Bug#819586: debian-installer-netboot-images: unhelpful handling of GPG errors
Source: debian-installer-netboot-images
Version: 20120712
Severity: serious
Justification: silently ignores failures, creating broken packages

Hi,

Whilst preparing the dini uploads for the upcoming point releases, on
debdiffing the binary packages against the previous versions I noticed
that one of them seemed to have lost all of its files and had an
Installed-Size of 32.

Checking the build log, I found that this was due to one of the Release
file checks failing with:

    gpgv: BAD signature from "Debian Archive Automatic Signing Key
    (7.0/wheezy) <ftpmaster@debian.org>"

(This appears to have been an issue with a particular mirror, fwiw.)

The checks in get-images.sh do:

    if gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg $RELEASE_FILE.gpg $RELEASE_FILE ; then
        get_di_built_using $1
        get_installer $1
    fi

Whilst a failure to verify the Release signature does mean that we don't
attempt to build an image using untrusted inputs, the package build
continues with no sign of a problem having occurred until the binary
packages are examined.
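As an added example (not part of this report, nor code from debian-installer-netboot-images), here is a hardened form of that check: a verification failure is reported on stderr, recorded, and turned into a non-zero exit at the end of the run, so the package build fails instead of shipping an empty binary package. It assumes get_di_built_using and get_installer are the helpers already defined in get-images.sh; the GPGV and KEYRING variables are illustrative overrides so the control flow can be exercised without the real archive keyring.

```shell
#!/bin/sh
# Hardened replacement for the Release-signature check in get-images.sh.
# Added example for this bug report, not the package's own code. It assumes
# get_di_built_using and get_installer are defined earlier in the script;
# GPGV and KEYRING are assumed overrides for exercising the logic in tests.

KEYRING="${KEYRING:-/usr/share/keyrings/debian-archive-keyring.gpg}"
GPGV="${GPGV:-gpgv}"
FAILED_SUITES=""   # space-separated list of suites whose Release failed to verify

# verify_release RELEASE_FILE
# Returns 0 if the detached signature on RELEASE_FILE verifies against
# KEYRING, 1 otherwise. Every failure path writes a diagnostic to stderr
# rather than returning quietly.
verify_release() {
    release="$1"
    if [ ! -f "$release" ] || [ ! -f "$release.gpg" ]; then
        echo "E: $release or $release.gpg is missing" >&2
        return 1
    fi
    if ! "$GPGV" --keyring "$KEYRING" "$release.gpg" "$release"; then
        echo "E: gpgv rejected the signature on $release" >&2
        return 1
    fi
    return 0
}

# build_suite SUITE RELEASE_FILE
# Fetches the installer only after the Release file verifies. On failure the
# suite is recorded so that finish_build can fail the whole package build.
build_suite() {
    suite="$1"
    release="$2"
    if verify_release "$release"; then
        get_di_built_using "$suite"
        get_installer "$suite"
        return 0
    fi
    FAILED_SUITES="$FAILED_SUITES $suite"
    return 1
}

# finish_build
# Call once after all suites have been processed. A non-zero return makes the
# build fail loudly instead of producing a package with no files in it.
finish_build() {
    if [ -n "$FAILED_SUITES" ]; then
        echo "E: Release verification failed for:$FAILED_SUITES" >&2
        return 1
    fi
    return 0
}
```

Usage inside get-images.sh would be `build_suite "$1" "$RELEASE_FILE"` in place of the quoted `if` block, followed by `finish_build || exit 1` at the end of the script. Recording failures and failing at the end, rather than exiting at the first bad signature, keeps the full list of affected suites in the build log while still guaranteeing that a bad mirror cannot produce a silently broken package.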

Regards,
Adam