Package: live-build Version: 4.0.4-1 Tags: patch Attached is a patch to fix and improve the bootstrap_archive-keys script, which installs additional archive keys when building a progress-linux image. I am currently not at all familiar with progress-linux, so this needs review and testing by someone who is. I think the first three items below suggest that this is important enough to be pushed into jessie. The patch is built upon v4. Summary of changes:
commit 25a02e174f60535dbd4a6de8b56dfe5c6c8a550c
Author: jnqnfe <jnqnfe@gmail.com>
Date: Tue Dec 23 05:55:43 2014 +0000
Fix and improve bootstrap_archive-keys
diff --git a/scripts/build/bootstrap_archive-keys b/scripts/build/bootstrap_archive-keys
index 4b9324f..31641b4 100755
--- a/scripts/build/bootstrap_archive-keys
+++ b/scripts/build/bootstrap_archive-keys
@@ -33,45 +33,82 @@ case "${LB_MODE}" in
progress-linux)
case "${LB_DISTRIBUTION}" in
artax*)
- _KEYS="1.0-artax 1.0-artax-packages"
+ _KEYS="archive-key-artax.asc archive-key-artax-backports.asc"
;;
baureo*)
- _KEYS="2.0-baureo 2.0-baureo-packages"
+ _KEYS="archive-key-baureo.asc archive-key-baureo-backports.asc"
;;
- chairon*)
- _KEYS="3.0-chairon 3.0-chairon-packages"
+ cairon*)
+ _KEYS="archive-key-cairon.asc archive-key-cairon-backports.asc"
;;
esac
- _URL="${LB_MIRROR_CHROOT}/project/keys"
+ _URL_BASE="${LB_MIRROR_CHROOT}/project/gpg"
;;
esac
-for _KEY in ${_KEYS}
-do
- Echo_message "Fetching archive-key ${_KEY}..."
-
- wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
- wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig
-
- if [ -e /usr/bin/gpgv ] && [ -e /usr/share/keyrings/debian-keyring.gpg ]
+if [ ! -z "${_KEYS}" ]
+then
+ # Check GPGV program exists
+ if [ -x "$(which gpgv2 2>/dev/null)" ]
then
- Echo_message "Verifying archive-key ${_KEY} against debian-keyring..."
-
- /usr/bin/gpgv --quiet --keyring /usr/share/keyrings/debian-keyring.gpg chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 || { Echo_error "archive-key ${_KEY} has invalid signature."; return 1;}
+ _GPG_TOOL="gpgv2"
+ elif [ -x "$(which gpgv 2>/dev/null)" ]
+ then
+ _GPG_TOOL="gpgv"
else
- Echo_warning "Skipping archive-key ${_KEY} verification, either gpgv or debian-keyring not available on host system..."
+ Echo_error "gpg verification program (gpgv/gpgv2) does not exist, and archive keys cannot be verified without it! Please install it and try again."
+ exit 1
fi
- Echo_message "Importing archive-key ${_KEY}..."
-
- Chroot chroot "apt-key add key.asc"
- rm -f chroot/key.asc chroot/key.asc.sig
-done
+ # Compile list of keyrings to use for verification
+ _KEYRINGS=""
+ _DEBIAN_KEYRING="/usr/share/keyrings/debian-keyring.gpg"
+ _DEBIAN_ARCHIVE_KEYRING="/usr/share/keyrings/debian-archive-keyring.gpg"
+ for _KEYRING in "${_DEBIAN_KEYRING}" "${_DEBIAN_ARCHIVE_KEYRING}"
+ do
+ if [ -e "${_KEYRING}" ]
+ then
+ _KEYRINGS="${_KEYRINGS} --keyring ${_KEYRING}"
+ fi
+ done
+ if [ -z "${_KEYRINGS}" ]
+ then
+ Echo_error "no keyrings found for verification of additional archive keys that are to be installed!"
+ exit 1
+ fi
-Chroot chroot "apt-get update"
+ # Fetch and install keys
+ for _KEY in ${_KEYS}
+ do
+ Echo_message "Fetching archive-key ${_KEY}..."
+ for _FILE in "${_KEY}" "${_KEY}.sig"
+ do
+ _URL="${_URL_BASE}/${_FILE}"
+ if ! wget -q "${_URL}" -O "chroot/${_FILE}"
+ then
+ Echo_error "failed to download file ${_URL}!"
+ exit 1
+ fi
+ done
+
+ Echo_message "Verifying archive-key ${_KEY}..."
+ if ! ${_GPG_TOOL} --quiet --no-default-keyring ${_KEYRINGS} "chroot/${_KEY}" "chroot/${_KEY}.sig"
+ then
+ Echo_error "archive-key ${_KEY} has invalid signature!"
+ exit 1
+ fi
+
+ Echo_message "Importing archive-key ${_KEY}..."
+ Chroot chroot "apt-key add /${_KEY}"
+
+ rm -f "chroot/${_KEY}" "chroot/${_KEY}.sig"
+ done
+
+ Chroot chroot "apt-get update"
+fi
# Creating stage file
Create_stagefile .build/bootstrap_archive-keys
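Review bot: The new verification call passes the key file before its detached signature (`"chroot/${_KEY}" "chroot/${_KEY}.sig"`), whereas gpgv expects the signature first and the signed data second, as the removed line had it. As written the check should reject every key rather than validate one, so swap the operands: `${_GPG_TOOL} --quiet ${_KEYRINGS} "chroot/${_KEY}.sig" "chroot/${_KEY}"`. As far as I know `--no-default-keyring` is a gpg option that gpgv does not accept (gpgv is expected to consult only the keyrings named with `--keyring` once any is given), so confirm it against the gpgv and gpgv2 versions this must run on, or drop it. Separately, a valid signature from any key in debian-keyring.gpg or debian-archive-keyring.gpg is enough for the downloaded key to become trusted by apt in the chroot; checking the signer reported on `--status-fd` against an expected fingerprint would narrow that. The error paths also `exit 1` before the `rm -f`, which leaves the unverified download in `chroot/`, and the enclosing `case "${LB_MODE}"` begins outside this hunk.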