author | Julien Cristau <jcristau@debian.org> | 2016-10-18 22:11:26 (GMT) |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2016-10-18 22:11:32 (GMT) |
commit | 8a77b648b1a989962314a7d389a529bdef66cf1d (patch) | |
tree | 7ea401c143cbe7eb3928d4aad3eb5afff0265e81 | |
parent | e708b70110a242035067bf2b71be86aa82598c32 (diff) | |
Add support for downloading and validating InRelease files
Split up detached signature from signed data, in effect re-creating a
Release and Release.gpg pair that we can verify with gpgv.
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | functions | 29 |
2 files changed, 30 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog
index ee9e43f..56a85d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.85) UNRELEASED; urgency=medium
+
+ * Add support for downloading and validating InRelease files, by splitting
+ up detached signature from signed data.
+
+ -- Julien Cristau <jcristau@debian.org> Fri, 02 Sep 2016 20:26:38 +0200
+
 debootstrap (1.0.84) unstable; urgency=medium
 
 [ Ansgar Burchardt ]
@@ -551,15 +551,32 @@ download_release_sig () {
 download_release_indices () {
 	local m1="${MIRRORS%% *}"
 	local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")"
-	local relsigdest
+	local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")"
+	local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
 
 	progress 0 100 DOWNREL "Downloading Release file"
 	progress_next 100
-	get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
-		error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
-	relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
-	progress 100 100 DOWNREL "Downloading Release file"
+	if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then
+		sed -n '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/p' <
+			"$inreldest" > "$relsigdest"
+		# We assume \a does not appear in the Release file, and strip
+		# the last \n through the tr round-trip.
+		sed '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/ d
+		     /^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/ d
+		    ' < "$inreldest" |
+			tr '\n' '\a' | sed 's/\a$//' | tr '\a' '\n' > "$reldest"
+		progress 100 100 DOWNREL "Downloading Release file"
+		info RELEASESIG "Checking Release signature"
+		# Don't worry about the exit status from gpgv; parsing the output will
+		# take care of that.
+		(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+		 "$relsigdest" "$reldest" || true) | read_gpg_status
+	else
+		get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
+			error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
+		progress 100 100 DOWNREL "Downloading Release file"
 
-	download_release_sig "$m1" "$reldest" "$relsigdest"
+		download_release_sig "$m1" "$reldest" "$relsigdest"
+	fi
 
 	validate_suite "$reldest"
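Review bot: The split at `sed -n '/^-----BEGIN PGP SIGNATURE-----$/,...'` assumes the downloaded InRelease body contains exactly one armored signature block; if the mirror answers with a truncated body, an HTML error page or a plain unsigned file, `$relsigdest` ends up empty and the whole body lands in `$reldest`, so the outcome rests entirely on read_gpg_status (outside the hunk) treating "no signature at all" as fatal rather than only reacting to BADSIG lines. Failing closed explicitly is cheaper to reason about and gives a clearer error: after the extraction add `[ -s "$relsigdest" ] || error 1 <ERRCODE> "No PGP signature block found in %s" "$m1/dists/$SUITE/InRelease"` (with an error code following the file's naming convention). The cleartext-signature format dash-escapes signed lines that begin with `-` (RFC 4880 §7.1), which the second sed does not undo; a comment such as `# Dash-escaped lines ("- ") are not unescaped; Release files are not expected to contain lines starting with "-"` records that assumption next to the existing `\a` one. The gpgv/read_gpg_status invocation looks like a copy of the one in download_release_sig (whose body is outside the hunk); factoring both into a single helper would keep any later change to keyring handling or status parsing in one place. If the rendering is faithful, the `<` ending the first `sed -n` line has no `\` continuation and would be a shell syntax error, so that line is worth confirming against the committed file.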