diff options
| author | Joey Hess <joey@kitenet.net> | 2011-03-25 18:23:24 (GMT) |
|---|---|---|
| committer | Joey Hess <joey@kitenet.net> | 2011-03-25 18:23:24 (GMT) |
| commit | a83170288740003d23968f8107d1ad32e0dc0452 (patch) | |
| tree | 12e67976eba33f4a8446b95c7fbc043780ec2a09 | |
| parent | e5c267d5b0d0e153ba6a72eb56e7e76ada15edbc (diff) | |
| download | debootstrap-a83170288740003d23968f8107d1ad32e0dc0452.zip debootstrap-a83170288740003d23968f8107d1ad32e0dc0452.tar.gz debootstrap-a83170288740003d23968f8107d1ad32e0dc0452.tar.bz2 | |
check keyrings by default, when possible
* Recommend debian-archive-keyring, and if it is installed,
default to checking gpg signatures of the Release file against it
when bootstrapping sid, squeeze, wheezy, etch, and lenny.
Closes: #560038
* Add --no-check-gpg option that can be used to disable release file
verification.
* Needs base-installer 1.117.
| -rw-r--r-- | debian/changelog | 12 | ||||
| -rw-r--r-- | debian/control | 2 | ||||
| -rwxr-xr-x | debootstrap | 6 | ||||
| -rw-r--r-- | debootstrap.8 | 8 | ||||
| -rw-r--r-- | functions | 8 | ||||
| -rw-r--r-- | scripts/sid | 1 |
6 files changed, 33 insertions, 4 deletions
diff --git a/debian/changelog b/debian/changelog index c64cecd..1ad88c3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +debootstrap (1.0.30) UNRELEASED; urgency=low + + * Recommend debian-archive-keyring, and if it is installed, + default to checking gpg signatures of the Release file against it + when bootstrapping sid, squeeze, wheezy, etch, and lenny. + Closes: #560038 + * Add --no-check-gpg option that can be used to disable release file + verification. + * Needs base-installer 1.117. + + -- Joey Hess <joeyh@debian.org> Fri, 25 Mar 2011 14:12:43 -0400 + debootstrap (1.0.29) unstable; urgency=low [ Joey Hess ] diff --git a/debian/control b/debian/control index 6bb9ec9..3c68977 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git Package: debootstrap Architecture: all Depends: ${misc:Depends}, wget -Recommends: gnupg +Recommends: gnupg, debian-archive-keyring Description: Bootstrap a basic Debian system debootstrap is used to create a Debian base system from scratch, without requiring the availability of dpkg or apt. It does this by diff --git a/debootstrap b/debootstrap index 2fe633a..0ca832d 100755 --- a/debootstrap +++ b/debootstrap @@ -25,6 +25,7 @@ exec 4>&1 LANG=C USE_COMPONENTS=main KEYRING="" +DISABLE_KEYRING="" VARIANT="" DEF_MIRROR="http://ftp.us.debian.org/debian" @@ -82,6 +83,7 @@ usage() (currently supported variants: buildd, fakechroot, scratchbox) --keyring=K check Release files against keyring K + --no-check-gpg avoid checking Release file signatures --no-resolve-deps don't try to resolve dependencies automatically --unpack-tarball=T acquire .debs from a tarball instead of http @@ -304,6 +306,10 @@ if [ $# != 0 ] ; then error 1 NEEDARG "option requires an argument %s" "$1" fi ;; + --no-check-gpg) + shift 1 + DISABLE_KEYRING=1 + ;; --certificate|--certificate=?*) if [ "$1" = "--certificate" -a -n "$2" ]; then CERTIFICATE="--certificate=$2" diff --git a/debootstrap.8 b/debootstrap.8 index 4026143..6724908 100644 --- a/debootstrap.8 +++ b/debootstrap.8 @@ -84,9 +84,13 @@ Debian installation in .IR TARGET . .IP .IP "\fB\-\-keyring=KEYRING\fP" -Download signatures for retrieved Release files and check them against +Override the default keyring for the distribution being bootstrapped, +and use .IR KEYRING . -By default, Release file signatures are not checked. +to check signatures of retrieved Release files. +.IP +.IP "\fB\-\-no-check-gpg\fP" +Disables checking gpg signatures of retrieved Release files. .IP .IP "\fB\-\-verbose\fP" Produce more info about downloading. @@ -191,6 +191,12 @@ download_style () { esac } +keyring () { + if [ -z "$KEYRING" ] && [ -e "$1" ]; then + KEYRING="$1" + fi +} + ########################################################## variant handling doing_variant () { @@ -456,7 +462,7 @@ download_release_sig () { local reldest="$2" local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")" - if [ -n "$KEYRING" ]; then + if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then progress 0 100 DOWNRELSIG "Downloading Release file signature" progress_next 50 get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache || diff --git a/scripts/sid b/scripts/sid index 5febdcc..5ab6af3 100644 --- a/scripts/sid +++ b/scripts/sid @@ -2,6 +2,7 @@ mirror_style release download_style apt finddebs_style from-indices variants - buildd fakechroot minbase scratchbox +keyring /usr/share/keyrings/debian-archive-keyring.gpg if doing_variant fakechroot; then test "$FAKECHROOT" = "true" || error 1 FAKECHROOTREQ "This variant requires fakechroot environment to be started" |