diff --git a/salt/qubes-builder/README.md b/salt/qubes-builder/README.md
index bc9f1cc5..7a696cb7 100644
--- a/salt/qubes-builder/README.md
+++ b/salt/qubes-builder/README.md
@@ -69,9 +69,13 @@ Setting the Disposable VM to Dom0 works because it will use the
 `default_dispvm` preference of `qubes-builder`, which is `dvm-qubes-builder`.
 
 If you need to pull new commits, a set of trusted keys is present in
-`/home/user/.gnupg/qubes-builder` to be used to verify commits or tags:
+`/home/user/.gnupg/qubes-builder`. By default, the provided gitconfig verifies
+merges, so pulling new commits will do signature verification of `FETCH_HEAD`:
 ```sh
-GNUPGHOME="$HOME/.gnupg/qubes-builder" git verify-commit "HEAD^{commit}"
+GNUPGHOME="$HOME/.gnupg/qubes-builder" git pull
+Commit 7c37bb7 has a good GPG signature by Frédéric Pierret (fepitre)
+
+...
 ```
 
 There are no further modifications needed to comply with this package. Consult
diff --git a/salt/qubes-builder/configure-qubes-executor.sls b/salt/qubes-builder/configure-qubes-executor.sls
index f5568ed6..c1b4af8b 100644
--- a/salt/qubes-builder/configure-qubes-executor.sls
+++ b/salt/qubes-builder/configure-qubes-executor.sls
@@ -11,16 +11,6 @@ include:
 - dotfiles.copy-sh
 - dotfiles.copy-x11
 
-"{{ slsdotpath }}-executor-rpc":
- file.recurse:
- - name: /usr/local/etc/qubes-rpc/
- - source: salt://{{ slsdotpath }}/files/server/rpc/
- - user: root
- - group: root
- - dir_mode: '0755'
- - file_mode: '0755'
- - makedirs: True
-
 "{{ slsdotpath }}-executor-makedir-binded-builder":
 file.directory:
 - name: /rw/bind-dirs/builder
diff --git a/salt/qubes-builder/files/admin/policy/default.policy b/salt/qubes-builder/files/admin/policy/default.policy
index a5ff04f0..a8afc210 100644
--- a/salt/qubes-builder/files/admin/policy/default.policy
+++ b/salt/qubes-builder/files/admin/policy/default.policy
@@ -22,6 +22,7 @@ admin.vm.Kill * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow target=
 
 qubesbuilder.FileCopyIn * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 qubesbuilder.FileCopyOut * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
+qubes.Filecopy * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 qubes.WaitForSession * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 qubes.VMShell * {{ sls_path }} @tag:disp-created-by-{{ sls_path }} allow
 ## vim:ft=qrexecpolicy
diff --git a/salt/qubes-builder/files/server/rpc/qubesbuilder.FileCopyIn b/salt/qubes-builder/files/server/rpc/qubesbuilder.FileCopyIn
deleted file mode 100755
index 5cd14754..00000000
--- a/salt/qubes-builder/files/server/rpc/qubesbuilder.FileCopyIn
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/usr/bin/sh
-
-# SPDX-FileCopyrightText: 2022 - 2023 The Qubes OS Project
-#
-# SPDX-License-Identifier: GPL-2.0-only
-
-set -e
-
-sudo bash -c "mkdir -p /builder/incoming && chown -R user:user /builder"
-
-id=$(id -u user)
-
-if test -x /usr/lib/qubes/qfile-unpacker; then
- # shellcheck disable=SC2123
- PATH="${PATH+"$PATH:"}/usr/lib/qubes"
-fi
-
-exec qfile-unpacker "$id" "/builder/incoming"
diff --git a/salt/qubes-builder/files/server/rpc/qubesbuilder.FileCopyOut b/salt/qubes-builder/files/server/rpc/qubesbuilder.FileCopyOut
deleted file mode 100755
index 4fcf2ba3..00000000
--- a/salt/qubes-builder/files/server/rpc/qubesbuilder.FileCopyOut
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/usr/bin/bash
-
-# SPDX-FileCopyrightText: 2022 - 2023 The Qubes OS Project
-#
-# SPDX-License-Identifier: GPL-2.0-only
-
-path="${1//__/\//}"
-
-exec /usr/lib/qubes/qfile-agent "$path"
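Review bot: The `qubesbuilder.FileCopyIn` and `qubesbuilder.FileCopyOut` allow rules stay in `default.policy` next to the new `qubes.Filecopy` line, although this same commit deletes both service scripts and the `file.recurse` state that installed them under `/usr/local/etc/qubes-rpc/`. If no other package now provides those services in the executor template, the two rules are dead grants and are better dropped so the policy lists only the calls the builder actually makes; if they are still provided elsewhere, a one-line comment such as `## qubesbuilder.* services are shipped by <package>` would record why they remain. Executors provisioned before this change presumably still carry the old scripts, since removing a Salt state does not remove files it deployed earlier, so a `file.absent` cleanup for the two paths is worth considering. The policy file continues above this hunk, so the remaining rules were not reviewed.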