diff options
| author | Julien Cristau <jcristau@debian.org> | 2016-10-18 22:11:26 (GMT) |
|---|---|---|
| committer | Julien Cristau <jcristau@debian.org> | 2016-10-18 22:11:32 (GMT) |
| commit | 8a77b648b1a989962314a7d389a529bdef66cf1d (patch) | |
| tree | 7ea401c143cbe7eb3928d4aad3eb5afff0265e81 /functions | |
| parent | e708b70110a242035067bf2b71be86aa82598c32 (diff) | |
| download | debootstrap-8a77b648b1a989962314a7d389a529bdef66cf1d.zip debootstrap-8a77b648b1a989962314a7d389a529bdef66cf1d.tar.gz debootstrap-8a77b648b1a989962314a7d389a529bdef66cf1d.tar.bz2 | |
Add support for downloading and validating InRelease files
Split up detached signature from signed data, in effect re-creating a
Release and Release.gpg pair that we can verify with gpgv.
Diffstat (limited to 'functions')
| -rw-r--r-- | functions | 29 |
1 files changed, 23 insertions, 6 deletions
@@ -551,15 +551,32 @@ download_release_sig () { download_release_indices () { local m1="${MIRRORS%% *}" local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")" - local relsigdest + local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")" + local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")" progress 0 100 DOWNREL "Downloading Release file" progress_next 100 - get "$m1/dists/$SUITE/Release" "$reldest" nocache || - error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release" - relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")" - progress 100 100 DOWNREL "Downloading Release file" + if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then + sed -n '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/p' < + "$inreldest" > "$relsigdest" + # We assume \a does not appear in the Release file, and strip + # the last \n through the tr round-trip. + sed '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/ d + /^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/ d + ' < "$inreldest" | + tr '\n' '\a' | sed 's/\a$//' | tr '\a' '\n' > "$reldest" + progress 100 100 DOWNREL "Downloading Release file" + info RELEASESIG "Checking Release signature" + # Don't worry about the exit status from gpgv; parsing the output will + # take care of that. + (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \ + "$relsigdest" "$reldest" || true) | read_gpg_status + else + get "$m1/dists/$SUITE/Release" "$reldest" nocache || + error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release" + progress 100 100 DOWNREL "Downloading Release file" - download_release_sig "$m1" "$reldest" "$relsigdest" + download_release_sig "$m1" "$reldest" "$relsigdest" + fi validate_suite "$reldest" |