
Bug#703146: Better debootstrap InRelease handling fix



Hi,

Le mercredi 27 mars 2013 à 00:53 +0100, Bernhard R. Link a écrit :
> * Benjamin Cama <benjamin.cama@telecom-bretagne.eu> [130326 18:33]:
> > index 1dc0f87..3333f44 100644
> > --- a/functions
> > +++ b/functions
> > @@ -530,8 +530,13 @@ download_release_sig () {
> >  		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
> >  	fi
> >  	if [ "$release_file_variant" = "IN" ]; then
> > -		rm -f $reldest
> > -                gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest"
> > +		sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/ { \
> > +				n \
> > +				: check_hash /^Hash:/ { n b check_hash } \
> > +				n # blank line \
> > +			} \
> > +			/^-----BEGIN PGP SIGNATURE-----$/ q \
> > +			p' < "$relsigdest" > "$reldest"
> >  	fi
> >  }
> 
> Sorry, but this is not enough to properly extract the contents of a
> inline signed message. You still need to do possible unescaping between
> those lines.

You are right. Furthermore, my version didn't work with GNU sed; the
attached version fixes both problems (and is based on latest master, after
Julien disabled InRelease support). Please note that it will still print
what's _before_ the BEGIN header, if present (there shouldn't be
anything, but if you really want to be picky…)

Regards,
-- 
Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
>From 38cc6948ad7caff1df5df17cf3a21eb4228e2eda Mon Sep 17 00:00:00 2001
From: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
Date: Wed, 27 Mar 2013 12:51:56 +0100
Subject: [PATCH] Get back InRelease support

We can extract the cleartext with sed. Should be compatible with
RFC 4880 format.

Signed-off-by: Benjamin Cama <benjamin.cama@telecom-bretagne.eu>
---
 functions |   50 ++++++++++++++++++++++++++++++++++++++------------
 1 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/functions b/functions
index 2dc777d..7c7f84a 100644
--- a/functions
+++ b/functions
@@ -503,38 +503,64 @@ download_release_sig () {
 	local m1="$1"
 	local reldest="$2"
 	local relsigdest="$3"
+	local release_file_variant="$4"
 
 	if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then
-		progress 0 100 DOWNRELSIG "Downloading Release file signature"
-		progress_next 50
-		get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
-			error 1 NOGETRELSIG "Failed getting release signature file %s" \
-			"$m1/dists/$SUITE/Release.gpg"
-		progress 50 100 DOWNRELSIG "Downloading Release file signature"
+		if [ "$release_file_variant" != "IN" ]; then
+			progress 0 100 DOWNRELSIG "Downloading Release file signature"
+			progress_next 50
+			get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
+				error 1 NOGETRELSIG "Failed getting release signature file %s" \
+				"$m1/dists/$SUITE/Release.gpg"
+			progress 50 100 DOWNRELSIG "Downloading Release file signature"
+		fi
 
 		info RELEASESIG "Checking Release signature"
 		# Don't worry about the exit status from gpgv; parsing the output will
 		# take care of that.
-		(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
-		 "$relsigdest" "$reldest" || true) | read_gpg_status
+		if [ "$release_file_variant" = "IN" ]; then
+			(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+			 "$relsigdest" || true) | read_gpg_status
+		else
+			(gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+			 "$relsigdest" "$reldest" || true) | read_gpg_status
+		fi
 		progress 100 100 DOWNRELSIG "Downloading Release file signature"
 	elif [ -z "$DISABLE_KEYRING" ] && [ -n "$KEYRING_WANTED" ]; then
 		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
 	fi
+	if [ "$release_file_variant" = "IN" ]; then
+		sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/ {
+				n
+				: check_hash /^Hash:/ { n ; b check_hash }
+				n # blank line
+			}
+			s/^- //
+			/^-----BEGIN PGP SIGNATURE-----$/ q
+			p' < "$relsigdest" > "$reldest"
+	fi
 }
 
 download_release_indices () {
 	local m1="${MIRRORS%% *}"
 	local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")"
+	local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")"
 	local relsigdest
+	local release_file_variant="IN"
 	progress 0 100 DOWNREL "Downloading Release file"
 	progress_next 100
-	get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
-		error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
-	relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
+	if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then
+		relsigdest="$inreldest"
+	else
+		info RETRIEVING "Failed to retrieve InRelease"
+		get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
+			error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
+		release_file_variant="GPG"
+		relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
+	fi
 	progress 100 100 DOWNREL "Downloading Release file"
 
-	download_release_sig "$m1" "$reldest" "$relsigdest"
+	download_release_sig "$m1" "$reldest" "$relsigdest" "$release_file_variant"
 
 	extract_release_components $reldest
 
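Review bot: In the `IN` branch added at the end of download_release_sig, `$reldest` is produced by sed from `$relsigdest` independently of gpgv, so nothing guarantees that the text extract_release_components later parses is exactly the text whose signature was checked. The sed script prints every line that precedes `-----BEGIN PGP SIGNED MESSAGE-----`, so unsigned lines ahead of the armor header would end up in the Release file even when the signature on the armored part is good. Fail closed before extracting, for example `[ "$(head -n 1 "$relsigdest")" = "-----BEGIN PGP SIGNED MESSAGE-----" ] || error 1 BADINRELEASE "Unexpected data before signed message in %s" "$relsigdest"` (the `BADINRELEASE` tag is a placeholder, not an existing error code). Alternatively, where the installed gpgv supports `--output`, let gpgv write the verified text to `$reldest` instead of re-parsing the file. download_release_sig begins above the hunk and read_gpg_status is not shown, so how a bad or missing signature is handled cannot be confirmed from here.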
-- 
1.7.2.5

