On Wed, Oct 14, 2015 at 06:53:56PM +0200, Helmut Grohne wrote:
> I would like to be able to use sbuild without having to create a gpg key
> for it. I understand that creating a key is required for operating as a
> buildd, but sbuild can be used in other scenarios as well. This bug is
> supposed to summarize a discussion I had with Johannes Schauer and
> Wookey.

Johannes Schauer asked me to clarify why this change is useful. Currently, every setup of sbuild requires running sbuild-update --keygen. This step is not done from a maintainer script and thus prone to be forgotten. It also takes up to an hour to execute on virtual machines that lack proper random sources.

I am attaching a basic and untested patch that implements the following change: If sbuild fails to find the keys (for instance because sbuild-update --keygen has not been run), it no longer errors out, but adds "[ trusted=yes ]" to the generated sources.list. Thus existing installations (with existing keys) will keep operating like they did and new installations may skip the key generation step.

The patch is meant to sketch the desired behaviour.

Helmut

--- sbuild-0.66.0.orig/lib/Sbuild/ResolverBase.pm +++ sbuild-0.66.0/lib/Sbuild/ResolverBase.pm @@ -992,8 +992,12 @@ EOF return 0; } + my $trust_apt_archive = ''; + # Sign the release file - if (!$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) { + if ((-f $self->get_conf('SBUILD_BUILD_DEPENDS_SECRET_KEY')) && + (-f $self->get_conf('SBUILD_BUILD_DEPENDS_PUBLIC_KEY')) && + !$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) { if (!$self->generate_keys()) { $self->log("Failed to generate archive keys.\n"); $self->cleanup_apt_archive(); @@ -1022,6 +1026,9 @@ EOF $self->cleanup_apt_archive(); return 0; } + } elsif (!$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) { + # Keys are missing and we don't allow unauthenticated. + $trust_apt_archive = ' [ trusted=yes ]'; } # Now, we'll add in any provided OpenPGP keys into the archive, so that @@ -1079,8 +1086,10 @@ EOF # Write a list file for the dummy archive if one not create yet. if (! -f $dummy_archive_list_file) { my ($tmpfh, $tmpfilename) = tempfile(DIR => $session->get('Location') . "/tmp"); - print $tmpfh 'deb file://' . $session->strip_chroot_path($dummy_archive_dir) . " ./\n"; - print $tmpfh 'deb-src file://' . $session->strip_chroot_path($dummy_archive_dir) . " ./\n"; + print $tmpfh 'deb' . $trust_apt_archive . ' file://' . + $session->strip_chroot_path($dummy_archive_dir) . " ./\n"; + print $tmpfh 'deb-src' . $trust_apt_archive . ' file://' . + $session->strip_chroot_path($dummy_archive_dir) . " ./\n"; for my $repospec (@{$self->get_conf('EXTRA_REPOSITORIES')}) { print $tmpfh "$repospec\n"; @@ -1112,7 +1121,7 @@ EOF unlink $tmpfilename; } - if (!$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) { + if ($trust_apt_archive eq '' && !$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) { # Add the generated key $session->run_command( { COMMAND => ['apt-key', 'add', $session->strip_chroot_path($dummy_archive_pubkey)],
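
Review bot: in the first hunk (@@ -992,8 +992,12 @@) the two -f tests are ANDed, so an installation where only one of SBUILD_BUILD_DEPENDS_SECRET_KEY and SBUILD_BUILD_DEPENDS_PUBLIC_KEY exists takes the same path as one with no keys at all. That state looks like a broken or half-removed key setup rather than a fresh install, and it would be safer to keep failing there and fall back only when both files are absent. The generate_keys() call inside this branch is also now reached only when both files already exist, which deserves a comment.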
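
Review bot: in the second hunk (@@ -1022,6 +1026,9 @@) the elsif branch switches the dummy archive to ' [ trusted=yes ]' without writing anything to the build log, so an existing installation whose key files go missing, or whose configured key path is wrong, drops from a signed to an unverified archive unnoticed. Add a $self->log() line stating that no keys were found and that the archive is being marked trusted. The comment "Keys are missing and we don't allow unauthenticated." reads as if the branch were about to fail; it should say what the branch does instead.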
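
Review bot: in the third hunk (@@ -1079,8 +1086,10 @@) the new option is written only when the enclosing test (! -f $dummy_archive_list_file) is true, so a list file left over from an earlier run keeps whatever trust setting it was created with. If the key state can change between two runs, that file and the skipped apt-key step in the last hunk will disagree. Either rewrite the file when $trust_apt_archive differs from what it contains, or state in a comment why the file can never be stale at this point.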
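
Review bot: in the last hunk (@@ -1112,7 +1121,7 @@) the test $trust_apt_archive eq '' uses the sources.list option string as the flag for whether the archive was signed. A separate boolean set in the signing branch, with the option string derived from it, would make this condition and the two print statements easier to read and would survive a later change to the option text.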
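
The fallback described in the message above leaves "[ trusted=yes ]" entries in the chroot's generated sources.list. As an added example (not part of the original mail or of sbuild), the following Python sketch audits a one-line-style sources.list for such entries and separates local file: archives from remote ones; the function names, the sample paths and the host names are constructed for illustration.

```python
import re

# One-line-style entry: type, optional "[ options ]", URI, suite/components.
ENTRY = re.compile(r'^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(.*)$')

# Constructed sample: the first two entries have the shape the patch would
# write for the dummy archive; paths and hosts are placeholders.
SAMPLE = """\
# constructed sample
deb [ trusted=yes ] file:///build/dummy-archive ./
deb-src [ trusted=yes ] file:///build/dummy-archive ./
deb http://deb.example.invalid/debian unstable main
deb [ arch=amd64 trusted=yes ] http://repo.example.invalid/debian unstable main
"""


def parse_entry(line):
    """Return (type, options, uri, rest), or None for blank/comment lines."""
    line = line.split('#', 1)[0].strip()
    if not line:
        return None
    m = ENTRY.match(line)
    if not m:
        raise ValueError(f"unparseable entry: {line!r}")
    kind, opts, uri, rest = m.groups()
    options = {}
    for item in (opts or '').split():
        key, _, value = item.partition('=')
        options[key.lower()] = value
    return kind, options, uri, rest


def unauthenticated_sources(text):
    """List (lineno, uri, is_local) for every entry carrying trusted=yes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None:
            continue
        _, options, uri, _ = entry
        if options.get('trusted', '').lower() == 'yes':
            findings.append((lineno, uri, uri.startswith('file:')))
    return findings


if __name__ == '__main__':
    for lineno, uri, local in unauthenticated_sources(SAMPLE):
        scope = 'local archive' if local else 'REMOTE archive'
        print(f"line {lineno}: signature checks disabled for {uri} ({scope})")
```

A remote entry in the findings means packages fetched over the network are installed without signature verification, which is a different risk from the local dummy archive the patch targets.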