dir to guarantee dependency resolution - sudo mkdir -p /etc/xbps.d - echo 
"repository=https://avengemedia.github.io/DankLinux/current" | sudo tee /etc/xbps.d/90-danklinux.conf - - sudo mkdir -p void-packages/masterdir/etc/xbps.d - echo "repository=https://avengemedia.github.io/DankLinux/current" | sudo tee void-packages/masterdir/etc/xbps.d/90-danklinux.conf - - mkdir -p void-packages/etc/xbps.d - echo "repository=https://avengemedia.github.io/DankLinux/current" > void-packages/etc/xbps.d/90-danklinux.conf + # Append the repository to repos-remote templates so xbps-src translates it automatically + echo "repository=https://avengemedia.github.io/DankLinux/current" >> void-packages/etc/xbps.d/repos-remote.conf + echo "repository=https://avengemedia.github.io/DankLinux/current" >> void-packages/etc/xbps.d/repos-remote-x86_64-multilib.conf # Add any existing compiled packages to the build cache directory to avoid rebuilds if [ -d "gh-pages-repo/current" ]; then
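Review bot: The `FINGERPRINT=$(...)` pipeline discards stderr from `openssl rsa -pubin` with `2>/dev/null`, and unless the step already runs with `pipefail` (its `shell:` setting is not visible in the hunk), a failure there still yields a valid-looking digest of empty input from `openssl dgst -md5 -c`. The resulting `${FINGERPRINT}.plist` would then be copied into all four key locations and the step would report success, leaving the trust stores with a file named for the wrong key. I would start the `run:` block with `set -euo pipefail` and drop the `2>/dev/null` so a bad or missing key fails the step at once. The plist also hard-codes `4096` as the key size and names the file from an MD5 over the DER-encoded public key; both are worth checking against what xbps records for this key when the repository is signed, since a mismatch would presumably leave the key unrecognised. `/tmp/keys` is a fixed path, so `mktemp -d` would be the safer place to stage the file.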