author | Christian Rebischke <Chris.Rebischke@posteo.de> | 2018-08-17 23:46:46 +0200 |
---|---|---|
committer | Christian Rebischke <Chris.Rebischke@posteo.de> | 2018-08-18 01:20:26 +0200 |
commit | a2b204959f280eb43d3a19335a78b1233d009aee (patch) | |
tree | fdf72cdd3c618393d40efe9d968e3bdc0d87921a | |
parent | c42fd65bbb08588adfe5b0237676c1a30c372c97 (diff) |
We need to re-initialize the pacman keyring for every machine,
otherwise every machine would have the same pacman master key. The same
pacman master key opens the possibility for MITM attacks.
Signed-off-by: Christian Rebischke <Chris.Rebischke@posteo.de>
-rw-r--r-- | http/install-chroot.sh | 21 | ||||
-rw-r--r-- | http/install.sh | 2 | ||||
-rw-r--r-- | provision/cleanup.sh | 2 |
3 files changed, 24 insertions, 1 deletions
diff --git a/http/install-chroot.sh b/http/install-chroot.sh
index 7e71282..8676ce7 100644
--- a/http/install-chroot.sh
+++ b/http/install-chroot.sh
@@ -47,10 +47,31 @@ Name=eth0
 DHCP=ipv4
 EOF
 
+# Setup pacman-init.service for clean pacman keyring initialization
+cat <<EOF > /etc/systemd/system/pacman-init.service
+[Unit]
+Description=Initializes Pacman keyring
+Wants=haveged.service
+After=haveged.service
+ConditionFirstBoot=yes
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/pacman-key --init
+ExecStart=/usr/bin/pacman-key --populate archlinux
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
 # enabling important services
+systemctl daemon-reload
 systemctl enable sshd
+systemctl enable haveged
 systemctl enable systemd-networkd
 systemctl enable systemd-resolved
+systemctl enable pacman-init.service
 
 grub-install "$device"
 sed -i -e 's/^GRUB_TIMEOUT=.*$/GRUB_TIMEOUT=1/' /etc/default/grub
diff --git a/http/install.sh b/http/install.sh
index 42f7a7b..3ee1fa5 100644
--- a/http/install.sh
+++ b/http/install.sh
@@ -25,7 +25,7 @@ mkswap "${device}1"
 mkfs.btrfs -L "rootfs" "${device}2"
 mount "${device}2" /mnt
 
-pacstrap /mnt base grub openssh sudo polkit btrfs-progs
+pacstrap /mnt base grub openssh sudo polkit btrfs-progs haveged
 swapon "${device}1"
 genfstab -p /mnt >> /mnt/etc/fstab
 swapoff "${device}1"
diff --git a/provision/cleanup.sh b/provision/cleanup.sh
index 0e0e96f..b112d53 100644
--- a/provision/cleanup.sh
+++ b/provision/cleanup.sh
@@ -7,3 +7,5 @@ set -x
 yes | sudo pacman -Scc
 # Remove machine-id: see https://github.com/archlinux/arch-boxes/issues/25
 rm /etc/machine-id
+# Remove pacman key ring for re-initialization
+rm -rf /etc/pacman.d/gnupg/
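Review bot: The unit heredoc in install-chroot.sh uses an unquoted delimiter (`cat <<EOF > /etc/systemd/system/pacman-init.service`); nothing in the body expands today, but any later `$` added to the unit would be interpolated at image-build time rather than written verbatim, so `cat <<'EOF' > /etc/systemd/system/pacman-init.service` states the intent and removes that trap. The unit's `ConditionFirstBoot=yes` only fires because provision/cleanup.sh deletes /etc/machine-id in the same commit, and that coupling is invisible from this file; a comment next to the unit such as `# Runs once on first boot: ConditionFirstBoot relies on cleanup.sh removing /etc/machine-id, otherwise the image keeps an empty keyring` would make it explicit. The added `systemctl daemon-reload` is presumably a no-op inside the chroot and is not required for `systemctl enable` to pick up a unit file dropped into /etc/systemd/system, so it can likely be dropped; if it is kept, a short comment saying why would help. The script continues past the end of the hunk.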
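Review bot: In cleanup.sh the new `rm -rf /etc/pacman.d/gnupg/` only removes the shared master key if the script runs as root, and the hunk does not establish that: `yes | sudo pacman -Scc` above is prefixed with `sudo` while both `rm` lines are not, so either the provisioner already runs the script privileged (and the `sudo` is redundant) or the `rm` fails with a permission error and the published image still carries the shared keyring. That is worth confirming, and the two lines should be made consistent either way (`sudo rm -rf -- /etc/pacman.d/gnupg/` if the script is unprivileged). The removal is also only effective together with pacman-init.service's `ConditionFirstBoot=yes`, which in turn depends on the `rm /etc/machine-id` two lines above, so the new comment should name that dependency: `# Remove pacman keyring; pacman-init.service (ConditionFirstBoot) regenerates it on first boot, which needs /etc/machine-id removed above`.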