
Bug#773775: marked as done (improve bootstrapping of derivative archive keys)



Your message dated Fri, 02 Dec 2016 22:49:02 +0000
with message-id <E1cCwda-000EZz-Lp@fasolo.debian.org>
and subject line Bug#773775: fixed in live-build 1:20161202
has caused the Debian Bug report #773775,
regarding improve bootstrapping of derivative archive keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773775: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773775
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: live-build
Version: 4.0.4-1
Tags: patch

Attached is a patch to fix and improve the bootstrap_archive-keys script, which installs additional archive keys when building a progress-linux image.

I am not currently familiar at all with progress-linux, so this needs review and testing by someone who is.

I think the first three items below suggest that this is important enough to be pushed into jessie. The patch is built upon v4.

Summary of changes:
  • Fixed misspelling/old spelling of cairon (chairon), which would have blocked keys being installed.
  • Fixed broken URLs the keys are being fetched from. This assumes the following link is an example of the current and correct location and filenames, where the directory has changed from project/keys to project/pgp, filenames no longer contain version numbers, and 'packages' keys no longer exist, but 'backports' keys now do. http://archive.progress-linux.org/packages/project/pgp/
  • Fixed possibly broken key installation ability (or at least location is now more explicit). Previously, the apt-key program was run (under chroot) simply with the name of the key file, no path. Using chroot does not change the working directory afaik, and I am not sure therefore whether it would have actually found the file it needed to add. Now the location is given (/[file]), which fixes this, assuming it was indeed broken.
  • Allow use of either gpgv or gpgv2 for verification
  • Allow use of either or both of debian-keyring.gpg (from the keyring package) and debian-archive-keyring.gpg (default key added by debootstrap)
  • Disallow gpgv to automatically look for a 'default' keyring (--no-default-keyring param)
  • Improved error checking, stopping execution if a problem occurs, enforcing stricter security checks.
  • Tidied up the code a bit.
commit 25a02e174f60535dbd4a6de8b56dfe5c6c8a550c
Author: jnqnfe <jnqnfe@gmail.com>
Date:   Tue Dec 23 05:55:43 2014 +0000

    Fix and improve bootstrap_archive-keys

diff --git a/scripts/build/bootstrap_archive-keys b/scripts/build/bootstrap_archive-keys
index 4b9324f..31641b4 100755
--- a/scripts/build/bootstrap_archive-keys
+++ b/scripts/build/bootstrap_archive-keys
@@ -33,45 +33,82 @@ case "${LB_MODE}" in
 	progress-linux)
 		case "${LB_DISTRIBUTION}" in
 			artax*)
-				_KEYS="1.0-artax 1.0-artax-packages"
+				_KEYS="archive-key-artax.asc archive-key-artax-backports.asc"
 				;;
 
 			baureo*)
-				_KEYS="2.0-baureo 2.0-baureo-packages"
+				_KEYS="archive-key-baureo.asc archive-key-baureo-backports.asc"
 				;;
 
-			chairon*)
-				_KEYS="3.0-chairon 3.0-chairon-packages"
+			cairon*)
+				_KEYS="archive-key-cairon.asc archive-key-cairon-backports.asc"
 				;;
 		esac
 
-		_URL="${LB_MIRROR_CHROOT}/project/keys"
+		_URL_BASE="${LB_MIRROR_CHROOT}/project/gpg"
 		;;
 esac
 
-for _KEY in ${_KEYS}
-do
-	Echo_message "Fetching archive-key ${_KEY}..."
-
-	wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
-	wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig
-
-	if [ -e /usr/bin/gpgv ] && [ -e /usr/share/keyrings/debian-keyring.gpg ]
+if [ ! -z "${_KEYS}" ]
+then
+	# Check GPGV program exists
+	if [ -x "$(which gpgv2 2>/dev/null)" ]
 	then
-		Echo_message "Verifying archive-key ${_KEY} against debian-keyring..."
-
-		/usr/bin/gpgv --quiet --keyring /usr/share/keyrings/debian-keyring.gpg chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 || { Echo_error "archive-key ${_KEY} has invalid signature."; return 1;}
+		_GPG_TOOL="gpgv2"
+	elif [ -x "$(which gpgv 2>/dev/null)" ]
+	then
+		_GPG_TOOL="gpgv"
 	else
-		Echo_warning "Skipping archive-key ${_KEY} verification, either gpgv or debian-keyring not available on host system..."
+		Echo_error "gpg verification program (gpgv/gpgv2) does not exist, and archive keys cannot be verified without it! Please install it and try again."
+		exit 1
 	fi
 
-	Echo_message "Importing archive-key ${_KEY}..."
-
-	Chroot chroot "apt-key add key.asc"
-	rm -f chroot/key.asc chroot/key.asc.sig
-done
+	# Compile list of keyrings to use for verification
+	_KEYRINGS=""
+	_DEBIAN_KEYRING="/usr/share/keyrings/debian-keyring.gpg"
+	_DEBIAN_ARCHIVE_KEYRING="/usr/share/keyrings/debian-archive-keyring.gpg"
+	for _KEYRING in "${_DEBIAN_KEYRING}" "${_DEBIAN_ARCHIVE_KEYRING}"
+	do
+		if [ -e "${_KEYRING}" ]
+		then
+			_KEYRINGS="${_KEYRINGS} --keyring ${_KEYRING}"
+		fi
+	done
+	if [ -z "${_KEYRINGS}" ]
+	then
+		Echo_error "no keyrings found for verification of additional archive keys that are to be installed!"
+		exit 1
+	fi
 
-Chroot chroot "apt-get update"
+	# Fetch and install keys
+	for _KEY in ${_KEYS}
+	do
+		Echo_message "Fetching archive-key ${_KEY}..."
+		for _FILE in "${_KEY}" "${_KEY}.sig"
+		do
+			_URL="${_URL_BASE}/${_FILE}"
+			if ! wget -q "${_URL}" -O "chroot/${_FILE}"
+			then
+				Echo_error "failed to download file ${_URL}!"
+				exit 1
+			fi
+		done
+
+		Echo_message "Verifying archive-key ${_KEY}..."
+		if ! ${_GPG_TOOL} --quiet --no-default-keyring ${_KEYRINGS} "chroot/${_KEY}" "chroot/${_KEY}.sig"
+		then
+			Echo_error "archive-key ${_KEY} has invalid signature!"
+			exit 1
+		fi
+
+		Echo_message "Importing archive-key ${_KEY}..."
+		Chroot chroot "apt-key add /${_KEY}"
+
+		rm -f "chroot/${_KEY}" "chroot/${_KEY}.sig"
+	done
+
+	Chroot chroot "apt-get update"
+fi
 
 # Creating stage file
 Create_stagefile .build/bootstrap_archive-keys
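Review bot: the gpgv argument order in the new verification line is reversed relative to the line it replaces. gpgv takes the detached signature file first and the signed data second, which is how the removed line `/usr/bin/gpgv --quiet --keyring ... chroot/key.asc.sig chroot/key.asc` called it, but the replacement passes `"chroot/${_KEY}" "chroot/${_KEY}.sig"`, so gpgv will try to read the armored key as the signature and every key will be rejected as having an invalid signature; swap the two arguments to `"chroot/${_KEY}.sig" "chroot/${_KEY}"`. Two smaller points: the cover letter says the keys moved to `project/pgp`, yet the hunk sets `_URL_BASE="${LB_MIRROR_CHROOT}/project/gpg"`, so one of the two is a typo and should be checked against the mirror before this is merged; and on the download and verification failure paths the script exits with the unverified key and signature still sitting in `chroot/`, so the `rm -f "chroot/${_KEY}" "chroot/${_KEY}.sig"` cleanup should also run before each `exit 1` so an unverified key never remains in the build tree.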

--- End Message ---
--- Begin Message ---
Source: live-build
Source-Version: 1:20161202

We believe that the bug you reported is fixed in the latest version of
live-build, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773775@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated live-build package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 02 Dec 2016 23:33:45 +0100
Source: live-build
Binary: live-build
Architecture: source
Version: 1:20161202
Distribution: unstable
Urgency: medium
Maintainer: Debian Live <debian-live@lists.debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description:
 live-build - Live System Build Components
Closes: 731709 773775 773833 774730 774807 775989 790033 801379 801712 806782 808048 809699 816204 818916 831379 832998
Changes:
 live-build (1:20161202) unstable; urgency=medium
 .
   [ Raphaël Hertzog ]
   * Officially adopt the package. Closes: #808048
   * Better handle empty package lists.
   * Drop ixp4xx from available armel flavors, the image has been gone since
     linux 3.17.
   * Add symlinks for libgpl.c32 and libmenu.c32 which are required by
     the "Hardware Detection Tool (HDT)" menu entry that live-build adds
     in the advanced menu.
   * Add EFI boot support with grub-efi, thanks to Adrian Gibanel Lopez.
     Closes: #731709
   * Fix usage of config/packages.chroot/*.deb that has been broken by the
     switch to GnuPG2 by default by no longer using GnuPG but relying
     on APT's trusted=yes attribute instead.
     Thus we no longer have remaining keys in /etc/apt/trusted.gpg
     after building. Closes: #816204
   * Try to reuse /isolinux/splash.png in default grub configuration.
   * Drop debian/source/{local-options,options} as they are no longer needed.
   * Pass components to debootstrap --second-stage. Closes: #806782
     Thanks to Sjoerd Simons <sjoerd.simons@collabora.co.uk> for the patch.
   * Fix behaviour of (undocumented) "#nif" conditional test. Closes: #801379
     Thanks to Erik Cumps <erik.cumps@esaturnus.com> for the patch.
   * Export SOURCE_DATE_EPOCH when running chroot commands. Closes: #832998
     Thanks to Chris Lamb <lamby@debian.org> for the patch.
   * Set xorriso's "modification time" to SOURCE_DATE_EPOCH. Closes: #831379
     Thanks to Chris Lamb <lamby@debian.org> for the patch.
   * Support “lb config --debootstrap-script <script>” to use an alternate
     bootstrap script when running debootstrap. Thanks to Sjoerd Simons
     <sjoerd@debian.org> for the initial patch. Closes: #790033
   * Manual pages updates by jnqnfe. Closes: #774730
   * Drop left-over translation files for removed lb_testroot command.
   * Get rid of useless bootstrap_archive-keys script. Closes: #773775
   * Drop an optimization in chroot_archives that has undesired side-effects.
     Thanks to jnqnfe for the patch. Closes: #775989
   * Drop gpgv and debian-keyring from Suggests.
   * Fix Check_installed function when checking against host. Thanks to jnqnfe
     for the report. Closes: #774807
   * Bump debhelper compat level to 10.
   * Bump Standards-Version to 3.9.8.
   * Use a grub theme that integrates reasonably well with the current
     background picture.
   * Default for LB_UNION_FILESYSTEM is now "overlay" just like in live-boot.
   * Update the way we generate the version of live-build that is displayed by
     lb --version.
   * Instead of renaming kernel for syslinux, create hardlinks.
   * Simplify grub configuration code to use only long kernel names. Put
     advanced options in a submenu. Use distro-agnostic labels.
 .
   [ Kristian Klausen ]
   * Include ext{3,4} journal size when calculating image size. Closes: #801712
   * Switch d-i.debian.org URIs from http to https. Closes: #809699
   * Fix typo in binary_syslinux. Closes: #818916
   * Correct syslinux/extlinux mbr.bin path. Closes: #773833

--- End Message ---
