From be99f7b4c1fc622f9c4d4f93d96aec649ff7c543 Mon Sep 17 00:00:00 2001
From: Cyril Brulebois
Date: Fri, 15 May 2015 04:32:07 +0200
Subject: Add support for --force-check-gpg (Closes: #661501, #733179, #775454). With this option, one can programmatically make sure keyring checks are used and that no fallback to an https mirror happens.
---
 debian/changelog | 3 +++
 debootstrap | 8 ++++++++
 debootstrap.8 | 4 ++++
 functions | 5 ++++-
 4 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index 0350d3c..64bafb7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,9 @@ debootstrap (1.0.69) UNRELEASED; urgency=medium
 issues while counting downloaded packages. The failure path could lead to printing some strange integer (Closes: #709751, #768445, #785276). This was reported to mostly happen whenever --no-resolve-deps is used.
+ * Add support for --force-check-gpg so that one can programmatically
+ make sure keyring checks are used and that no fallback to an https
+ mirror happens (Closes: #661501, #733179, #775454).
 -- Cyril Brulebois Thu, 14 May 2015 23:52:52 +0200
diff --git a/debootstrap b/debootstrap
index 3d45c9c..e987112 100755
--- a/debootstrap
+++ b/debootstrap
@@ -27,6 +27,7 @@ LANG=C
 USE_COMPONENTS=main
 KEYRING=""
 DISABLE_KEYRING=""
+FORCE_KEYRING=""
 VARIANT=""
 ARCH=""
 HOST_ARCH=""
@@ -104,6 +105,9 @@ usage()
 scratchbox, minbase)
 --keyring=K check Release files against keyring K
 --no-check-gpg avoid checking Release file signatures
+ --force-check-gpg force checking Release file signatures
+ (also disables automatic fallback to HTTPS in case
+ of a missing keyring), aborting otherwise
 --no-resolve-deps don't try to resolve dependencies automatically
 --unpack-tarball=T acquire .debs from a tarball instead of http
@@ -319,6 +323,10 @@ if [ $# != 0 ] ; then
 shift 1
 DISABLE_KEYRING=1
 ;;
+ --force-check-gpg)
+ shift 1
+ FORCE_KEYRING=1
+ ;;
 --certificate|--certificate=?*)
 if [ "$1" = "--certificate" -a -n "$2" ]; then
 CERTIFICATE="--certificate=$2"
diff --git a/debootstrap.8 b/debootstrap.8
index 2cf44ca..106d172 100644
--- a/debootstrap.8
+++ b/debootstrap.8
@@ -93,6 +93,10 @@ to check signatures of retrieved Release files.
 .IP "\fB\-\-no-check-gpg\fP"
 Disables checking gpg signatures of retrieved Release files.
 .IP
+.IP "\fB\-\-force-check-gpg\fP"
+Forces checking Release file signatures, disabling automatic fallback to
+HTTPS in case of a missing keyring.
+.IP
 .IP "\fB\-\-verbose\fP"
 Produce more info about downloading.
 .IP
diff --git a/functions b/functions
index c8d7787..d697c4f 100644
--- a/functions
+++ b/functions
@@ -200,11 +200,14 @@ keyring () {
 if [ -e "$1" ]; then
 KEYRING="$1"
 elif [ -z "$DISABLE_KEYRING" ]; then
- if [ -n "$DEF_HTTPS_MIRROR" ] && [ -z "$USER_MIRROR" ] ; then
+ if [ -n "$DEF_HTTPS_MIRROR" ] && [ -z "$USER_MIRROR" ] && [ -z "$FORCE_KEYRING" ]; then
 info KEYRING "Keyring file not available at %s; switching to https mirror %s" "$1" "$DEF_HTTPS_MIRROR"
 USER_MIRROR="$DEF_HTTPS_MIRROR"
 else
 warning KEYRING "Cannot check Release signature; keyring file not available %s" "$1"
+ if [ -n "$FORCE_KEYRING" ]; then
+ error 1 KEYRING "Keyring-based check was requested; aborting accordingly"
+ fi
 fi
 fi
 fi
-- 
cgit v0.12
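Review bot: Nothing in the new `--force-check-gpg)` case rejects the combination with `--no-check-gpg`, so `FORCE_KEYRING=1` and `DISABLE_KEYRING=1` can both end up set. In the `functions` hunk the new abort sits inside `elif [ -z "$DISABLE_KEYRING" ]`, so with both flags that branch is skipped and the run continues without the keyring check that was supposedly forced; a wrapper that appends `--force-check-gpg` gets no guarantee if another layer passes `--no-check-gpg`. Unless a conflict check exists outside the visible hunks, I would add one after option parsing, for example `if [ -n "$DISABLE_KEYRING" ] && [ -n "$FORCE_KEYRING" ]; then error 1 KEYRING "--no-check-gpg and --force-check-gpg are mutually exclusive"; fi` (assuming `error` is already available at that point). The option loop starts and ends outside this hunk.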
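Review bot: The extended condition on the `if [ -n "$DEF_HTTPS_MIRROR" ] ...` line in keyring() carries no comment saying why `FORCE_KEYRING` must suppress the HTTPS switch, and that reasoning is the security point of the change. HTTPS authenticates the mirror and protects the transfer, but only the Release signature check ties the archive contents to the archive key, so the fallback is a weaker guarantee than the one the option promises. I would add above that line `# --force-check-gpg: HTTPS is not a substitute for signature verification; fall through and abort`. The same else branch still only warns and continues when `FORCE_KEYRING` is empty, which is the pre-existing behaviour and worth stating in that comment too. keyring() begins before the hunk's first context line, so its outer condition is not visible here.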