From a83170288740003d23968f8107d1ad32e0dc0452 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 25 Mar 2011 14:23:24 -0400 Subject: check keyrings by default, when possible * Recommend debian-archive-keyring, and if it is installed, default to checking gpg signatures of the Release file against it when bootstrapping sid, squeeze, wheezy, etch, and lenny. Closes: #560038 * Add --no-check-gpg option that can be used to disable release file verification. * Needs base-installer 1.117. --- debian/changelog | 12 ++++++++++++ debian/control | 2 +- debootstrap | 6 ++++++ debootstrap.8 | 8 ++++++-- functions | 8 +++++++- scripts/sid | 1 + 6 files changed, 33 insertions(+), 4 deletions(-) diff --git a/debian/changelog b/debian/changelog index c64cecd..1ad88c3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +debootstrap (1.0.30) UNRELEASED; urgency=low + + * Recommend debian-archive-keyring, and if it is installed, + default to checking gpg signatures of the Release file against it + when bootstrapping sid, squeeze, wheezy, etch, and lenny. + Closes: #560038 + * Add --no-check-gpg option that can be used to disable release file + verification. + * Needs base-installer 1.117. + + -- Joey Hess Fri, 25 Mar 2011 14:12:43 -0400 + debootstrap (1.0.29) unstable; urgency=low [ Joey Hess ] diff --git a/debian/control b/debian/control index 6bb9ec9..3c68977 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git Package: debootstrap Architecture: all Depends: ${misc:Depends}, wget -Recommends: gnupg +Recommends: gnupg, debian-archive-keyring Description: Bootstrap a basic Debian system debootstrap is used to create a Debian base system from scratch, without requiring the availability of dpkg or apt. It does this by diff --git a/debootstrap b/debootstrap index 2fe633a..0ca832d 100755 --- a/debootstrap +++ b/debootstrap 
@@ -25,6 +25,7 @@ exec 4>&1
 LANG=C
 USE_COMPONENTS=main
 KEYRING=""
+DISABLE_KEYRING=""
 VARIANT=""
 DEF_MIRROR="http://ftp.us.debian.org/debian"
@@ -82,6 +83,7 @@ usage()
 (currently supported variants: buildd, fakechroot, scratchbox)
 --keyring=K check Release files against keyring K
+ --no-check-gpg avoid checking Release file signatures
 --no-resolve-deps don't try to resolve dependencies automatically
 --unpack-tarball=T acquire .debs from a tarball instead of http
@@ -304,6 +306,10 @@ if [ $# != 0 ] ; then
 error 1 NEEDARG "option requires an argument %s" "$1"
 fi
 ;;
+ --no-check-gpg)
+ shift 1
+ DISABLE_KEYRING=1
+ ;;
 --certificate|--certificate=?*)
 if [ "$1" = "--certificate" -a -n "$2" ]; then
 CERTIFICATE="--certificate=$2"
diff --git a/debootstrap.8 b/debootstrap.8
index 4026143..6724908 100644
--- a/debootstrap.8
+++ b/debootstrap.8
@@ -84,9 +84,13 @@ Debian installation in
 .IR TARGET .
 .IP
 .IP "\fB\-\-keyring=KEYRING\fP"
-Download signatures for retrieved Release files and check them against
+Override the default keyring for the distribution being bootstrapped,
+and use
 .IR KEYRING .
-By default, Release file signatures are not checked.
+to check signatures of retrieved Release files.
 .IP
+.IP "\fB\-\-no-check-gpg\fP"
+Disables checking gpg signatures of retrieved Release files.
 .IP
 .IP "\fB\-\-verbose\fP"
 Produce more info about downloading.
diff --git a/functions b/functions
index 8b8c889..99e34c5 100644
--- a/functions
+++ b/functions
@@ -191,6 +191,12 @@ download_style () {
 esac
 }
+keyring () {
+ if [ -z "$KEYRING" ] && [ -e "$1" ]; then
+ KEYRING="$1"
+ fi
+}
+
 ########################################################## variant handling
 doing_variant () {
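Review bot: `--no-check-gpg` is accepted alongside `--keyring=K`, and since the gate in download_release_sig requires both KEYRING to be set and DISABLE_KEYRING to be empty, the keyring the user explicitly asked for is then dropped without any diagnostic. Either refuse the pair once option parsing is done, `if [ -n "$KEYRING" ] && [ -n "$DISABLE_KEYRING" ]; then error 1 KEYRINGCONFLICT "--keyring and --no-check-gpg are mutually exclusive"; fi`, or let an explicit --keyring win and have the flag suppress only the distribution default. Whichever is chosen, a single stderr line when verification is turned off would make such runs distinguishable in logs. The enclosing case statement and the option loop around it start and end outside the hunk.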
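Review bot: `keyring ()` introduces a new suite-script directive with no comment, and the part that matters for security — a missing file is silently ignored, so a host without debian-archive-keyring (only Recommended in debian/control) bootstraps with no signature check and no message — is left for the reader to work out. A header comment above the function should state that, e.g. `# keyring PATH: suite-script directive. Use PATH as the default Release-signature keyring unless --keyring was given. A missing PATH is ignored, so verification is skipped with no message on hosts without debian-archive-keyring.` The `[ -z "$KEYRING" ]` test is what lets an explicit --keyring take precedence, presumably because suite scripts are sourced after option parsing — that ordering is not visible here. Keep `-e` rather than `-r`: an unreadable keyring then fails at verification time instead of being treated as "no keyring", which is the safer outcome.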
@@ -456,7 +462,7 @@ download_release_sig () {
 local reldest="$2"
 local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"

- if [ -n "$KEYRING" ]; then
+ if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then
 progress 0 100 DOWNRELSIG "Downloading Release file signature"
 progress_next 50
 get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
diff --git a/scripts/sid b/scripts/sid
index 5febdcc..5ab6af3 100644
--- a/scripts/sid
+++ b/scripts/sid
@@ -2,6 +2,7 @@ mirror_style release
 download_style apt
 finddebs_style from-indices
 variants - buildd fakechroot minbase scratchbox
+keyring /usr/share/keyrings/debian-archive-keyring.gpg
 if doing_variant fakechroot; then
 test "$FAKECHROOT" = "true" || error 1 FAKECHROOTREQ "This variant requires fakechroot environment to be started"
-- cgit v0.12
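Review bot: The negative side of this condition still falls through silently, so now that checking is the default, a run whose keyring file was not found (the new keyring() directive in this file ignores a missing path) is indistinguishable from one that verified the Release file. A branch that writes one line to stderr would make the skipped check visible, e.g. `elif [ -z "$DISABLE_KEYRING" ]; then warning NOKEYRING "Release signature not checked: no keyring available for %s" "$SUITE"` — assuming the file's warning helper takes the same code/format/argument form as the `error` calls visible in the debootstrap hunk; otherwise a plain `printf ... >&2` will do. download_release_sig begins above the hunk and its if/else structure continues past the `get` line, so where the branch goes depends on what follows.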
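Review bot: The keyring path is hard-coded to whatever the installed debian-archive-keyring package currently ships, and per the commit message the older suites (etch, lenny) are also meant to use this default; if a suite's Release files are signed with a key the installed keyring no longer carries, verification fails rather than falling back — the right failure mode, but one users will hit without explanation. A comment on the new line would save that confusion: `# default keyring; if the suite's signing key is not in the installed keyring, pass --keyring=K (or --no-check-gpg)`. Whether the other suite scripts are symlinks to this one is not visible from the diff.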