Bug#703431: Annoying GPG error message
On 18/04/2013 14:15, Raphael Hertzog wrote:
On Tue, 16 Apr 2013, Robert Spencer wrote:
And have debian-cd extract the file and pass it around to APT and debootstrap.
And then DEBOOTSTRAP_OPTS would default to "--no-check-gpg" and we would just
unset it to activate the GPG check at the debootstrap level.
Can you implement this?
Patch file attached. Again it's for debian-cd 3.1.12.
Thanks, but there's a small misunderstanding left here:
# By default we use debootstrap --no-check-gpg to find out the minimal set
# of packages because there's no reason to not trust the local mirror. But
# you can be paranoid and then you need to indicate the keyring to use to
# validate the mirror.
-#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
+#export DEBOOTSTRAP_OPTS="--keyring $ARCHIVE_KEYRING_FILE"
This still requires that the keyring be installed on the system whereas
we're already extracting it from the binary package in debian-cd.
I'm sorry, I didn't misunderstand you. I made a bad assumption.
I hope the attached patch file is satisfactory.
--
Robert Spencer
--- CONF.sh~ 2013-03-20 13:32:16.000000000 +0000
+++ CONF.sh 2013-04-19 09:24:11.000000000 +0000
@@ -51,6 +51,8 @@
unset OMIT_DOC_TOOLS || true
unset MAX_PKG_SIZE || true
unset DEBOOTSTRAP_OPTS || true
+unset ARCHIVE_KEYRING_PACKAGE || true
+unset ARCHIVE_KEYRING_FILE || true
# The debian-cd dir
# Where I am (hoping I'm in the debian-cd dir)
@@ -179,11 +181,16 @@
#export amd64_MKISOFS="xorriso"
#export amd64_MKISOFS_OPTS="-as mkisofs -r -checksum_algorithm_iso md5,sha1"
+# Keyring (defaults):
+#ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+# The path to the keyring file relative to $TDIR/archive-keyring/
+#ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
+
# By default we use debootstrap --no-check-gpg to find out the minimal set
# of packages because there's no reason to not trust the local mirror. But
# you can be paranoid and then you need to indicate the keyring to use to
# validate the mirror.
-#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
+#export DEBOOTSTRAP_OPTS="--keyring $TDIR/archive-keyring/$ARCHIVE_KEYRING_FILE"
# ISOLinux support for multiboot on CD1 for i386
export ISOLINUX=1
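Review bot: The commented DEBOOTSTRAP_OPTS example at the end of this hunk expands $ARCHIVE_KEYRING_FILE at the moment CONF.sh is sourced, but the only assignment CONF.sh offers for it is the commented, non-exported `#ARCHIVE_KEYRING_FILE=...` line above, and the first hunk unsets the variable. Someone who uncomments only the DEBOOTSTRAP_OPTS line gets `--keyring $TDIR/archive-keyring/` with no file name, because the ifndef default in the Makefile is a make variable and does not exist in the shell that reads CONF.sh. Suggest writing the two keyring lines as `#export ARCHIVE_KEYRING_FILE=...`, like the other settings in this file, and stating in the comment that they must be set before DEBOOTSTRAP_OPTS is uncommented.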
--- Makefile~ 2013-03-19 15:41:47.000000000 +0000
+++ Makefile 2013-04-19 09:11:55.000000000 +0000
@@ -37,6 +37,12 @@
ifndef HOOK
HOOK=$(BASEDIR)/tools/$(CODENAME).hook
endif
+ifndef ARCHIVE_KEYRING_PACKAGE
+ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+endif
+ifndef ARCHIVE_KEYRING_FILE
+ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
+endif
export BUILD_DATE=$(shell date -u +%Y%m%d-%H:%M)
export ARCHES_NOSRC=$(shell echo $(ARCHES) | sed 's/source//')
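Review bot: The two ifndef defaults added here are plain make assignments, unlike the `export BUILD_DATE=...` line that follows, so recipes can use $(ARCHIVE_KEYRING_FILE) but the values are not placed in the environment of scripts the Makefile runs. If anything outside the Makefile needs the keyring path, for example to build the debootstrap --keyring argument discussed in this thread, add `export ARCHIVE_KEYRING_PACKAGE ARCHIVE_KEYRING_FILE` after the endif lines. The default values also duplicate the commented ones in CONF.sh, so a comment pointing from one to the other would help keep them in sync.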
@@ -227,12 +233,12 @@
:> $(ADIR)/status
# Set up keyring so apt doesn't complain
- @echo "Setting up debian-archive-keyring"
- $(Q)mkdir -p $(TDIR)/debian-archive-keyring
- $(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) debian-archive-keyring) $(TDIR)/debian-archive-keyring
+ @echo "Setting up archive-keyring"
+ $(Q)mkdir -p $(TDIR)/archive-keyring
+ $(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) $(ARCHIVE_KEYRING_PACKAGE)) $(TDIR)/archive-keyring
$(Q)for ARCH in $(ARCHES); do \
mkdir -p $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
- ln -s $(TDIR)/debian-archive-keyring/usr/share/keyrings/* $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
+ ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
done
# Updating the apt database
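Review bot: In the ln -s line, replacing the `usr/share/keyrings/*` glob with a single $(ARCHIVE_KEYRING_FILE) path means a wrong setting now produces a dangling symlink in trusted.gpg.d without any error, since ln -s does not check that its target exists and nothing after the dpkg -x step confirms the file is in the extracted package. The failure would only surface later as an apt signature error. Suggest a `test -f $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE)` check with a clear message before the loop. It is also worth documenting that only one keyring file is linked now, where the glob linked every file under usr/share/keyrings.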