Situation
Compiling GnuPG from the upstream vanilla sources can lead to several surprises depending on the environment. Setting up a controlled, defined and reproducible environment is mandatory to get reproducible results. One requirement for a reproducible environment is a script that builds it, and the seed method chosen is debootstrap. Even with Debian trixie on the horizon we stick with Debian bookworm: this release does not provide all the libraries, in the modern versions needed, to compile the GnuPG devel version 2.5 tree, which makes it a suitable laboratory. The preparation requires root privileges, and we claim the namespace /srv/shimps to build the environment.
Debootstrap
Some redundant variables are introduced to keep the command line short and more readable. We also make a local copy of the vanilla debootstrap result for later use: initializing a chroot from a local copy is much faster than a network download.
mkdir -p /srv/shimps/debootstrap/debian/bookworm
mkdir -p /srv/shimps/laboratory/gnupg/bookworm
mount --bind /srv/shimps/laboratory/gnupg/bookworm /mnt
CODENAME="bookworm"
CN=${CODENAME}
ARCH="amd64"
AR=${ARCH}
MIRROR="http://ftp.debian.org/debian"
MI=${MIRROR}
LOG="/mnt/debootstrap.log"
L=${LOG}
{ date; time debootstrap --arch ${AR} ${CN} /mnt ${MI}; date; } 2>&1 | tee -a ${L}
rsync -a /mnt/ /srv/shimps/debootstrap/debian/bookworm/
Preparing apt
I consider it a bad habit to let apt and its front ends install recommended packages automatically. This hides things which might help to learn something. Therefore we switch to an explicit control setup.
mkdir -p /mnt/etc/apt/apt.conf.available
touch /mnt/etc/apt/apt.conf.available/shimps--no-recommended
cd /mnt/etc/apt/apt.conf.d
ln -s ../apt.conf.available/shimps--no-recommended shimps--no-recommended
The content of this file (use an editor to copy and paste it):
$ cat /mnt/etc/apt/apt.conf.available/shimps--no-recommended
APT::Cache-Limit "67108864";
APT::Install-Recommends "0";
APT::Install-Suggests "0";
Aptitude::Recommends-Important "false";
Preparing chroot
Tools running inside the chroot need to see the host's device, process and sysfs trees, so we bind-mount them into the environment.
mount --bind /dev /mnt/dev
mount --bind /dev/pts /mnt/dev/pts
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
The next part is due to SysV init. You might want to read zless /usr/share/doc/init-system-helpers/README.policy-rc.d.gz. Create an executable file with touch /mnt/usr/sbin/policy-rc.d, chmod +x /mnt/usr/sbin/policy-rc.d and the content shown in the next box. Some background is provided in the article ~jpetazzo/Use policy-rc.d to prevent services from starting automatically.
$ cat /mnt/usr/sbin/policy-rc.d
# shellcheck disable=SC2148
PATH="${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# runlevel(8) reports "unknown" inside a chroot that was never booted
RL=$( runlevel )
if [ "${RL}" = "unknown" ] ; then
    # 101: invoke-rc.d must not start the service
    exit 101
else
    # 0: normal system, let the service start
    exit 0
fi
If you are unsure, you may omit this step, since we are not going to install any daemons which would need to be prevented from starting automatically. But I consider it a good habit to prepare the chroot in a universal and complete manner.
It might be a good idea to prepare /mnt/root/.bashrc for bash-completion, and maybe /mnt/root/.bash_logout and /mnt/root/.ssh/authorized_keys if you want to have a test environment in a virtual machine later, but this is not required. The latter requires sshd to be configured for root login, which in itself might raise security issues.
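To see whether the apt snippet, the policy-rc.d file and the bind mounts described above are really in place before entering the chroot, here is a check script. It is added here as an example and is neither part of the original post nor of the diy-gnupg repository. It assumes the paths used above (pass /mnt or another chroot root as the argument); without an argument the hypothetical make_demo_tree helper rebuilds the two files in a constructed temporary tree, and a fake runlevel binary on PATH makes the policy answer observable from the host without root.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the apt and
# policy-rc.d preparation steps and the bind mounts, run against a chroot root.
# Usage: sh check-prep.sh /mnt
# Without an argument it builds a throw-away tree carrying the same two files
# as the post, so the checks can be exercised without root or a real chroot.
set -u

# Hypothetical helper: constructs a minimal tree mirroring the post's layout
# (apt.conf.available + symlink in apt.conf.d, executable policy-rc.d).
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/apt.conf.available" "$t/etc/apt/apt.conf.d" "$t/usr/sbin"
    cat > "$t/etc/apt/apt.conf.available/shimps--no-recommended" <<'EOF'
APT::Cache-Limit "67108864";
APT::Install-Recommends "0";
APT::Install-Suggests "0";
Aptitude::Recommends-Important "false";
EOF
    ln -s ../apt.conf.available/shimps--no-recommended \
        "$t/etc/apt/apt.conf.d/shimps--no-recommended"
    cat > "$t/usr/sbin/policy-rc.d" <<'EOF'
PATH="${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
RL=$( runlevel )
if [ "${RL}" = "unknown" ] ; then
    exit 101
else
    exit 0
fi
EOF
    chmod +x "$t/usr/sbin/policy-rc.d"
    printf '%s\n' "$t"
}

# check_apt_recommends ROOT: 0 when the activated snippet really turns off
# Recommends and Suggests, 1 (with a reason on stdout) otherwise.
check_apt_recommends() {
    conf="$1/etc/apt/apt.conf.d/shimps--no-recommended"
    [ -L "$conf" ] || { echo "apt: symlink $conf missing"; return 1; }
    [ -r "$conf" ] || { echo "apt: dangling symlink $conf"; return 1; }
    grep -qF 'APT::Install-Recommends "0";' "$conf" \
        || { echo "apt: Install-Recommends not disabled"; return 1; }
    grep -qF 'APT::Install-Suggests "0";' "$conf" \
        || { echo "apt: Install-Suggests not disabled"; return 1; }
    return 0
}

# check_policy_rc ROOT RUNLEVEL: runs the chroot's policy-rc.d with a fake
# runlevel(8) that prints RUNLEVEL and returns the policy's own exit status
# (101 = invoke-rc.d must not start the service, 0 = allowed; 2 = not executable).
check_policy_rc() {
    policy="$1/usr/sbin/policy-rc.d"
    [ -x "$policy" ] || { echo "policy-rc.d: $policy not executable"; return 2; }
    fakebin=$(mktemp -d)
    printf '#!/bin/sh\necho "%s"\n' "$2" > "$fakebin/runlevel"
    chmod +x "$fakebin/runlevel"
    # The policy script appends to PATH, so a directory prepended here wins.
    PATH="$fakebin:$PATH" sh "$policy" >/dev/null 2>&1
    rc=$?
    rm -rf "$fakebin"
    return "$rc"
}

# check_mounts ROOT: 0 when dev, dev/pts, proc and sys are all mounted below
# ROOT according to /proc/self/mounts; reports every missing one otherwise.
check_mounts() {
    missing=0
    for d in dev dev/pts proc sys; do
        if ! awk -v m="$1/$d" '$2 == m { found = 1 } END { exit !found }' \
                /proc/self/mounts 2>/dev/null; then
            echo "mount: $1/$d not mounted"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

root=${1:-}
if [ -z "$root" ]; then
    root=$(make_demo_tree)
    echo "no chroot given, checking constructed tree $root"
fi
check_apt_recommends "$root" && echo "apt: recommends/suggests disabled"
rc=0; check_policy_rc "$root" unknown || rc=$?
echo "policy-rc.d with runlevel 'unknown' (chroot): exit $rc"
rc=0; check_policy_rc "$root" "N 2" || rc=$?
echo "policy-rc.d with runlevel 'N 2' (booted host): exit $rc"
check_mounts "$root" && echo "mount: dev, dev/pts, proc, sys present"
[ -n "${1:-}" ] || rm -rf "$root"
```

Run against the real laboratory with sh check-prep.sh /mnt as root after the mount commands above; the mount check is expected to fail on the constructed tree, since nothing is mounted there, while the apt and policy-rc.d checks pass.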
The preparation files regarding apt and policy-rc.d are available in the Codeberg diy-gnupg repository.
Next time: we jump into the chroot and continue the preparation from inside.
To be continued...