Control: tag -1 + pending

Hi,

On Mon, 07 Dec 2015 21:49:41 +0100 Johannes Schauer <jo...@debian.org> wrote:
> Quoting Johannes Schauer (2015-12-07 21:13:10)
> > It seems that apt has support for trusted=yes since 0.8.16~exp3, so since
> > wheezy.
> 
> Keeping support for signing the internal repository is important for as long
> as we want to support squeeze. When running sbuild, then the apt *inside* the
> chroot has to support [trusted=yes]. Since today on stretch or unstable we
> want to be able to build packages in a squeeze chroot for old-old-stable, we
> must keep the functionality of signing the internal repo until we stop
> supporting squeeze.
> 
> So I suggest to add a command line flag like --trust-internal-repo which will
> make sbuild not require keys anymore and will set [trusted=yes] in apt's
> sources.list. Once we drop support for squeeze we can make that command line
> flag a no-op and never use keys for the internal repository by default.
> 
> Does this make sense?

I attached a patch which I currently have in my local git and which will thus
probably become part of the next sbuild release.

It will only sign the dummy archive release file and let apt trust the sbuild
public key if sbuild-key.pub and sbuild-key.sec exist in
/var/lib/sbuild/apt-keys. Otherwise it will just do nothing.

Additionally, the sources.list entries for the internal dummy repository now
unconditionally carry the [trusted=yes] option which will be interpreted by apt
in wheezy and later but ignored by apt in squeeze.

Thanks!

cheers, josch
From 282abf1120d8f46830b56c752399c5692fbd7944 Mon Sep 17 00:00:00 2001
From: Johannes 'josch' Schauer <jo...@mister-muffin.de>
Date: Fri, 25 Dec 2015 12:02:31 +0100
Subject: [PATCH] Set [trusted=yes] for internal dummy repository to make key
 generation optional (closes: #801798)

---
 lib/Sbuild/ResolverBase.pm | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/lib/Sbuild/ResolverBase.pm b/lib/Sbuild/ResolverBase.pm
index db54289..bfe6bd5 100644
--- a/lib/Sbuild/ResolverBase.pm
+++ b/lib/Sbuild/ResolverBase.pm
@@ -993,7 +993,13 @@ EOF
     }
 
     # Sign the release file
-    if (!$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) {
+    # This will only be done if the sbuild keys are present.
+    # Once squeeze is not supported anymore, we want to never sign the
+    # dummy repository anymore but instead make use of apt's support for
+    # [trusted=yes] in wheezy and later.
+    if ((-f $self->get_conf('SBUILD_BUILD_DEPENDS_SECRET_KEY')) &&
+	(-f $self->get_conf('SBUILD_BUILD_DEPENDS_PUBLIC_KEY')) &&
+	!$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) {
         if (!$self->generate_keys()) {
             $self->log("Failed to generate archive keys.\n");
             $self->cleanup_apt_archive();
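Review bot: With the two new -f tests in the condition, the branch is skipped silently whenever either key file is missing, including the case where only one of the two exists. In a squeeze chroot, where apt ignores [trusted=yes], that leaves an unsigned dummy archive and the failure only shows up later inside apt. Please log a line in an else branch saying the release file is not being signed and why (no keys found under the configured SBUILD_BUILD_DEPENDS_SECRET_KEY / SBUILD_BUILD_DEPENDS_PUBLIC_KEY paths), and consider treating "one key present, one missing" as an error rather than as "no keys". Also, generate_keys() is now reached only when both files already exist, so the "Failed to generate archive keys." message no longer describes what can go wrong here; a short comment on what the call still does would help. Style: the continuation lines of the condition are tab-indented while the surrounding code uses spaces.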
@@ -1079,8 +1085,16 @@ EOF
     # Write a list file for the dummy archive if one not create yet.
     if (! -f $dummy_archive_list_file) {
         my ($tmpfh, $tmpfilename) = tempfile(DIR => $session->get('Location') . "/tmp");
-        print $tmpfh 'deb file://' . $session->strip_chroot_path($dummy_archive_dir) . " ./\n";
-        print $tmpfh 'deb-src file://' . $session->strip_chroot_path($dummy_archive_dir) . " ./\n";
+	# We always trust the dummy apt repositories.
+	# This means that if SBUILD_BUILD_DEPENDS_{SECRET|PUBLIC}_KEY do not
+	# exist and thus the dummy repositories do not get signed, apt will
+	# still trust it. This allows one to run sbuild without generating
+	# keys which is useful on machines with little randomness.
+	# Older apt from squeeze will still require keys to be generated as it
+	# ignores the trusted=yes. Older apt ignoring this is also why we can add
+	# this unconditionally.
+        print $tmpfh 'deb [trusted=yes] file://' . $session->strip_chroot_path($dummy_archive_dir) . " ./\n";
+        print $tmpfh 'deb-src [trusted=yes] file://' . $session->strip_chroot_path($dummy_archive_dir) . " ./\n";
 
         for my $repospec (@{$self->get_conf('EXTRA_REPOSITORIES')}) {
             print $tmpfh "$repospec\n";
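Review bot: The two dummy-archive entries now carry [trusted=yes] even when the keys exist and APT_ALLOW_UNAUTHENTICATED is unset, so on wheezy and later the signature on the dummy Release file no longer gates anything and the trust decision rests entirely on who can write to $dummy_archive_dir inside the chroot. The new comment explains the no-keys case but not this one; please state explicitly that signing is kept only for squeeze and that the directory must not be writable by the build user. It is good that the option is limited to the two dummy entries and is not applied to the EXTRA_REPOSITORIES lines printed just below; a sentence in the comment saying that this is intentional would keep it from being "harmonised" later. Style: the added comment block is tab-indented, the print lines are space-indented.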
@@ -1112,7 +1126,9 @@ EOF
         unlink $tmpfilename;
     }
 
-    if (!$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) {
+    if ((-f $self->get_conf('SBUILD_BUILD_DEPENDS_SECRET_KEY')) &&
+	(-f $self->get_conf('SBUILD_BUILD_DEPENDS_PUBLIC_KEY')) &&
+	!$self->get_conf('APT_ALLOW_UNAUTHENTICATED')) {
         # Add the generated key
         $session->run_command(
             { COMMAND => ['apt-key', 'add', $session->strip_chroot_path($dummy_archive_pubkey)],
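Review bot: This three-part condition is a verbatim copy of the one added in the first hunk, so the "sign the Release file" step and the "apt-key add" step can drift apart if only one of them is edited later. Please compute it once (a local variable or a small helper method on the resolver) and use it in both places. Note also that the -f tests look at the paths from SBUILD_BUILD_DEPENDS_SECRET_KEY and SBUILD_BUILD_DEPENDS_PUBLIC_KEY, while the command adds $dummy_archive_pubkey; a comment saying how the two relate, or a check that the file being added exists, would make the guard easier to verify. The squeeze-removal comment from the first hunk is missing here as well.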
-- 
2.5.1
