[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#819586: debian-installer-netboot-images: unhelpful handling of GPG errors

Source: debian-installer-netboot-images
Version: 20120712
Severity: serious
Justification: silently ignores failures, creating broken packages


Whilst preparing the dini uploads for the upcoming point releases, on
debdiffing the binary packages against the previous versions I noticed
that one of them seemed to have lost all of its files and had an
Installed-Size of 32.

Checking the build log, I found that this was due to one of the Release
file checks failing with:

gpgv: BAD signature from "Debian Archive Automatic Signing Key
(7.0/wheezy) <ftpmaster@debian.org>"

(This appears to have been an issue with a particular mirror, fwiw.)

The checks in get-images.sh do:

if gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg $RELEASE_FILE.gpg $RELEASE_FILE ; then
	get_di_built_using $1
	get_installer $1

Whilst a failure to verify the Release signature does mean that we don't
attempt to build an image using untrusted inputs, the package build
continues with no sign of a problem having occurred until the binary
packages are examined.



Reply to: