Re: debootstrap InRelease file support
On Mon, Aug 15, 2016 at 12:12:02 +0200, Ansgar Burchardt wrote:
> If you restore support for `InRelease` and want to use `gpgv`, please
> split `InRelease` into two files, i.e. `Release` and `Release.gpg`, and
> verify that the signature actually covers all of `Release`.
>
Here's an attempt at doing that. Only lightly tested.
Cheers,
Julien
diff --git a/debian/changelog b/debian/changelog
index 46b4974..3f0ef23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.82) UNRELEASED; urgency=medium
+
+ * Add support for downloading and validating InRelease files, by splitting
+ up detached signature from signed data.
+
+ -- Julien Cristau <jcristau@debian.org> Fri, 02 Sep 2016 20:26:38 +0200
+
debootstrap (1.0.81) unstable; urgency=medium
[ Luca Falavigna ]
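Review bot: the changelog entry says what the mechanism is but not what the user-visible behaviour becomes; it should state that the split-out signature is then checked with gpgv against the whole Release body, and that the old Release + Release.gpg path is still used when InRelease is not available. Also "splitting up detached signature from signed data" wants an article: "by splitting the detached signature from the signed data".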
diff --git a/functions b/functions
index 031721f..407cc38 100644
--- a/functions
+++ b/functions
@@ -537,15 +537,30 @@ download_release_sig () {
download_release_indices () {
local m1="${MIRRORS%% *}"
local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release")"
- local relsigdest
+ local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/InRelease")"
+ local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
progress 0 100 DOWNREL "Downloading Release file"
progress_next 100
- get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
- error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
- relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
- progress 100 100 DOWNREL "Downloading Release file"
+ if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then
+ sed -n '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/p' < "$inreldest" > "$relsigdest"
+ awk 'BEGIN {ORS="" ; first=1}
+ /^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/ { next }
+ /^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP SIGNATURE-----$/ {next}
+ { if (first) { first=0 } else { printf "\n" } print }' \
+ < "$inreldest" > "$reldest"
+ progress 100 100 DOWNREL "Downloading Release file"
+ info RELEASESIG "Checking Release signature"
+ # Don't worry about the exit status from gpgv; parsing the output will
+ # take care of that.
+ (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict \
+ "$relsigdest" "$reldest" || true) | read_gpg_status
+ else
+ get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
+ error 1 NOGETREL "Failed getting release file %s" "$m1/dists/$SUITE/Release"
+ progress 100 100 DOWNREL "Downloading Release file"
- download_release_sig "$m1" "$reldest" "$relsigdest"
+ download_release_sig "$m1" "$reldest" "$relsigdest"
+ fi
extract_release_components $reldest
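Review bot: the awk that writes "$reldest" copies the signed lines verbatim, so it does not undo RFC 4880 dash-escaping (a "- " prefix on any body line that starts with "-"), which means a Release file containing such a line would be reconstructed wrongly and fail gpgv even though the mirror is honest; the comparison with Release.gpg only works because current Release files happen to have no such lines. Add a `sub(/^- /, "", $0)` (or equivalent) before printing each body line. Separately, the new branch trusts that whatever `get` fetched as InRelease is a clearsigned message: if the mirror returns an HTML error page with status 200, the sed produces an empty "$relsigdest", the page body lands in "$reldest", gpgv fails, and the Release + Release.gpg fallback in the else branch is never tried. Checking that the fetched file starts with `-----BEGIN PGP SIGNED MESSAGE-----` and that "$relsigdest" is non-empty before calling gpgv, and otherwise taking the else path, would keep the fallback reachable. Minor: the two identical `progress 100 100 DOWNREL` calls can move after `fi`.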
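As an added example that is not part of Julien's patch or of debootstrap, the following POSIX sh splitter does what the quoted request asks for: it turns a clearsigned InRelease into a Release body and a detached Release.gpg following RFC 4880 section 7.1 (dash-escaping undone, no trailing whitespace, no newline after the last signed line), and it returns non-zero whenever the input is not exactly one well-formed clearsigned message or carries unsigned lines outside the message, so a caller can fall back to fetching Release and Release.gpg instead of passing junk to gpgv. The gpgv invocation itself is left to the caller; the function and variable names, the sample InRelease and its placeholder signature block are all constructed for this example.

```shell
#!/bin/sh
# Added example (not debootstrap's code): split a clearsigned InRelease into
# the signed body (Release) and the detached armored signature (Release.gpg).
#
# split_inrelease INRELEASE RELEASE_OUT RELEASE_GPG_OUT
#   returns 0 when both output files were written, 1 when the input is not a
#   single well-formed clearsigned message (caller should fall back to
#   Release + Release.gpg, or fail, instead of calling gpgv on the result).
split_inrelease() {
    src=$1 body=$2 sig=$3
    # Exactly one of each armor marker; anything else is an HTML error page,
    # a truncated download, or several messages glued together.
    nbegin=$(grep -c '^-----BEGIN PGP SIGNED MESSAGE-----$' "$src" || true)
    nsig=$(grep -c '^-----BEGIN PGP SIGNATURE-----$' "$src" || true)
    nend=$(grep -c '^-----END PGP SIGNATURE-----$' "$src" || true)
    [ "$nbegin" -eq 1 ] && [ "$nsig" -eq 1 ] && [ "$nend" -eq 1 ] || return 1
    : > "$body"; : > "$sig"
    awk '
      # state 0: before the message, 1: armor headers (Hash: ...),
      # 2: signed body, 3: signature block, 4: after the signature
      BEGIN { state = 0; first = 1; stray = 0 }
      state == 0 && /^-----BEGIN PGP SIGNED MESSAGE-----$/ { state = 1; next }
      state == 1 && /^$/ { state = 2; next }   # blank line ends the headers
      state == 1 { next }
      state == 2 && /^-----BEGIN PGP SIGNATURE-----$/ { state = 3 }
      state == 3 {
          print > sigfile
          if ($0 ~ /^-----END PGP SIGNATURE-----$/) state = 4
          next
      }
      state == 2 {
          line = $0
          sub(/^- /, "", line)        # undo dash-escaping (RFC 4880 7.1)
          sub(/[ \t]+$/, "", line)    # canonical form has no trailing whitespace
          # No newline after the last body line: the signature does not cover it.
          if (first) first = 0; else printf "\n" > bodyfile
          printf "%s", line > bodyfile
          next
      }
      { stray++ }                     # lines outside the message are unsigned
      END { exit (state != 4 || stray > 0) }
    ' bodyfile="$body" sigfile="$sig" "$src"
}

# Constructed sample InRelease (placeholder, not a real signature) exercising
# a dash-escaped body line and trailing whitespace in the signed text.
write_sample_inrelease() {
    printf '%s\n' \
        '-----BEGIN PGP SIGNED MESSAGE-----' \
        'Hash: SHA256' \
        '' \
        'Origin: Debian' \
        'Suite: stable' \
        '- -- a signed line that starts with a dash' \
        'Date: Sat, 03 Sep 2016 10:00:00 UTC   ' \
        '-----BEGIN PGP SIGNATURE-----' \
        '' \
        'PLACEHOLDER-NOT-A-REAL-SIGNATURE' \
        '=XXXX' \
        '-----END PGP SIGNATURE-----' > "$1"
}

# Demonstration run; in a downloader the non-zero return would select the
# plain Release + Release.gpg path.
demo() {
    dir=$(mktemp -d)
    write_sample_inrelease "$dir/InRelease"
    if split_inrelease "$dir/InRelease" "$dir/Release" "$dir/Release.gpg"; then
        echo "== Release =="; cat "$dir/Release"; echo
        echo "== Release.gpg =="; cat "$dir/Release.gpg"
        # gpgv --keyring "$KEYRING" "$dir/Release.gpg" "$dir/Release" would run here
    else
        echo "InRelease is not a single clearsigned message; fall back to Release/Release.gpg"
    fi
    rm -rf "$dir"
}

demo
```

Because the body is verified as a detached signature over the whole file, any line the splitter lets through that the signer did not cover makes gpgv fail; the splitter additionally rejects such files up front so the error surfaces as a malformed InRelease rather than as a bad signature.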