I think this is worth putting in because it's useful both when a key
expires and you still need to use old installation media, and when
installing from an unofficial, unsigned mirror, like the one the armel
port is using.
I haven't tested the code yet, but I will before I commit, if people
like the idea of adding this.
Index: manual/en/appendix/preseed.xml
===================================================================
--- manual/en/appendix/preseed.xml (revision 45117)
+++ manual/en/appendix/preseed.xml (working copy)
@@ -838,6 +838,11 @@
#d-i mirror/suite string testing
# Suite to use for loading installer components (optional).
#d-i mirror/udeb/suite string testing
+
+# By default the installer requires that the mirror can be authenticated
+# using a known gpg key. This preseed setting can be used to disable that
+# authentication. Warning: Insecure, not recommended.
+#d-i debian-installer/allowunauthenticated string true
</screen></informalexample>
</sect2>
Index: packages/rootskel/debian/changelog
===================================================================
--- packages/rootskel/debian/changelog (revision 45117)
+++ packages/rootskel/debian/changelog (working copy)
@@ -1,3 +1,11 @@
+rootskel (1.50) UNRELEASED; urgency=low
+
+ * Add new debian-installer/allowunauthenticated template, will be used by
+ choose-mirror and base-installer to allow forcing installation even if
+ the mirror doesn't auth.
+
+ -- Joey Hess <joeyh@debian.org> Thu, 15 Feb 2007 13:51:22 -0500
+
rootskel (1.49) unstable; urgency=low
* Support blacklisting of modules from the boot prompt using the syntax
Index: packages/net-retriever/net-retriever
===================================================================
--- packages/net-retriever/net-retriever (revision 45117)
+++ packages/net-retriever/net-retriever (working copy)
@@ -105,7 +105,7 @@
Release="/tmp/net-retriever-$$-Release"
fetch "dists/$codename/Release" "$Release" || exit $?
# If gpgv and a keyring are installed, authentication is
- # mandatory.
+ # mandatory by default.
if type gpgv >/dev/null && [ -f "$keyring" ]; then
if ! fetch "dists/$codename/Release.gpg" "$Release.gpg"; then
error "dists/$codename/Release is unsigned."
@@ -114,7 +114,11 @@
gpgv --status-fd 1 --keyring "$keyring" \
--ignore-time-conflict \
"$Release.gpg" "$Release" | read_gpg_status; then
- error "Bad signature on $Release."
+ if db_get debian-installer/allowunauthenticated && [ "$RET" = true ]; then
+ log "Ignoring bad signature on $Release."
+ else
+ error "Bad signature on $Release."
+ fi
fi
fi
Index: packages/base-installer/debian/postinst
===================================================================
--- packages/base-installer/debian/postinst (revision 45117)
+++ packages/base-installer/debian/postinst (working copy)
@@ -259,6 +259,15 @@
cat > /target/etc/apt/apt.conf.d/00IgnoreTimeConflict << EOT
Acquire::gpgv::Options { "--ignore-time-conflict"; };
EOT
+
+ if db_get debian-installer/allowunauthenticated && [ "$RET" = true ]; then
+ cat > /target/etc/apt/apt.conf.d/00AllowUnauthenticated << EOT
+# Force apt to ignore auth issues.
+# Warning: This configuration is insecure and not recommended!
+APT::Get::AllowUnauthenticated "true";
+EOT
+ fi
+
# let apt inside the chroot see the cdrom
if [ "$PROTOCOL" = file ] ; then
if [ -n "$DIRECTORY" ]; then
Index: packages/base-installer/debian/changelog
===================================================================
--- packages/base-installer/debian/changelog (revision 45167)
+++ packages/base-installer/debian/changelog (working copy)
@@ -5,8 +5,11 @@
[ Joey Hess ]
* Add support for armel.
+ * If debian-installer/allowunauthenticated exists and is true, write a
+ /etc/apt/apt.conf.d/00AllowUnauthenticated file making apt allow
+ unauthenticated mirrors.
- -- Joey Hess <joeyh@debian.org> Wed, 14 Feb 2007 16:28:10 -0500
+ -- Joey Hess <joeyh@debian.org> Thu, 15 Feb 2007 13:58:34 -0500
base-installer (1.72) unstable; urgency=low
--
see shy jo
Attachment:
signature.asc
Description: Digital signature