pkgbase: fix pkg keys dir for base_latest/weekly

2026-01-04 12:03:35 +01:00 · 2025-12-03 16:10:48 -07:00
parent 4fafea8c6c
commit ff06eabf6f
4 changed files with 46 additions and 35 deletions
--- a/usr/local/share/bastille/bootstrap.sh
+++ b/usr/local/share/bastille/bootstrap.sh
@@ -320,31 +320,34 @@ bootstrap_release_pkgbase() {
    if [ "${PLATFORM_OS}" = "FreeBSD" ]; then

        local abi="${PLATFORM_OS}:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
-        local fingerprints="${bastille_releasesdir}/${RELEASE}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
-        local host_fingerprintsdir="/usr/share/keys/pkgbase-${MAJOR_VERSION}"
-        local release_fingerprintsdir="${bastille_releasesdir}/${RELEASE}/usr/share/keys"
+        local repo_dir="${bastille_sharedir}/pkgbase"
        if [ "${FREEBSD_BRANCH}" = "release" ]; then
            local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
+            local release_fingerprintsdir="${bastille_releasesdir}/${RELEASE}/usr/share/keys"
+            local host_fingerprintsdir="/usr/share/keys/pkgbase-${MAJOR_VERSION}"
+            local fingerprints="${bastille_releasesdir}/${RELEASE}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
        elif [ "${FREEBSD_BRANCH}" = "current" ]; then
            local repo_name="FreeBSD-base-latest"
+            local release_fingerprintsdir="${bastille_releasesdir}/${RELEASE}/usr/share/keys"
+            local host_fingerprintsdir="/usr/share/keys/pkg"
+            local fingerprints="${bastille_releasesdir}/${RELEASE}/usr/share/keys/pkg"
        fi
-        local repo_dir="${bastille_sharedir}/pkgbase"

        # Verify trusted pkg keys
-        if [ ! -f "${host_fingerprintsdir}/trusted/awskms-${MAJOR_VERSION}" ]; then
-            if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/awskms-${MAJOR_VERSION}
-            then
-                ERRORS=$((ERRORS + 1))
-                error_notify "[ERROR]: Failed to fetch trusted pkg keys."
-                return 1
+        if [ "${FREEBSD_BRANCH}" = "release" ]; then
+            if [ ! -f "${host_fingerprintsdir}/trusted/awskms-${MAJOR_VERSION}" ]; then
+                if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/awskms-${MAJOR_VERSION}; then
+                    ERRORS=$((ERRORS + 1))
+                    error_notify "[ERROR]: Failed to fetch trusted pkg keys."
+                    return 1
+                fi
            fi
-        fi
-        if [ ! -f "${host_fingerprintsdir}/trusted/backup-signing-${MAJOR_VERSION}" ]; then
-            if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/backup-signing-${MAJOR_VERSION}
-            then
-                ERRORS=$((ERRORS + 1))
-                error_notify "[ERROR]: Failed to fetch trusted backup pkg keys."
-                return 1
+            if [ ! -f "${host_fingerprintsdir}/trusted/backup-signing-${MAJOR_VERSION}" ]; then
+                if ! fetch -o "${host_fingerprintsdir}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${MAJOR_VERSION}/trusted/backup-signing-${MAJOR_VERSION}; then
+                    ERRORS=$((ERRORS + 1))
+                    error_notify "[ERROR]: Failed to fetch trusted backup pkg keys."
+                    return 1
+                fi
            fi
        fi

@@ -504,6 +507,7 @@ bootstrap_template() {
 # Handle options.
 PKGBASE=0
 ERRORS=0
+FETCH_PKG_KEYS=0
 while [ "$#" -gt 0 ]; do
    case "${1}" in
        -h|--help|help)
--- a/usr/local/share/bastille/pkgbase/FreeBSD-base.conf
+++ b/usr/local/share/bastille/pkgbase/FreeBSD-base.conf
@@ -2,14 +2,14 @@ FreeBSD-base-latest: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
-  fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}",
+  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
 }
 FreeBSD-base-weekly: {
  url: "pkg+https://pkg.FreeBSD.org/${ABI}/base_weekly",
  mirror_type: "srv",
  signature_type: "fingerprints",
-  fingerprints: "/usr/share/keys/pkgbase-${VERSION_MAJOR}",
+  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
 }
 FreeBSD-base-release-0: {
--- a/usr/local/share/bastille/update.sh
+++ b/usr/local/share/bastille/update.sh
@@ -196,13 +196,14 @@ jail_update_pkgbase() {

        local jailpath="${bastille_jailsdir}/${TARGET}/root"
        local abi="FreeBSD:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
-        local fingerprints="${jailpath}/usr/share/keys/pkg"
+        local repo_dir="${bastille_sharedir}/pkgbase"
        if [ "${FREEBSD_BRANCH}" = "release" ]; then
            local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
+            local fingerprints="${jailpath}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
        elif [ "${FREEBSD_BRANCH}" = "current" ]; then
            local repo_name="FreeBSD-base-latest"
+            local fingerprints="${jailpath}/usr/share/keys/pkg"
        fi
-        local repo_dir="${bastille_sharedir}/pkgbase"

        # Update repo (pkgbase)
        if ! pkg --rootdir "${jailpath}" \
@@ -330,21 +331,24 @@ release_update() {
 release_update_pkgbase() {

    if [ "${RELEASE_PLATFORM_OS}" = "FreeBSD" ]; then
-
+	
        local release_dir="${bastille_releasesdir}/${TARGET}"
        local abi="FreeBSD:${MAJOR_VERSION}:${HW_MACHINE_ARCH}"
-        local fingerprints="${release_dir}/usr/share/keys/pkg"
+        local repo_dir="${bastille_sharedir}/pkgbase"
        if [ "${FREEBSD_BRANCH}" = "release" ]; then
            local repo_name="FreeBSD-base-release-${MINOR_VERSION}"
+            local fingerprints="${release_dir}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
        elif [ "${FREEBSD_BRANCH}" = "current" ]; then
            local repo_name="FreeBSD-base-latest"
+            local fingerprints="${release_dir}/usr/share/keys/pkg"
        fi
-        local repo_dir="${bastille_sharedir}/pkgbase"

        # Update repo (pkgbase)
        if ! pkg --rootdir "${release_dir}" \
                 --repo-conf-dir "${repo_dir}" \
                  -o IGNORE_OSVERSION="yes" \
+                  -o VERSION_MAJOR="${MAJOR_VERSION}" \
+                  -o VERSION_MINOR="${MINOR_VERSION}" \
                  -o ABI="${abi}" \
                  -o ASSUME_ALWAYS_YES="yes" \
                  -o FINGERPRINTS="${fingerprints}" \
@@ -357,6 +361,8 @@ release_update_pkgbase() {
        if ! pkg --rootdir "${release_dir}" \
                 --repo-conf-dir "${repo_dir}" \
                  -o IGNORE_OSVERSION="yes" \
+                  -o VERSION_MAJOR="${MAJOR_VERSION}" \
+                  -o VERSION_MINOR="${MINOR_VERSION}" \
                  -o ABI="${abi}" \
                  -o ASSUME_ALWAYS_YES="yes" \
                  -o FINGERPRINTS="${fingerprints}" \
--- a/usr/local/share/bastille/upgrade.sh
+++ b/usr/local/share/bastille/upgrade.sh
@@ -317,27 +317,28 @@ jail_upgrade_pkgbase() {

        local jailpath="${bastille_jailsdir}/${TARGET}/root"
        local abi="FreeBSD:${NEW_MAJOR_VERSION}:${HW_MACHINE_ARCH}"
-        local fingerprints="${jailpath}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
+        local repo_dir="${bastille_sharedir}/pkgbase"
        if [ "${FREEBSD_BRANCH}" = "release" ]; then
            local repo_name="FreeBSD-base-release-${NEW_MINOR_VERSION}"
+            local fingerprints="${jailpath}/usr/share/keys/pkgbase-${MAJOR_VERSION}"
        elif [ "${FREEBSD_BRANCH}" = "current" ]; then
            local repo_name="FreeBSD-base-latest"
+            local fingerprints="${jailpath}/usr/share/keys/pkg"
        fi
-        local repo_dir="${bastille_sharedir}/pkgbase"

        info "\n[${TARGET}]:"

        # Verify trusted pkg keys
-        if [ ! -f "${fingerprints}/trusted/awskms-${NEW_MAJOR_VERSION}" ]; then
-            if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/awskms-${NEW_MAJOR_VERSION}
-            then
-                error_exit "[ERROR]: Failed to fetch trusted pkg keys."
+        if [ "${FREEBSD_BRANCH}" = "release" ]; then
+            if [ ! -f "${fingerprints}/trusted/awskms-${NEW_MAJOR_VERSION}" ]; then
+                if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/awskms-${NEW_MAJOR_VERSION}; then
+                    error_exit "[ERROR]: Failed to fetch trusted pkg keys."
+                fi
            fi
-        fi
-        if [ ! -f "${fingerprints}/trusted/backup-signing-${NEW_MAJOR_VERSION}" ]; then
-            if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/backup-signing-${NEW_MAJOR_VERSION}
-            then
-                error_exit "[ERROR]: Failed to fetch trusted backup pkg keys."
+            if [ ! -f "${fingerprints}/trusted/backup-signing-${NEW_MAJOR_VERSION}" ]; then
+                if ! fetch -o "${fingerprints}/trusted" https://cgit.freebsd.org/src/tree/share/keys/pkgbase-${NEW_MAJOR_VERSION}/trusted/backup-signing-${NEW_MAJOR_VERSION}; then
+                    error_exit "[ERROR]: Failed to fetch trusted backup pkg keys."
+                fi
            fi
        fi