[Qa-jenkins-scm] [jenkins.debian.net] 01/01: reproducible archlinux: use gpg to verify sources

[Holger Levsen]

This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch master
in repository jenkins.debian.net.

commit 7ece95bae42f202007345ac3b07908e22787b0a4
Author: Holger Levsen <holger at layer-acht.org>
Date:   Sat Dec 12 12:54:25 2015 +0100

    reproducible archlinux: use gpg to verify sources
---
 TODO                                        | 4 ++--
 bin/reproducible_build_archlinux_pkg.sh     | 4 ++--
 bin/reproducible_setup_archlinux_schroot.sh | 1 +
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/TODO b/TODO
index 99a0c72..1cbe1e2 100644
--- a/TODO
+++ b/TODO
@@ -309,8 +309,8 @@ This is about Debian, below are more todo entries for other projects…
 * arch build.sh:
 ** introduce more variations: USER
 ** confirm the others are really working
-** 'makepkg --skippgpcheck' should be replaced by 'makepkg' and 'echo "keyserver-options auto-key-retrieve" >> ~/.gnupg/gpg.conf'
-*** which should make this obsolete: 'schroot --directory /tmp -c source:jenkins-reproducible-archlinux -- grep  ^validpgpkeys= $PKG/PKGBUILD|cut -d "'" -f2|xargs schroot --directory /tmp -c source:jenkins-reproducible-archlinux -- gpg --recv-keys'
+** 'echo "keyserver-options auto-key-retrieve" >> ~/.gnupg/gpg.conf' is now being used and should make this not needed:
+*** 'schroot --directory /tmp -c source:jenkins-reproducible-archlinux -- grep  ^validpgpkeys= $PKG/PKGBUILD|cut -d "'" -f2|xargs schroot --directory /tmp -c source:jenkins-reproducible-archlinux -- gpg --recv-keys'
 ** on SIGTERM, also ssh to remote host and cleanup there! (via ssh &)
 * put results in a db
 ** graph results
diff --git a/bin/reproducible_build_archlinux_pkg.sh b/bin/reproducible_build_archlinux_pkg.sh
index 8dc5a5d..d6f1a5e 100755
--- a/bin/reproducible_build_archlinux_pkg.sh
+++ b/bin/reproducible_build_archlinux_pkg.sh
@@ -126,7 +126,7 @@ first_build() {
 	echo 'export TZ="/usr/share/zoneinfo/Etc/GMT+12"' | schroot --run-session -c $SESSION --directory /tmp -- tee -a /var/lib/jenkins/.bashrc
 	# nicely run makepkg with a timeout of $TIMEOUT hours
 	timeout -k $TIMEOUT.1h ${TIMEOUT}h /usr/bin/ionice -c 3 /usr/bin/nice \
-		schroot --run-session -c $SESSION --directory $BUILDDIR/$SRCPACKAGE -- bash -l -c 'makepkg --syncdeps --noconfirm --skippgpcheck 2>&1' | tee -a $LOG
+		schroot --run-session -c $SESSION --directory $BUILDDIR/$SRCPACKAGE -- bash -l -c 'makepkg --syncdeps --noconfirm 2>&1' | tee -a $LOG
 	PRESULT=${PIPESTATUS[0]}
 	if [ $PRESULT -eq 124 ] ; then
 		echo "$(date -u) - makepkg was killed by timeout after ${TIMEOUT}h." | tee -a $LOG
@@ -160,7 +160,7 @@ second_build() {
 	__END__
 	# nicely run makepkg with a timeout of $TIMEOUT hours
 	timeout -k $TIMEOUT.1h ${TIMEOUT}h /usr/bin/ionice -c 3 /usr/bin/nice \
-		schroot --run-session -c $SESSION --directory $BUILDDIR/$SRCPACKAGE -- bash -l -c 'makepkg --syncdeps --noconfirm --skippgpcheck 2>&1' | tee -a $LOG
+		schroot --run-session -c $SESSION --directory $BUILDDIR/$SRCPACKAGE -- bash -l -c 'makepkg --syncdeps --noconfirm 2>&1' | tee -a $LOG
 	PRESULT=${PIPESTATUS[0]}
 	if [ $PRESULT -eq 124 ] ; then
 		echo "$(date -u) - makepkg was killed by timeout after ${TIMEOUT}h." | tee -a $LOG
diff --git a/bin/reproducible_setup_archlinux_schroot.sh b/bin/reproducible_setup_archlinux_schroot.sh
index 3e90bdc..d344cbf 100755
--- a/bin/reproducible_setup_archlinux_schroot.sh
+++ b/bin/reproducible_setup_archlinux_schroot.sh
@@ -97,6 +97,7 @@ $ROOTCMD mkdir /var/lib/jenkins
 $ROOTCMD chown -R jenkins:jenkins /var/lib/jenkins
 echo ". /etc/profile.d/proxy.sh" | tee -a $SCHROOT_BASE/$TARGET/var/lib/jenkins/.bashrc
 $USERCMD bash -l -c 'gpg --check-trustdb' # first run will create ~/.gnupg/gpg.conf
+echo "keyserver-options auto-key-retrieve" | $USERCMD tee -a $SCHROOT_BASE/$TARGET/var/lib/jenkins/.gnupg/gpg.conf
 $USERCMD bash -l -c 'gpg --recv-keys 0x091AB856069AAA1C'
 
 echo "schroot $TARGET set up successfully in $SCHROOT_BASE/$TARGET - exiting now."

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/qa/jenkins.debian.net.git