Commit afaf64e3 authored by intrigeri's avatar intrigeri

Move the Upgrader's trusted keyring to tails-upgrade-frontend's $HOME and make...

Move the Upgrader's trusted keyring to tails-upgrade-frontend's $HOME and make it writable by that user (refs: #15279)

This will be needed in order to refresh our signing key before checking
for upgrades.
parent b5eb179b
......@@ -11,4 +11,6 @@ set -e
echo "Creating the tails-upgrade-frontend user"
addgroup --system --quiet --gid 126 tails-upgrade-frontend
adduser --system --quiet --uid 118 --gid 126 --no-create-home tails-upgrade-frontend
adduser --system --quiet --uid 118 --gid 126 \
--home /var/lib/tails-upgrade-frontend \
tails-upgrade-frontend
......@@ -6,9 +6,8 @@ Import_GnuPG_key ()
sudo -H -u "${LIVE_USERNAME}" gpg --batch --import /usr/share/doc/tails/website/*.key
echo "- importing Tails' GnuPG signing key into tails-iuk's trusted keyring"
gpg --batch --homedir /usr/share/tails-iuk/trusted_gnupg_homedir \
--import /usr/share/doc/tails/website/tails-signing.key
chmod -R go+rX /usr/share/tails-iuk
sudo -H -u tails-upgrade-frontend \
gpg --batch --import /usr/share/doc/tails/website/tails-signing.key
echo "- importing Tails help desk's GnuPG key into WhisperBack's keyring"
gpg --batch --no-default-keyring \
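Review bot: The new `sudo -H -u tails-upgrade-frontend gpg --batch --import …` call names no keyring directory, so where the key lands depends on sudo resolving that user's home to the same path that is hard-coded in `_build_trusted_gnupg_homedir`. If the account's home and the Perl constant ever drift apart, the import still succeeds and the mismatch only surfaces at runtime, when the upgrader's `assert(-d …)` fails. A check straight after the import would catch that at build time, for example `[ -d /var/lib/tails-upgrade-frontend/.gnupg ] || { echo "trusted keyring missing" >&2; exit 1; }`. Import_GnuPG_key starts and continues outside the visible lines, so any existing error handling around this call is not visible here.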
......
# Type Path Mode UID GID Age Argument
d /run/tails-upgrader 00775 root tails-upgrade-frontend - -
d /usr/share/tails-iuk/trusted_gnupg_homedir 00700 root root - -
......@@ -34,6 +34,6 @@ tails-persistence-setup:x:115:122::/home/tails-persistence-setup:/usr/sbin/nolog
clearnet:x:114:123::/home/clearnet:/usr/sbin/nologin
htp:x:116:124::/home/htp:/usr/sbin/nologin
tails-iuk-get-target-file:x:117:125::/home/tails-iuk-get-target-file:/usr/sbin/nologin
tails-upgrade-frontend:x:118:126::/home/tails-upgrade-frontend:/usr/sbin/nologin
tails-upgrade-frontend:x:118:126::/var/lib/tails-upgrade-frontend:/usr/sbin/nologin
tor-launcher:x:119:127::/home/tor-launcher:/usr/sbin/nologin
tails-install-iuk:x:120:128::/home/tails-install-iuk:/usr/sbin/nologin
......@@ -66,7 +66,7 @@ has 'running_system' => (
=cut
method _build_trusted_gnupg_homedir () {
my $trusted_gnupg_homedir = path('/usr/share/tails-iuk/trusted_gnupg_homedir');
my $trusted_gnupg_homedir = path('/var/lib/tails-upgrade-frontend/.gnupg');
assert(-d $trusted_gnupg_homedir);
return $trusted_gnupg_homedir;
}
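Review bot: `assert(-d $trusted_gnupg_homedir)` only confirms that the path is a directory, while this change moves the trust anchor for upgrade verification from a root-owned tree to one the upgrader's own user can write. The POD above the builder (it starts outside the hunk) should say that the keyring is now mutable at runtime and why, e.g. `Writable by tails-upgrade-frontend so the signing key can be refreshed before checking for upgrades; anything running as that user can change the set of trusted keys.` If callers rely on this directory being private to that account, an ownership or mode check next to the assert would make the assumption explicit. Whether such a check is wanted cannot be judged from the visible lines.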
......