#!/bin/sh -e sinfo() { echo ${BASH:+-e} "\033[1;33;41m$@\033[0m" } # Must have root directory as an argument if [ -z "$1" -o \( -n "$2" -a "$2" != fresh \) ]; then echo "$0 [fresh]" exit 1 fi # Variables FROM=`dirname $0` LIVECD=$1 # MIRROR=http://mirrors.kernel.org/gentoo MIRROR=http://distfiles.gentoo.org stage3base=${MIRROR}/releases/x86/autobuilds portage=${MIRROR}/snapshots/portage-latest.tar.bz2 # GPG keys used at bulid-time gpg_keys=`sed '/^#/d; /^$/d; s/ //g' ${FROM}/conf/pubkeys` if [ "$2" != fresh -a -d ${LIVECD}/src ]; then sinfo "Skipping overwrite of ${LIVECD}/src (use \"fresh\")" exit fi # Extract stage3 + portage snapshot to fresh directory # Download stage3 + portage snapshot mkdir -p ${LIVECD}/mirror/stage3 ${LIVECD}/mirror/portage mkdir -p -m 700 ${LIVECD}/mirror/gnupg sinfo "Testing for required utilities" if ! type gpg 1>/dev/null 2>&1; then echo "Please install GnuPG" exit 1 fi sinfo "Testing security labels and user xattrs support" touch ${LIVECD}/mirror/fs-test if ! setcap cap_net_raw+i ${LIVECD}/mirror/fs-test || \ ! setfattr -n user.test ${LIVECD}/mirror/fs-test; then echo "Filesystem does not support extended attributes." echo "Try ext4 with EXT4_FS_SECURITY and -o user_xattr" echo "(make sure attr / libpcap are installed)" exit 1 fi rm ${LIVECD}/mirror/fs-test # latest-stage3-i686.txt contains YYYYMMDD/stage3-i686-YYYYMMDD.tar.bz2 sinfo "Fetching latest-stage3.txt" wget -N -nv -P ${LIVECD}/mirror/stage3 ${stage3base}/latest-stage3-i686.txt stage3=`grep stage3-i686 ${LIVECD}/mirror/stage3/latest-stage3-i686.txt` stage3file=`basename ${stage3}` # If a new stage3 is available, remove old mirrors if [ ! -e ${LIVECD}/mirror/stage3/${stage3file} ]; then rm -f ${LIVECD}/mirror/stage3/stage3-i686-*.tar.bz2* fi sinfo "Downloading ${stage3file}" wget -c -nv -P ${LIVECD}/mirror/stage3 \ ${stage3base}/${stage3}.DIGESTS.asc \ ${stage3base}/${stage3}.CONTENTS \ ${stage3base}/${stage3} sinfo "Downloading portage-latest.tar.bz2" wget -N -nv -P ${LIVECD}/mirror/portage ${portage}.gpgsig ${portage} sinfo "Verifying PGP keys fingerprints" for key in ${gpg_keys}; do org=`echo ${key} | cut -d: -f1` fpr=`echo ${key} | cut -d: -f2` keyid=`echo -n ${fpr} | tail -c -8` gpg -q --homedir ${LIVECD}/mirror/gnupg --no-default-keyring \ --keyring ${org}.gpg --import ${FROM}/conf/certs/${org}-${keyid}.asc fpr2=`gpg -q --homedir ${LIVECD}/mirror/gnupg --keyring ${org}.gpg \ --fingerprint --with-colons 0x${fpr} | sed -n '/^fpr:/p' | cut -d: -f10` if [ ${fpr} != "${fpr2}" ]; then echo "Fingerprint mismatch: [${fpr}] != [${fpr2}]" exit 1 fi done for keyring in `echo "${gpg_keys}" | cut -d: -f1 | sort -u`; do keyids=`gpg -q -k --homedir ${LIVECD}/mirror/gnupg --keyring ${keyring}.gpg \ --fingerprint --with-colons | sed -n '/^fpr:/p' | cut -d: -f10 | sort` expids=`echo "${gpg_keys}" | sed -n "/^${keyring}:/p" | cut -d: -f2 | sort` if [ "${keyids}" != "${expids}" ]; then echo "Unexpected public keys in keyring ${keyring}.gpg" exit 1 fi done sinfo "Verifying stage3 and portage snapshot PGP signatures" gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \ --verify ${LIVECD}/mirror/stage3/${stage3file}.DIGESTS.asc gpg -q --homedir ${LIVECD}/mirror/gnupg --trust-model always --keyring gentoo.gpg \ --verify ${LIVECD}/mirror/portage/portage-latest.tar.bz2.gpgsig \ ${LIVECD}/mirror/portage/portage-latest.tar.bz2 sinfo "Verifying stage3 SHA512 digests" sed '/^# WHIRLPOOL HASH$/{N; s/.*/\n/}' ${LIVECD}/mirror/stage3/${stage3file}.DIGESTS.asc \ | (cd ${LIVECD}/mirror/stage3; sha512sum -c) sinfo "Removing ${LIVECD}/src" chattr -f -a ${LIVECD}/src/tmp/.private || : rm -rf --one-file-system ${LIVECD}/src mkdir -m 755 ${LIVECD}/src sinfo "Extracting stage3 to ${LIVECD}/src" tar -xpSjf ${LIVECD}/mirror/stage3/${stage3file} -C ${LIVECD}/src --exclude './dev/*' sinfo "Extracting portage to ${LIVECD}/src/usr" tar -xpSjf ${LIVECD}/mirror/portage/portage-latest.tar.bz2 -C ${LIVECD}/src/usr sinfo "Done."