Move depot keys to repos/gems/sculpt/depot

This change keeps the version-controlled 'pubkey' and 'download' files
separate from files generated via depot/create or downloaded via
depot/download. So one can remove the entire depot/ directory without
interfering with git.

Furthermore, depot keys can now be hosted in supplemental repositories
independent from Genode's main repository.

Fixes #4364

repos/gems/run/depot_download.run

@@ -50,10 +50,10 @@ set config {
 	<default caps="100"/>}
 
 proc depot_user_download { user } {
-	return [exec cat [genode_dir]/depot/$user/download] }
+	return [exec cat [select_from_repositories sculpt/depot/$user/download]] }
 
 proc depot_user_pubkey { user } {
-	return [exec cat [genode_dir]/depot/$user/pubkey] }
+	return [exec cat [select_from_repositories sculpt/depot/$user/pubkey]] }
 
 append config {
 	<start name="timer">

repos/gems/run/sculpt.run

@@ -687,7 +687,7 @@ foreach user $depot_selection {
 	lappend depot_users_files [file join depot $user pubkey] \
 	                          [file join depot $user download] }
 
-exec sh -c "tar cf [run_dir]/genode/depot_users.tar -C [genode_dir] \
+exec sh -c "tar cf [run_dir]/genode/depot_users.tar -C [genode_dir]/repos/gems/sculpt \
                    [join $depot_users_files]"
 
 

repos/ports/run/vbox5_genode_usb_hid_raw.run

@@ -244,7 +244,7 @@ exec -ignorestderr \
      --cross-dev-prefix "[cross_dev_prefix]" \
      --include boot_dir/nova \
      --include image/iso \
-     --include [repository_contains /run/usb_hid_raw.run]/run/usb_hid_raw.run
+     --include [repository_contains run/usb_hid_raw.run]/run/usb_hid_raw.run
 
 exec ln -sf ${genode_dir}/repos/ports/run/vm_genode_usb_hid_raw.vbox bin/
 exec ln -sf ../../usb_hid_raw.iso bin/

repos/ports/run/verify.run

@@ -50,7 +50,7 @@ build { app/verify }
 
 exec tar cf [run_dir]/genode/test.tar -C [genode_dir]/repos/ports/src/app/verify/test .
 
-copy_file [genode_dir]/depot/nfeske/pubkey [run_dir]/genode/pubkey
+copy_file [select_from_repositories sculpt/depot/nfeske/pubkey] [run_dir]/genode/pubkey
 
 build_boot_image { verify libc.lib.so vfs.lib.so }
 

tool/depot/mk/downloader

@@ -40,7 +40,7 @@ ARCHIVES := $(MAKECMDGOALS)
 include $(GENODE_DIR)/tool/depot/mk/gpg.inc
 
 $(DEPOT_DIR)/% : $(PUBLIC_DIR)/%.tar.xz $(PUBLIC_DIR)/%.tar.xz.sig
-	$(VERBOSE)pubkey_file=$(DEPOT_DIR)/$(call archive_user,$*)/pubkey; \
+	$(VERBOSE)pubkey_file=$(call pubkey_path,$*); \
 	          $(GPG) --yes -o $$pubkey_file.dearmored --dearmor $$pubkey_file; \
 	          ( $(GPG) --no-tty --no-default-keyring \
 	                --keyring $$pubkey_file.dearmored \
@@ -75,15 +75,22 @@ endif
 
 ORIGINS := $(sort $(foreach A,$(ARCHIVES),$(call archive_user,$A)))
 
+# return 'download' file located side by side of a given 'pubkey' file
+url_file_for_pubkey_file = $(wildcard $(1:pubkey=download))
+
+# return path to 'download' file for a given archive
+url_file_path = $(call url_file_for_pubkey_file,$(call pubkey_path,$1))
+
 quotation_sanitized = $(subst ',,$(strip $1))
 
+
 $(foreach O,$(ORIGINS),\
    $(eval URL($O) := \
       $(call quotation_sanitized,\
-         $(call file_content,$(DEPOT_DIR)/$O/download))))
+         $(call file_content,$(call url_file_path,$O)))))
 
 MISSING_DOWNLOAD_LOCATIONS := $(sort $(foreach O,$(ORIGINS),\
-                                        $(if ${URL($O)},,$(DEPOT_DIR)/$O/download)))
+                                        $(if ${URL($O)},,$O)))
 
 ifneq ($(MISSING_DOWNLOAD_LOCATIONS),)
 $(DOWNLOADED_FILES): missing_download_locations

tool/depot/mk/front_end.inc

@@ -13,6 +13,9 @@ REPOSITORIES ?= $(shell find $(GENODE_DIR)/repos -follow -mindepth 1 -maxdepth 1
 # list of all repositories that contain depot recipes
 REP_RECIPES_DIRS := $(wildcard $(addsuffix /recipes,$(REPOSITORIES)))
 
+# list of possible locations of pubkey/download files
+REP_SCULPT_DEPOT_DIRS := $(wildcard $(addsuffix /sculpt/depot,$(REPOSITORIES)))
+
 DEPOT_DIR ?= $(GENODE_DIR)/depot
 
 usage:

tool/depot/mk/gpg.inc

@@ -8,7 +8,10 @@
 GPG ?= gpg
 
 pubkey_filename = $(call archive_user,$1)/pubkey
-pubkey_path     = $(wildcard $(DEPOT_DIR)/$(call pubkey_filename,$1))
+
+pubkey_path = $(firstword \
+                 $(wildcard $(addsuffix /$(call pubkey_filename,$1), \
+                               $(REP_SCULPT_DEPOT_DIRS))))
 
 # obtain key ID of 'depot/<user>/pubkey' to be used to select signing key
 pubkey_id = $(shell pubkey_file=$(call pubkey_path,$1); \
@@ -20,9 +23,9 @@ pubkey_id = $(shell pubkey_file=$(call pubkey_path,$1); \
 MISSING_PUBKEY_FILES := $(sort \
                            $(foreach A,$(ARCHIVES),\
                               $(if $(call pubkey_path,$A),,\
-                                 $(DEPOT_DIR)/$(call pubkey_filename,$A))))
+                                 $(call archive_user,$A))))
 
 missing_pubkey_files:
-	@echo "Error: missing public-key files:";\
+	@echo "Error: missing public-key files for:";\
 	 for i in $(MISSING_PUBKEY_FILES); do echo "       $$i"; done; false
 

tool/depot/publish

@@ -90,7 +90,7 @@ include $(GENODE_DIR)/tool/depot/mk/gpg.inc
 MISSING_PUBKEY_FILES := $(sort \
                            $(foreach A,$(ARCHIVES),\
                               $(if $(call pubkey_path,$A),,\
-                                 $(DEPOT_DIR)/$(call pubkey_filename,$A))))
+                                 $(call pubkey_filename,$A))))
 
 $(PUBLIC_DIR)/%.xz.sig : $(PUBLIC_DIR)/%.xz
 	$(VERBOSE)$(GPG) --detach-sign --digest-algo SHA256 --no-tty --use-agent \

tool/run/run

@@ -572,14 +572,32 @@ proc installed_command {command} {
 ##
 # Return first repository containing the given path
 #
-proc repository_contains {path} {
+proc repository_contains { rep_rel_path } {
+
 	global repositories;
-	foreach i $repositories {
-		if {[file exists $i/$path]} { return $i }
+
+	foreach rep $repositories {
+		if {[file exists [file join $rep $rep_rel_path]]} {
+			return $rep }
 	}
 }
 
 
+##
+# Return path to first file found in the available repositories
+#
+proc select_from_repositories { rep_rel_path } {
+
+	set rep_dir [repository_contains $rep_rel_path]
+
+	if {[llength $rep_dir]} {
+		return [file join $rep_dir $rep_rel_path] }
+
+	puts stderr "Error: $rep_rel_path not present in any repository"
+	exit -8
+}
+
+
 ##
 ## Utilities for performing steps that are the same on several platforms
 ##