Package: ubuntu-dev-tools
Version: 0.153
Tags: patch

Dear Maintainer,

currently there is no way to pass something through from mk-sbuild to
these arguments of debootstrap:

  --keyring=KEYRING
      Override  the  default  keyring for the distribution being
      bootstrapped, and  use  KEYRING  to  check  signatures  of
      retrieved Release files.

  --no-check-gpg
      Disables  checking  gpg  signatures  of  retrieved Release
      files.

The attached patch adds --debootstrap-keyring and
--debootstrap-no-check-gpg, just as --debootstrap-exclude does, for example,
for debootstrap's --exclude.

Additions to usage output and manpage included.

Best regards
Niklas Fiekas
diff --git a/doc/mk-sbuild.1 b/doc/mk-sbuild.1
index 0423a77..32ec936 100644
--- a/doc/mk-sbuild.1
+++ b/doc/mk-sbuild.1
@@ -55,6 +55,15 @@ Pass along a comma separated list of packages to debootstrap's
 \fBWARNING:\fR be careful using this option as you can end up
 excluding essential package. See \fBdebootstrap \fR(8) for more details.
 .TP
+.B \-\-debootstrap\-keyring\fR=\fIkeyring
+Pass along the path to a gpg keyring file to debootsrap's
+\fB\-\-keyring\fR argument. See \fBdebootstrap\fR (8) for more details.
+.TP
+.B \-\-debootstrap\-no\-check\-gpg
+Disable checking gpg signatures of downloaded Release files by using
+debootstrap's \fB\-\-no\-check\-gpg\fR option. See \fBdebootstrap\fR (8)
+for more details.
+.TP
 .B \-\-distro\fR=\fIDISTRO
 Enable distro-specific logic.
 When not provided, the distribution is determined from \fIrelease\fR.
@@ -103,6 +112,14 @@ Comma separated list of packages to include when bootstrapping (same as
 Comma separated list of packages to exclude when bootstrapping (same as
 \fB\-\-debootstrap-exclude\fR; see warning above)
 .TP
+.B DEBOOTSTRAP_KEYRING
+Keyring file to use for checking gpg signatures of retrieved release files
+(same as \fB\-\-debootstrap\-keyring\fR)
+.TP
+.B DEBOOTSTRAP_NO_CHECK_GPG
+Disable gpg verification of retrieved release files (same as
+\fB\-\-debootstrap\-no\-check\-gpg\fR)
+.TP
 .B SOURCE_CHROOTS_DIR
 Use \fBSOURCE_CHROOTS_DIR\fR as home of schroot source directories.
 (default \fB/var/lib/schroot/chroots\fR)
diff --git a/mk-sbuild b/mk-sbuild
index 6ea76c8..299cdee 100755
--- a/mk-sbuild
+++ b/mk-sbuild
@@ -57,6 +57,9 @@ function usage()
     echo "  --debootstrap-include=list Comma separated list of packages to include"
     echo "  --debootstrap-exclude=list Comma separated list of packages to exclude"
     echo "  --debootstrap-proxy=URL    Use PROXY as apt proxy"
+    echo "  --debootstrap-keyring=KEYRING"
+    echo "                             Use KEYRING to check signatures of retrieved Release files"
+    echo "  --debootstrap-no-check-gpg Disables checking gpg signatures of retrieved Release files"
     echo "  --eatmydata                Install and use eatmydata"
     echo "  --distro=DISTRO            Install specific distro:"
     echo "                                 'ubuntu' or 'debian' "
@@ -80,6 +83,8 @@ function usage()
     echo "  DEBOOTSTRAP_INCLUDE        Included packages (same as --debootstrap-include)"
     echo "  DEBOOTSTRAP_EXCLUDE        Excluded packages (same as --debootstrap-exclude)"
     echo "  DEBOOTSTRAP_PROXY          Apt proxy (same as --debootstrap-proxy)"
+    echo "  DEBOOTSTRAP_KEYRING        GPG keyring (same as --debootstrap-keyring)"
+    echo "  DEBOOTSTRAP_NO_CHECK_GPG   Disable GPG verification (same as --debootstrap-no-check-gpg)"
     echo "  EATMYDATA                  Enable --eatmydata"
     echo "  TEMPLATE_SOURCES           A template for sources.list"
     echo "  TEMPLATE_SCHROOTCONF       A template for schroot.conf stanza"
@@ -93,13 +98,14 @@ function usage()
 if [ -z "$1" ]; then
     usage
 fi
-OPTS=`getopt -o 'h' --long "help,debug,skip-updates,skip-proposed,eatmydata,arch:,name:,source-template:,debootstrap-mirror:,debootstrap-include:,debootstrap-exclude:,debootstrap-proxy:,personality:,distro:,vg:,type:,target:" -- "$@"`
+OPTS=`getopt -o 'h' --long "help,debug,skip-updates,skip-proposed,eatmydata,arch:,name:,source-template:,debootstrap-mirror:,debootstrap-include:,debootstrap-exclude:,debootstrap-proxy:,debootstrap-no-check-gpg,debootstrap-keyring:,personality:,distro:,vg:,type:,target:" -- "$@"`
 eval set -- "$OPTS"
 
 VG=""
 DISTRO=""
 name=""
 proxy="_unset_"
+DEBOOTSTRAP_NO_CHECK_GPG=0
 EATMYDATA=0
 
 while :; do
@@ -156,6 +162,15 @@ while :; do
             proxy="$2"
             shift 2
             ;;
+        --debootstrap-keyring)
+            # Store the absolute path because we cd to the root directory later.
+            DEBOOTSTRAP_KEYRING=$(readlink -f "$2")
+            shift 2
+            ;;
+        --debootstrap-no-check-gpg)
+            DEBOOTSTRAP_NO_CHECK_GPG=1
+            shift
+            ;;
         --eatmydata)
             EATMYDATA=1
             shift
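Review bot: The `--debootstrap-keyring` arm stores whatever `readlink -f "$2"` prints without checking that the call succeeded or that the file is readable. If readlink cannot resolve the path it prints nothing, `DEBOOTSTRAP_KEYRING` ends up empty, and the later `-n` test drops `--keyring` silently, so the bootstrap would be verified against debootstrap's default keyring instead of the one the caller asked for. Failing early is safer for a trust-anchor option, for example `DEBOOTSTRAP_KEYRING=$(readlink -f "$2") || exit 1` followed by `[ -r "$DEBOOTSTRAP_KEYRING" ] || { echo "Keyring not readable: $2" >&2; exit 1; }`. A value that arrives through the `DEBOOTSTRAP_KEYRING` variable rather than this option is not made absolute, so a relative path there would presumably break after the cd mentioned in the comment. The enclosing `case` statement starts and ends outside this hunk.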
@@ -531,6 +546,12 @@ if [ -n "$DEBOOTSTRAP_EXCLUDE" ] ; then
     debootstrap_opts="$debootstrap_opts --exclude=$DEBOOTSTRAP_EXCLUDE"
 fi
 
+if [ $DEBOOTSTRAP_NO_CHECK_GPG -eq 1 ]; then
+    debootstrap_opts="$debootstrap_opts --no-check-gpg"
+elif [ -n "$DEBOOTSTRAP_KEYRING" ]; then
+    debootstrap_opts="$debootstrap_opts --keyring=$DEBOOTSTRAP_KEYRING"
+fi
+
 # if http_proxy is set in the environment (even empty) set 'proxy' to it
 [ "$proxy" = "_unset_" -a "${DEBOOTSTRAP_PROXY-xx}" != "xx" ] &&
     proxy=${DEBOOTSTRAP_PROXY}
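Review bot: When both settings are present, the `if`/`elif` added here lets `--no-check-gpg` win and discards the keyring silently, so a caller who supplied a keyring can still end up with an unverified bootstrap, for instance when `DEBOOTSTRAP_NO_CHECK_GPG=1` is set as a variable, as the usage text allows. Rejecting the combination, and printing a warning on stderr whenever verification is turned off, makes that state visible in build logs. `$DEBOOTSTRAP_NO_CHECK_GPG` is also unquoted in the `-eq` test, so an empty or non-numeric value makes `[` report an error and the chain falls through to the `elif`; quoting it with a default avoids that. The keyring path is appended to a flat option string, which will presumably split on whitespace when `debootstrap_opts` is expanded outside this hunk.

```shell
if [ "${DEBOOTSTRAP_NO_CHECK_GPG:-0}" = 1 ]; then
    if [ -n "$DEBOOTSTRAP_KEYRING" ]; then
        echo "--debootstrap-keyring and --debootstrap-no-check-gpg cannot be combined" >&2
        exit 1
    fi
    echo "Warning: Release file signatures will not be verified" >&2
    debootstrap_opts="$debootstrap_opts --no-check-gpg"
# … unchanged: elif branch adding --keyring=$DEBOOTSTRAP_KEYRING …
fi
```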

Attachment: signature.asc
Description: OpenPGP digital signature
