Package: live-build
Version: 4.0.4-1
Tags: patch

Attached is a patch to fix and improve the bootstrap_archive-keys
script, which installs additional archive keys when building a
progress-linux image.

I am not currently familiar at all with progress-linux, so this needs
review and testing by someone who is.

I think the first three items below suggest that this is important
enough to be pushed into jessie. The patch is built upon v4.

Summary of changes:

  * Fixed misspelling/old spelling of cairon (chairon), which would have
    blocked keys being installed.
  * Fixed broken URLs the keys are fetched from. This assumes the
    following link is an example of current and correct location and
    filenames, where the directory has changed from project/keys to
    project/pgp, filenames no longer contain version numbers, and
    'packages' keys no longer exist, but 'backports' keys now do.
    http://archive.progress-linux.org/packages/project/pgp/
  * Fixed possibly broken key installation ability (or at least location
    is now more explicit). Previously, the apt-key program was run
    (under chroot) simply with the name of the key file, no path. Using
    chroot does not change the working directory afaik, and I am not
    sure therefore whether it would have actually found the file it
    needed to add. Now the location is given (/[file]), which fixes
    this, assuming it was indeed broken.
  * Allow use of either gpgv or gpgv2 for verification
  * Allow use of either or both of debian-keyring.gpg (from the keyring
    package) and debian-archive-keyring.gpg (default key added by
    debootstrap)
  * Disallow gpgv to automatically look for a 'default' keyring
    (--no-default-keyring param)
  * Improved error checking, stopping execution if a problem occurs,
    enforcing stricter security checks.
  * Tidied up the code a bit.

commit 25a02e174f60535dbd4a6de8b56dfe5c6c8a550c
Author: jnqnfe <jnq...@gmail.com>
Date:   Tue Dec 23 05:55:43 2014 +0000

    Fix and improve bootstrap_archive-keys

diff --git a/scripts/build/bootstrap_archive-keys 
b/scripts/build/bootstrap_archive-keys
index 4b9324f..31641b4 100755
--- a/scripts/build/bootstrap_archive-keys
+++ b/scripts/build/bootstrap_archive-keys
@@ -33,45 +33,82 @@ case "${LB_MODE}" in
        progress-linux)
                case "${LB_DISTRIBUTION}" in
                        artax*)
-                               _KEYS="1.0-artax 1.0-artax-packages"
+                               _KEYS="archive-key-artax.asc 
archive-key-artax-backports.asc"
                                ;;
 
                        baureo*)
-                               _KEYS="2.0-baureo 2.0-baureo-packages"
+                               _KEYS="archive-key-baureo.asc 
archive-key-baureo-backports.asc"
                                ;;
 
-                       chairon*)
-                               _KEYS="3.0-chairon 3.0-chairon-packages"
+                       cairon*)
+                               _KEYS="archive-key-cairon.asc 
archive-key-cairon-backports.asc"
                                ;;
                esac
 
-               _URL="${LB_MIRROR_CHROOT}/project/keys"
+               _URL_BASE="${LB_MIRROR_CHROOT}/project/gpg"
                ;;
 esac
 
-for _KEY in ${_KEYS}
-do
-       Echo_message "Fetching archive-key ${_KEY}..."
-
-       wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
-       wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig
-
-       if [ -e /usr/bin/gpgv ] && [ -e /usr/share/keyrings/debian-keyring.gpg ]
+if [ ! -z "${_KEYS}" ]
+then
+       # Check GPGV program exists
+       if [ -x "$(which gpgv2 2>/dev/null)" ]
        then
-               Echo_message "Verifying archive-key ${_KEY} against 
debian-keyring..."
-
-               /usr/bin/gpgv --quiet --keyring 
/usr/share/keyrings/debian-keyring.gpg chroot/key.asc.sig chroot/key.asc > 
/dev/null 2>&1 || { Echo_error "archive-key ${_KEY} has invalid signature."; 
return 1;}
+               _GPG_TOOL="gpgv2"
+       elif [ -x "$(which gpgv 2>/dev/null)" ]
+       then
+               _GPG_TOOL="gpgv"
        else
-               Echo_warning "Skipping archive-key ${_KEY} verification, either 
gpgv or debian-keyring not available on host system..."
+               Echo_error "gpg verification program (gpgv/gpgv2) does not 
exist, and archive keys cannot be verified without it! Please install it and 
try again."
+               exit 1
        fi
 
-       Echo_message "Importing archive-key ${_KEY}..."
-
-       Chroot chroot "apt-key add key.asc"
-       rm -f chroot/key.asc chroot/key.asc.sig
-done
+       # Compile list of keyrings to use for verification
+       _KEYRINGS=""
+       _DEBIAN_KEYRING="/usr/share/keyrings/debian-keyring.gpg"
+       _DEBIAN_ARCHIVE_KEYRING="/usr/share/keyrings/debian-archive-keyring.gpg"
+       for _KEYRING in "${_DEBIAN_KEYRING}" "${_DEBIAN_ARCHIVE_KEYRING}"
+       do
+               if [ -e "${_KEYRING}" ]
+               then
+                       _KEYRINGS="${_KEYRINGS} --keyring ${_KEYRING}"
+               fi
+       done
+       if [ -z "${_KEYRINGS}" ]
+       then
+               Echo_error "no keyrings found for verification of additional 
archive keys that are to be installed!"
+               exit 1
+       fi
 
-Chroot chroot "apt-get update"
+       # Fetch and install keys
+       for _KEY in ${_KEYS}
+       do
+               Echo_message "Fetching archive-key ${_KEY}..."
+               for _FILE in "${_KEY}" "${_KEY}.sig"
+               do
+                       _URL="${_URL_BASE}/${_FILE}"
+                       if ! wget -q "${_URL}" -O "chroot/${_FILE}"
+                       then
+                               Echo_error "failed to download file ${_URL}!"
+                               exit 1
+                       fi
+               done
+
+               Echo_message "Verifying archive-key ${_KEY}..."
+               if ! ${_GPG_TOOL} --quiet --no-default-keyring ${_KEYRINGS} 
"chroot/${_KEY}" "chroot/${_KEY}.sig"
+               then
+                       Echo_error "archive-key ${_KEY} has invalid signature!"
+                       exit 1
+               fi
+
+               Echo_message "Importing archive-key ${_KEY}..."
+               Chroot chroot "apt-key add /${_KEY}"
+
+               rm -f "chroot/${_KEY}" "chroot/${_KEY}.sig"
+       done
+
+       Chroot chroot "apt-get update"
+fi
 
 # Creating stage file
 Create_stagefile .build/bootstrap_archive-keys
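Review bot: The verification call `if ! ${_GPG_TOOL} --quiet --no-default-keyring ${_KEYRINGS} "chroot/${_KEY}" "chroot/${_KEY}.sig"` passes the signed data before the detached signature, but gpgv takes the signature file first (`gpgv [options] sigfile [datafile]`), which is the order the removed `/usr/bin/gpgv ... chroot/key.asc.sig chroot/key.asc` line used; as written, verification should fail for every key (it fails closed, but the script becomes unusable), so the arguments should be `"chroot/${_KEY}.sig" "chroot/${_KEY}"`. The new `_URL_BASE` ends in `project/gpg`, while the accompanying report text and the example link both say the directory is now `project/pgp` — one of the two is wrong, and with the new wget check that would abort every build, so please confirm the path against the mirror before merging. The exit status of `Chroot chroot "apt-key add /${_KEY}"` is still unchecked, so a key that verified but failed to import is silently skipped before `apt-get update`; `Chroot chroot "apt-key add /${_KEY}" || { Echo_error "failed to import archive-key ${_KEY}!"; exit 1; }` keeps the fail-closed behaviour the rest of the block establishes. Minor: `command -v gpgv2 >/dev/null` is the portable replacement for `[ -x "$(which gpgv2 2>/dev/null)" ]`.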
