Package: debootstrap Version: 0.2.45 Severity: wishlist Attached is the Ubuntu patch for Release.gpg validation, extracted from 0.2.45ubuntu21 and 0.2.45ubuntu24. I haven't checked it against 0.3 at all yet, I'm afraid ...
* Suppress untrue "Validating" messages. * Add --keyring option, allowing verification of Release.gpg against a given keyring. Cheers, -- Colin Watson [EMAIL PROTECTED]
diff -Nru /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/debootstrap /tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/debootstrap
--- /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/debootstrap 2004-12-30 16:48:11.000000000 +0000
+++ /tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/debootstrap 2005-01-17 13:07:18.000000000 +0000
@@ -18,6 +18,7 @@
 LANG=C
 USE_COMPONENTS=main
 VARIANT=""
+KEYRING=""
 DEBCONF_ADMIN_EMAIL=""
 export LANG USE_COMPONENTS DEBCONF_ADMIN_EMAIL
@@ -51,6 +52,7 @@
 archive --variant=X use variant X of the bootstrap scripts (currently supported variants: buildd)
+ --keyring=K check Release files against keyring K
 EOF
 }
@@ -130,6 +132,13 @@
 VARIANT="$(echo "$1" | cut -f2 -d"=")"
 shift 1
 ;;
+ --keyring*)
+ if ! gpgv --version >/dev/null 2>&1; then
+ error 1 NEEDGPGV "gpgv not installed, but required by --keyring option"
+ fi
+ KEYRING="$(echo "$1" | cut -f2 -d"=")"
+ shift 1
+ ;;
 *)
 break
 ;;
diff -Nru /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/functions /tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/functions
--- /tmp/PDJcbO6IKy/debootstrap-0.2.45ubuntu20/functions 2004-12-30 16:48:11.000000000 +0000
+++ /tmp/qvTUmOvpKj/debootstrap-0.2.45ubuntu21/functions 2005-01-17 16:55:40.000000000 +0000
@@ -213,8 +213,9 @@
 fi
 if [ -e "$2" ]; then
- info VALIDATING "Validating %s" "$displayname"
- if [ "$3" = "" ] || check_md5 $2 $3 $4; then
+ if [ "$3" = "" ] || \
+ (info VALIDATING "Validating %s" "$displayname"
+ check_md5 $2 $3 $4); then
 return 0
 else
 rm -f "$2"
@@ -243,8 +244,9 @@
 info RETRIEVING "Retrieving %s" "$displayname"
 if ! just_get "$from" "$dest"; then continue; fi
- info VALIDATING "Validating %s" "$displayname"
- if [ "$md5" = "" ] || check_md5 $dest $md5 $siz; then
+ if [ "$md5" = "" ] || \
+ (info VALIDATING "Validating %s" "$displayname"
+ check_md5 $dest $md5 $siz); then
 case "$typ" in
 "gz") gunzip "$dest" ;;
 "bz2") bunzip2 "$dest" ;;
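Review bot: The `--keyring*)` arm in the option `case` matches any argument beginning with that prefix, including a bare `--keyring`, and `cut -f2 -d"="` passes a line with no `=` through unchanged, so KEYRING then holds the literal option text; a keyring path that itself contains `=` is truncated at the first one. gpgv presumably cannot open such a path and the run ends in the SIGCHECK error from read_gpg_status, so it fails closed, but with a misleading message. This mirrors the existing `--variant*)` idiom, so it is a style point: `--keyring=*)` with `KEYRING="${1#--keyring=}"` is exact and needs no pipeline. The enclosing `case` starts and ends outside the hunk.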
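Review bot: In the -213 hunk, and again in the -243 hunk, the `info` call and `check_md5` are combined with `( ... )`, which forks a subshell for every validated file just to sequence two commands; a brace group, `{ info VALIDATING "Validating %s" "$displayname"; check_md5 $2 $3 $4; }`, gives `||` the same status without the fork and does not hide any variables check_md5 may set. The arguments `$2 $3 $4` and `$dest $md5 $siz` remain unquoted as on the removed lines, so a destination path containing whitespace is still word-split. Both enclosing functions start and end outside the hunk.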
@@ -356,6 +358,52 @@
 esac
 }
+######################################################## signature checking
+
+read_gpg_status () {
+ badsig=
+ nopubkey=
+ validsig=
+ while read prefix keyword keyid rest; do
+ [ "$prefix" = '[GNUPG:]' ] || continue
+ case $keyword in
+ BADSIG) badsig="$keyid" ;;
+ NO_PUBKEY) nopubkey="$keyid" ;;
+ VALIDSIG) validsig="$keyid" ;;
+ esac
+ done
+ if [ "$validsig" ]; then
+ return 0
+ elif [ "$badsig" ]; then
+ error 1 BADRELSIG "Invalid Release signature (key id %s)" "$badsig"
+ elif [ "$nopubkey" ]; then
+ error 1 UNKNOWNRELSIG "Release signed by unknown key (key id %s)" \
+ "$nopubkey"
+ else
+ error 1 SIGCHECK "Error executing gpgv to check Release signature"
+ fi
+}
+
+download_valid_sig () {
+ local m1="$1"
+ local reldest="$2"
+ local relsigdest="$TARGET/$($DLDEST rel $SUITE $m1 dists/$SUITE/Release.gpg)"
+ if [ "$KEYRING" ]; then
+ progress 0 100 DOWNRELSIG "Downloading Release file signature"
+ progress_next 50
+ get "$m1/dists/$SUITE/Release.gpg" $relsigdest ||
+ error 1 NOGETRELSIG "Failed getting release signature file %s" \
+ "$m1/dists/$SUITE/Release.gpg"
+ progress 50 100 DOWNRELSIG "Downloading Release file signature"
+ info VALIDATING "Validating %s" "${relsigdest##*/}"
+ # Don't worry about the exit status from gpgv; parsing the output will
+ # take care of that.
+ (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+ "$relsigdest" "$reldest" || true) | read_gpg_status
+ progress 100 100 DOWNRELSIG "Downloading Release file signature"
+ fi
+}
+
 ################################################################## download
 get_release_md5 () {
@@ -391,6 +439,8 @@
 fi
 progress 100 100 DOWNREL "Downloading Release file"
+ download_valid_sig "$m1" "$reldest"
+
 local totalpkgs=0
 for c in $COMPONENTS; do
 local subpath="$c/binary-$ARCH/Packages"
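Review bot: In download_valid_sig the verdict of read_gpg_status does not reach the caller: it runs as the last stage of `(gpgv ... || true) | read_gpg_status`, so the `exit` that `error` presumably performs ends only that pipeline subshell, and unless the script runs under `set -e` (not visible in this hunk) the function continues to `progress 100 100 DOWNRELSIG ...` and bootstrapping proceeds with the Release file unverified. Making the check explicit is one line, `"$relsigdest" "$reldest" || true) | read_gpg_status || exit 1`, and the call site added in the -391 hunk, `download_valid_sig "$m1" "$reldest"`, should likewise not discard the function's status. The final `else` branch of read_gpg_status is correctly fail-closed, but gpgv also emits EXPSIG, EXPKEYSIG and REVKEYSIG status lines, which currently surface as "Error executing gpgv" rather than naming an expired or revoked key; a `case` arm for them would give the operator the real reason.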