|
|
cc3383 |
From be021c2328550a9d5b987cb206eda5df90b45acd Mon Sep 17 00:00:00 2001
|
|
|
cc3383 |
From: Evgeny Vereshchagin <evvers@ya.ru>
|
|
|
cc3383 |
Date: Sun, 26 Dec 2021 01:11:00 +0000
|
|
|
cc3383 |
Subject: [PATCH] ci: replace apt-key with signed-by
|
|
|
cc3383 |
|
|
|
cc3383 |
to limit the scope of the key to apt.llvm.org only.
|
|
|
cc3383 |
|
|
|
cc3383 |
This is mostly inspired by https://blog.cloudflare.com/dont-use-apt-key/
|
|
|
cc3383 |
|
|
|
cc3383 |
(cherry picked from commit bfa6bd1be098adc4710e1819b9cd34d65b3855da)
|
|
|
cc3383 |
|
|
|
cc3383 |
Related: #2013213
|
|
|
cc3383 |
---
|
|
|
cc3383 |
.github/workflows/build_test.sh | 7 ++++---
|
|
|
cc3383 |
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
cc3383 |
|
|
|
cc3383 |
diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh
|
|
|
cc3383 |
index 5b18784461..549e59b2c9 100755
|
|
|
cc3383 |
--- a/.github/workflows/build_test.sh
|
|
|
cc3383 |
+++ b/.github/workflows/build_test.sh
|
|
|
cc3383 |
@@ -80,9 +80,10 @@ if [[ "$COMPILER" == clang ]]; then
|
|
|
cc3383 |
# llvm package if available in such cases to avoid that.
|
|
|
cc3383 |
if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then
|
|
|
cc3383 |
# Latest LLVM stack deb packages provided by https://apt.llvm.org/
|
|
|
cc3383 |
- # Following snippet was borrowed from https://apt.llvm.org/llvm.sh
|
|
|
cc3383 |
- wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
|
|
|
cc3383 |
- add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main"
|
|
|
cc3383 |
+ # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh
|
|
|
cc3383 |
+ wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg
|
|
|
cc3383 |
+ printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/ llvm-toolchain-%s-%s main\n" \
|
|
|
cc3383 |
+ "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list
|
|
|
cc3383 |
PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION")
|
|
|
cc3383 |
fi
|
|
|
cc3383 |
elif [[ "$COMPILER" == gcc ]]; then
|