author: Joey Hess <joey@kitenet.net> 2011-03-25 18:23:24 (GMT)
committer: Joey Hess <joey@kitenet.net> 2011-03-25 18:23:24 (GMT)
commit: a83170288740003d23968f8107d1ad32e0dc0452
tree: 12e67976eba33f4a8446b95c7fbc043780ec2a09
parent: e5c267d5b0d0e153ba6a72eb56e7e76ada15edbc
check keyrings by default, when possible
* Recommend debian-archive-keyring, and if it is installed, default to checking gpg signatures of the Release file against it when bootstrapping sid, squeeze, wheezy, etch, and lenny. Closes: #560038
* Add --no-check-gpg option that can be used to disable release file verification.
* Needs base-installer 1.117.
-rw-r--r-- debian/changelog 12
-rw-r--r-- debian/control 2
-rwxr-xr-x debootstrap 6
-rw-r--r-- debootstrap.8 8
-rw-r--r-- functions 8
-rw-r--r-- scripts/sid 1
6 files changed, 33 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog
index c64cecd..1ad88c3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+debootstrap (1.0.30) UNRELEASED; urgency=low
+
+ * Recommend debian-archive-keyring, and if it is installed,
+ default to checking gpg signatures of the Release file against it
+ when bootstrapping sid, squeeze, wheezy, etch, and lenny.
+ Closes: #560038
+ * Add --no-check-gpg option that can be used to disable release file
+ verification.
+ * Needs base-installer 1.117.
+
+ -- Joey Hess <joeyh@debian.org> Fri, 25 Mar 2011 14:12:43 -0400
+
debootstrap (1.0.29) unstable; urgency=low
[ Joey Hess ]
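Review bot: The "Needs base-installer 1.117" bullet gives no reason and is not backed by anything else in this patch; the debian/control change only touches Recommends. Say in the entry what breaks with an older base-installer, and if the requirement is real, express it as a package relationship in debian/control so it is enforced rather than only recorded in the changelog.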
diff --git a/debian/control b/debian/control
index 6bb9ec9..3c68977 100644
--- a/debian/control
+++ b/debian/control
@@ -11,7 +11,7 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git
Package: debootstrap
Architecture: all
Depends: ${misc:Depends}, wget
-Recommends: gnupg
+Recommends: gnupg, debian-archive-keyring
Description: Bootstrap a basic Debian system
debootstrap is used to create a Debian base system from scratch,
without requiring the availability of dpkg or apt. It does this by
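Review bot: Putting debian-archive-keyring in Recommends means the new default is only as strong as the host's handling of recommended packages. On a host installed without recommends, the keyring file is absent and the keyring helper added in functions leaves KEYRING empty, so Release signatures are not checked. If verification is meant to be the default, consider Depends, or at least document this condition in the package description.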
diff --git a/debootstrap b/debootstrap
index 2fe633a..0ca832d 100755
--- a/debootstrap
+++ b/debootstrap
@@ -25,6 +25,7 @@ exec 4>&1
LANG=C
USE_COMPONENTS=main
KEYRING=""
+DISABLE_KEYRING=""
VARIANT=""
DEF_MIRROR="http://ftp.us.debian.org/debian"
@@ -82,6 +83,7 @@ usage()
(currently supported variants: buildd, fakechroot,
scratchbox)
--keyring=K check Release files against keyring K
+ --no-check-gpg avoid checking Release file signatures
--no-resolve-deps don't try to resolve dependencies automatically
--unpack-tarball=T acquire .debs from a tarball instead of http
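Review bot: The usage text is now out of step with the man page. The unchanged "--keyring=K check Release files against keyring K" line still reads as if checking were opt-in, while debootstrap.8 in this same patch describes --keyring as an override of a default keyring. Update the --keyring line to match, and have the --no-check-gpg line say that it turns off a check that is otherwise on when the default keyring is installed.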
@@ -304,6 +306,10 @@ if [ $# != 0 ] ; then
error 1 NEEDARG "option requires an argument %s" "$1"
fi
;;
+ --no-check-gpg)
+ shift 1
+ DISABLE_KEYRING=1
+ ;;
--certificate|--certificate=?*)
if [ "$1" = "--certificate" -a -n "$2" ]; then
CERTIFICATE="--certificate=$2"
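Review bot: The --no-check-gpg case sets DISABLE_KEYRING=1 without looking at KEYRING, so a command line that passes both --keyring=K and --no-check-gpg is accepted and ends up unverified with no message. Since the two options contradict each other, either reject the combination with an error or warn that the keyring given is being ignored.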
diff --git a/debootstrap.8 b/debootstrap.8
index 4026143..6724908 100644
--- a/debootstrap.8
+++ b/debootstrap.8
@@ -84,9 +84,13 @@ Debian installation in
.IR TARGET .
.IP
.IP "\fB\-\-keyring=KEYRING\fP"
-Download signatures for retrieved Release files and check them against
+Override the default keyring for the distribution being bootstrapped,
+and use
.IR KEYRING .
-By default, Release file signatures are not checked.
+to check signatures of retrieved Release files.
+.IP
+.IP "\fB\-\-no-check-gpg\fP"
+Disables checking gpg signatures of retrieved Release files.
.IP
.IP "\fB\-\-verbose\fP"
Produce more info about downloading.
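Review bot: The reworded --keyring paragraph keeps the context line ".IR KEYRING ." with its trailing period, so the rendered sentence reads "and use KEYRING. to check signatures of retrieved Release files." Drop the period argument from that line. The paragraph also no longer says what happens when no default keyring is installed; the removed sentence "By default, Release file signatures are not checked." should be replaced with a statement of the new default and of the case where checking is skipped, rather than deleted outright.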
diff --git a/functions b/functions
index 8b8c889..99e34c5 100644
--- a/functions
+++ b/functions
@@ -191,6 +191,12 @@ download_style () {
esac
}
+keyring () {
+ if [ -z "$KEYRING" ] && [ -e "$1" ]; then
+ KEYRING="$1"
+ fi
+}
+
########################################################## variant handling
doing_variant () {
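Review bot: The new keyring function fails open without telling anyone. When the path in $1 does not exist, the -e test is false, KEYRING stays empty and the bootstrap proceeds unverified with no output. Emit a warning through the script's existing reporting path in that branch so the operator can see that Release file signatures are not being checked and why. A short comment above the function stating that an explicit --keyring value takes precedence over the suite default would also help, since that is what the -z "$KEYRING" test implements.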
@@ -456,7 +462,7 @@ download_release_sig () {
local reldest="$2"
local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
- if [ -n "$KEYRING" ]; then
+ if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then
progress 0 100 DOWNRELSIG "Downloading Release file signature"
progress_next 50
get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
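Review bot: This condition is the only place in the patch where DISABLE_KEYRING is consulted, which leaves KEYRING set to the suite default even when --no-check-gpg was given. Any other code that tests only -n "$KEYRING" will still behave as if verification were enabled. Checking DISABLE_KEYRING once inside the keyring function, so that KEYRING stays empty when checking is disabled, would keep every such test consistent and let this line stay as it was.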
diff --git a/scripts/sid b/scripts/sid
index 5febdcc..5ab6af3 100644
--- a/scripts/sid
+++ b/scripts/sid
@@ -2,6 +2,7 @@ mirror_style release
download_style apt
finddebs_style from-indices
variants - buildd fakechroot minbase scratchbox
+keyring /usr/share/keyrings/debian-archive-keyring.gpg
if doing_variant fakechroot; then
test "$FAKECHROOT" = "true" || error 1 FAKECHROOTREQ "This variant requires fakechroot environment to be started"
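Review bot: Only scripts/sid gains the keyring line, while the changelog claims the default applies to sid, squeeze, wheezy, etch and lenny. Confirm that the other four suite scripts resolve to this file; if any of them is a separate script it needs the same line or it will keep bootstrapping without signature checks. The hardcoded host path /usr/share/keyrings/debian-archive-keyring.gpg also deserves a one-line comment noting that it is the file shipped by the debian-archive-keyring package now listed in Recommends.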