From be99f7b4c1fc622f9c4d4f93d96aec649ff7c543 Mon Sep 17 00:00:00 2001
From: Cyril Brulebois <kibi@debian.org>
Date: Fri, 15 May 2015 04:32:07 +0200
Subject: Add support for --force-check-gpg (Closes: #661501, #733179,
 #775454).

With this option, one can programmatically make sure keyring checks are
used and that no fallback to an https mirror happens.
---
 debian/changelog | 3 +++
 debootstrap      | 8 ++++++++
 debootstrap.8    | 4 ++++
 functions        | 5 ++++-
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index 0350d3c..64bafb7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ debootstrap (1.0.69) UNRELEASED; urgency=medium
     issues while counting downloaded packages. The failure path could lead
     to printing some strange integer (Closes: #709751, #768445, #785276).
     This was reported to mostly happen whenever --no-resolve-deps is used.
+  * Add support for --force-check-gpg so that one can programmatically
+    make sure keyring checks are used and that no fallback to an https
+    mirror happens (Closes: #661501, #733179, #775454).
 
  -- Cyril Brulebois <kibi@debian.org>  Thu, 14 May 2015 23:52:52 +0200
 
diff --git a/debootstrap b/debootstrap
index 3d45c9c..e987112 100755
--- a/debootstrap
+++ b/debootstrap
@@ -27,6 +27,7 @@ LANG=C
 USE_COMPONENTS=main
 KEYRING=""
 DISABLE_KEYRING=""
+FORCE_KEYRING=""
 VARIANT=""
 ARCH=""
 HOST_ARCH=""
@@ -104,6 +105,9 @@ usage()
                               scratchbox, minbase)
       --keyring=K            check Release files against keyring K
       --no-check-gpg         avoid checking Release file signatures
+      --force-check-gpg      force checking Release file signatures
+                             (also disables automatic fallback to HTTPS in case
+                             of a missing keyring), aborting otherwise
       --no-resolve-deps      don't try to resolve dependencies automatically
 
       --unpack-tarball=T     acquire .debs from a tarball instead of http
@@ -319,6 +323,10 @@ if [ $# != 0 ] ; then
 			shift 1
 			DISABLE_KEYRING=1
 		;;
+	    --force-check-gpg)
+			shift 1
+			FORCE_KEYRING=1
+		;;
 	    --certificate|--certificate=?*)
 		if [ "$1" = "--certificate" -a -n "$2" ]; then
 			CERTIFICATE="--certificate=$2"
diff --git a/debootstrap.8 b/debootstrap.8
index 2cf44ca..106d172 100644
--- a/debootstrap.8
+++ b/debootstrap.8
@@ -93,6 +93,10 @@ to check signatures of retrieved Release files.
 .IP "\fB\-\-no-check-gpg\fP"
 Disables checking gpg signatures of retrieved Release files.
 .IP
+.IP "\fB\-\-force-check-gpg\fP"
+Forces checking Release file signatures, disabling automatic fallback to
+HTTPS in case of a missing keyring.
+.IP
 .IP "\fB\-\-verbose\fP"
 Produce more info about downloading.
 .IP
diff --git a/functions b/functions
index c8d7787..d697c4f 100644
--- a/functions
+++ b/functions
@@ -200,11 +200,14 @@ keyring () {
 		if [ -e "$1" ]; then
 			KEYRING="$1"
 		elif [ -z "$DISABLE_KEYRING" ]; then
-			if [ -n "$DEF_HTTPS_MIRROR" ] && [ -z "$USER_MIRROR" ] ; then
+			if [ -n "$DEF_HTTPS_MIRROR" ] && [ -z "$USER_MIRROR" ] && [ -z "$FORCE_KEYRING" ]; then
 				info KEYRING "Keyring file not available at %s; switching to https mirror %s" "$1" "$DEF_HTTPS_MIRROR"
 				USER_MIRROR="$DEF_HTTPS_MIRROR"
 			else
 				warning KEYRING "Cannot check Release signature; keyring file not available %s" "$1"
+				if [ -n "$FORCE_KEYRING" ]; then
+					error 1 KEYRING "Keyring-based check was requested; aborting accordingly"
+				fi
 			fi
 		fi
 	fi
-- 
cgit v0.12