key-init: If time resets, tell user to set it, but allow skipping

The 'warn' message was not very effective, because change-time.sh clears the screen right after. Prompt with whiptail instead, which also lets the user know what's happening before we drop them into a series of prompts. Let the user skip changing time if they really want to. While they usually should set the time, it's rather frustrating if Heads forces them to go through these prompts when they don't want to. Signed-off-by: Jonathon Hall <[email protected]> Signed-off-by: Thierry Laurion <[email protected]>
linuxboot · Sep 6, 2024 · 25fb26c · 25fb26c
1 parent 5bf8981
commit 25fb26c
Showing 1 changed file with 22 additions and 6 deletions.
diff --git a/initrd/bin/key-init b/initrd/bin/key-init
@@ -1,19 +1,35 @@
 #!/bin/bash
 set -e -o pipefail
 . /etc/functions
+. /etc/gui_functions
 
 TRACE_FUNC
 
 # Post processing of keys
 
-# Import user's keys
-gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || true
+# Good system clock is required for GPG to work properly.
+# if system year is less then 2024, prompt user to set correct time
+if [ "$(date +%Y)" -lt 2024 ]; then
+    if whiptail_warning --title "System Time Incorrect" \
+        --yesno "The system time is incorrect. Please set the correct time." \
+        0 80 --yes-button Continue --no-button Skip --clear; then
+        change-time.sh
+    fi
+fi
+
+# Import user's keys if they exist
+if [ -d /.gnupg/keys ]; then
+    # This is legacy location for user's keys. cbfs-init takes for granted that keyring and trustdb are in /.gnupg
+    #  oem-factory-reset generates keyring and trustdb which cbfs-init dumps to /.gnupg
+    # TODO: Remove individual key imports. This is still valid for distro keys only below.
+    gpg --import /.gnupg/keys/*.key  /.gnupg/keys/*.asc 2>/dev/null || warn "Importing user's keys failed"
+fi
 
 # Import trusted distro keys allowed for ISO signing
-gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || true
+gpg --homedir=/etc/distro/ --import /etc/distro/keys/* 2>/dev/null || warn "Importing distro keys failed"
 #Set distro keys trust level to ultimate (trust anything that was signed with these keys)
-gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || true
-gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || true
+gpg --homedir=/etc/distro/ --list-keys --fingerprint --with-colons|sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' |gpg --homedir=/etc/distro/ --import-ownertrust 2>/dev/null || warn "Setting distro keys ultimate trust failed"
+gpg --homedir=/etc/distro/ --update-trust 2>/dev/null || warn "Updating distro keys trust failed"
 
 # Add user's keys to the list of trusted keys for ISO signing
-gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || true
+gpg --export | gpg --homedir=/etc/distro/ --import 2>/dev/null || warn "Adding user's keys to distro keys failed"