
Bug#703431: Annoying GPG error message



On 12/04/2013 10:54, Raphael Hertzog wrote:
> On Wed, 10 Apr 2013, Robert Spencer wrote:
>> I don't have a non-Debian system to test it on, but I hope the
>> attached patch file meets your requirements (it's for debian-cd
>> 3.1.12).
>>
>> I have tested it on my build system and the defaults work.
>
> I applied it. But thinking a bit more about what you did there's
> more to improve. First you enable all keyrings in /usr/share/keyrings
> which means also /usr/share/keyrings/debian-archive-removed-keys.gpg.
> I don't think that we should use this one.
>
> So we should be able to tell that we want to use a specific keyring
> and not assume that all those in /usr/share/keyrings/ are OK.

Agreed.

>> On a related note, should I file a bug on the addition of the
>> following line to CONF.sh or just provide another patch?
>>
>> #export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
>
> I do not understand your question. That line is already in CONF.sh.

My concern was addressed below.

> $ grep DEBOOTSTRAP_OPTS CONF.sh
> unset DEBOOTSTRAP_OPTS   || true
> #export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
>
> But when you see that line it seems obvious that there's room for improvement
> here. Why should we have to specify the keyring file twice, once for APT and
> once for debootstrap?
>
> So IMO we should be able to use only two parameters:
>
> ARCHIVE_KEYRING_PACKAGE=debian-archive-package
> ARCHIVE_KEYRING_FILE=/usr/share/keyrings/debian-archive-keyring.gpg
>
> And have debian-cd extract the file and pass it around to APT and debootstrap.
> And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
> unset it to activate the GPG check at the debootstrap level.
>
> Can you implement this?

Patch file attached. Again it's for debian-cd 3.1.12.

--
Robert Spencer
--- CONF.sh~	2013-03-20 13:32:16.000000000 +0000
+++ CONF.sh	2013-04-16 14:42:46.000000000 +0000
@@ -51,6 +51,8 @@
 unset OMIT_DOC_TOOLS     || true
 unset MAX_PKG_SIZE       || true
 unset DEBOOTSTRAP_OPTS   || true
+unset ARCHIVE_KEYRING_PACKAGE || true
+unset ARCHIVE_KEYRING_FILE    || true
 
 # The debian-cd dir
 # Where I am (hoping I'm in the debian-cd dir)
@@ -179,11 +181,15 @@
 #export amd64_MKISOFS="xorriso"
 #export amd64_MKISOFS_OPTS="-as mkisofs -r -checksum_algorithm_iso md5,sha1"
 
+# Keyring (defaults):
+#ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+#ARCHIVE_KEYRING_FILE=/usr/share/keyrings/debian-archive-keyring.gpg
+
 # By default we use debootstrap --no-check-gpg to find out the minimal set
 # of packages because there's no reason to not trust the local mirror. But
 # you can be paranoid and then you need to indicate the keyring to use to
 # validate the mirror.
-#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
+#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"
 
 # ISOLinux support for multiboot on CD1 for i386
 export ISOLINUX=1
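Review bot: `#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"` is expanded by the shell at the moment CONF.sh is sourced, but the two default lines added just above (`#ARCHIVE_KEYRING_FILE=...`) are commented out and not exported, so a user who uncomments only the DEBOOTSTRAP_OPTS line ends up passing `--keyring` with an empty value to debootstrap; the `ifndef` default in the Makefile cannot help because make starts after that expansion has already happened. Suggest either shipping the defaults live (`export ARCHIVE_KEYRING_FILE=/usr/share/keyrings/debian-archive-keyring.gpg`, with a comment that it may be overridden) or adding to the comment block that both lines must be uncommented together. Separately, the header comment still describes `--no-check-gpg` as the default with the keyring as an opt-in, whereas the request in the thread was for the check to be enabled by unsetting DEBOOTSTRAP_OPTS; if that part is intentionally left out, say so in the reply.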
--- Makefile~	2013-03-19 15:41:47.000000000 +0000
+++ Makefile	2013-04-15 12:25:53.000000000 +0000
@@ -37,6 +37,12 @@
 ifndef HOOK
 HOOK=$(BASEDIR)/tools/$(CODENAME).hook
 endif
+ifndef ARCHIVE_KEYRING_PACKAGE
+ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+endif
+ifndef ARCHIVE_KEYRING_FILE
+ARCHIVE_KEYRING_FILE=/usr/share/keyrings/debian-archive-keyring.gpg
+endif
 
 export BUILD_DATE=$(shell date -u +%Y%m%d-%H:%M)
 export ARCHES_NOSRC=$(shell echo $(ARCHES) | sed 's/source//')
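Review bot: missing documentation on the new `ifndef` block: ARCHIVE_KEYRING_FILE is set to a host-absolute path here, yet the recipe later in this patch joins it under `$(TDIR)/archive-keyring/`, i.e. treats it as the path of the keyring inside the extracted package. A one-line comment stating which meaning is intended (for example `# path of the keyring file as installed by $(ARCHIVE_KEYRING_PACKAGE)`) would stop the two uses drifting apart.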
@@ -227,12 +233,12 @@
 	:> $(ADIR)/status
 
 	# Set up keyring so apt doesn't complain
-	@echo "Setting up debian-archive-keyring"
-	$(Q)mkdir -p $(TDIR)/debian-archive-keyring
-	$(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) debian-archive-keyring) $(TDIR)/debian-archive-keyring
+	@echo "Setting up archive-keyring"
+	$(Q)mkdir -p $(TDIR)/archive-keyring
+	$(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) $(ARCHIVE_KEYRING_PACKAGE)) $(TDIR)/archive-keyring
 	$(Q)for ARCH in $(ARCHES); do \
 		mkdir -p $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
-		ln -s $(TDIR)/debian-archive-keyring/usr/share/keyrings/* $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
+		ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
 	done
 
 	# Updating the apt database
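Review bot: `ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) ...` assumes ARCHIVE_KEYRING_FILE names a file inside the extracted package, while CONF.sh hands the same variable to `debootstrap --keyring` as a path on the build host; the two agree only for the default value. If someone sets ARCHIVE_KEYRING_FILE to a keyring that is not shipped in ARCHIVE_KEYRING_PACKAGE, `dpkg -x` succeeds, the symlink dangles silently, and the per-arch trusted.gpg.d contains no usable key for this build. Suggest a guard right after the `dpkg -x`, e.g. `$(Q)test -f $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE)`, so the build fails loudly instead, and consider a separate variable for the in-package path. Replacing the old `keyrings/*` glob with the single file is the right fix for the removed-keys ring mentioned in the thread. Minor: concatenating `$(TDIR)/archive-keyring/` with an absolute path produces a double slash; harmless, but dropping the trailing slash avoids it.

The single-keyring flow Raphael asks for above (extract the keyring from the package, link the one file into APT's trusted.gpg.d, and derive the debootstrap option from that same file) as an added POSIX shell example. This is not code from the debian-cd project or from the attached patch; `setup_keyring`, `make_fixture`, `demo` and the fixture directory layout are assumptions made for the example, and the "keyring" files it writes are constructed placeholders rather than real OpenPGP data. It adds the checks a build would want: the path must be absolute, must exist in the extracted tree, and must not be the removed-keys ring.

```shell
#!/bin/sh
# Added example (not debian-cd code): stage one archive keyring for APT and
# derive the matching debootstrap --keyring argument from the same file.
# Assumes an already-extracted keyring package tree (what `dpkg -x` leaves
# behind); all paths and file contents below are constructed stand-ins.
set -eu

# setup_keyring EXTRACT_DIR KEYRING_FILE APT_DIR
#   EXTRACT_DIR  root of the extracted keyring package (dpkg -x target)
#   KEYRING_FILE absolute path of the keyring as installed by that package
#   APT_DIR      per-arch apt configuration dir that receives trusted.gpg.d/
# Prints the debootstrap argument on success; fails (non-zero) when the
# keyring is missing from the package or is the removed-keys ring.
setup_keyring() {
    extract_dir=$1; keyring_file=$2; apt_dir=$3

    # the package path must be absolute, otherwise the join below is meaningless
    case "$keyring_file" in
        /*) ;;
        *)  echo "keyring path must be absolute: $keyring_file" >&2; return 1 ;;
    esac

    # never trust the ring of keys the archive has retired
    case "$keyring_file" in
        *removed-keys*) echo "refusing to trust removed keys: $keyring_file" >&2; return 1 ;;
    esac

    # join without a double slash, then insist the file really came out of the package
    staged="${extract_dir%/}$keyring_file"
    if [ ! -f "$staged" ]; then
        echo "keyring not found in extracted package: $staged" >&2
        return 1
    fi

    # apt reads *.gpg (and *.asc) from trusted.gpg.d, so keep the package basename
    mkdir -p "$apt_dir/trusted.gpg.d"
    ln -sf "$staged" "$apt_dir/trusted.gpg.d/$(basename "$keyring_file")"

    # the same staged file drives debootstrap, so APT and debootstrap cannot disagree
    printf '%s %s\n' --keyring "$staged"
}

# Constructed fixture: an "extracted package" tree with two keyrings in it.
make_fixture() {
    tdir=$(mktemp -d)
    mkdir -p "$tdir/pkg/usr/share/keyrings"
    printf 'constructed keyring bytes\n' > "$tdir/pkg/usr/share/keyrings/debian-archive-keyring.gpg"
    printf 'constructed keyring bytes\n' > "$tdir/pkg/usr/share/keyrings/debian-archive-removed-keys.gpg"
    echo "$tdir"
}

# Stand-alone run: stage the default keyring for one (constructed) codename-arch dir.
demo() {
    tdir=$(make_fixture)
    setup_keyring "$tdir/pkg" /usr/share/keyrings/debian-archive-keyring.gpg \
        "$tdir/apt/codename-arch/apt"
    ls -l "$tdir/apt/codename-arch/apt/trusted.gpg.d"
    rm -rf "$tdir"
}
```

Run it as `sh example.sh` after appending a `demo` call; the printed `--keyring ...` line is what would become DEBOOTSTRAP_OPTS, and the `ls -l` shows the single symlink that APT will load. Pointing the second argument at the removed-keys ring or at a file the package does not contain makes the function fail instead of leaving a dangling link.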
