
debian-archive-keyring/experimental: fragments instead of symlinks?



Hi *,

I think the idea of using a symlink in debian-archive-keyring/experimental
isn't that great, and here is why:

APT has the lovely bug #558784 which complains about re-adding the keys
from the debian-archive-keyring all the time. The situation is that a user
removes keys which are still active for debian, but not needed anymore for
him, like for example the lenny keys currently.

Currently this means he gets the keys back on apt or debian-archive-keyring
updates (= apt-key update); with this experimental version he will only get
them back on debian-archive-keyring updates (then apt has dropped the
apt-key update), but in his first step, he will modify a file in /usr/share/
to remove the key(s)…

After all, the whole idea of trusted.gpg.d was to get closer to the point of
fixing this. So attached is a diff against the experimental version to split
up the keyring into fragment files and drop these into trusted.gpg.d, handled
as config files so that it is safe to remove them and make it stick.

It also adds a fitting break for apt pre-squeeze versions to ensure apt will
be able to use them, depends only on gpgv and only recommends gnupg, as gpgv
is enough to check Release files and gnupg is only needed if you want to
manage the keys - or to run the postinst cleanup of the trusted.gpg file.
Upgrades should have gnupg installed this way, new installs don't need it,
but feel free to raise it to Depends if that is a problem.

Furthermore, I changed the code in postinst to clean up the trusted.gpg file.
I agree that apt-key is crappy and that's why we want to push slowly for
trusted.gpg.d so apt-key isn't required anymore for this important operation,
but partly reimplementing it doesn't seem to be that much less crappy…

Beware, I haven't tested the code so far and it includes two fixmes,
so it's more of a proof of concept to get the ball rolling…


Best regards

David Kalnischkies, who wanted to send that months ago…

P.S.: I am not subscribed to release-lists, so feel free to cc me. Thanks.
diff -ru debian-archive-keyring-2011.10.23/debian/changelog debian-archive-keyring-2011.10.23+nmu1/debian/changelog
--- debian-archive-keyring-2011.10.23/debian/changelog	2011-10-23 07:12:10.000000000 -0500
+++ debian-archive-keyring-2011.10.23+nmu1/debian/changelog	2011-10-31 09:23:12.472901631 -0500
@@ -1,3 +1,14 @@
+debian-archive-keyring (2011.10.23+nmu1) experimental; urgency=low
+
+  * Non-maintainer upload.
+  * ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/
+    as conffiles for simpler usage of apt-secure(8)
+  * remove all active keys from /etc/apt/trusted.gpg as they are shipped
+    now as fragments file
+  * depend on gpgv and only recommend gnupg (Closes: #387688)
+
+ -- David Kalnischkies <kalnischkies@gmail.com>  Mon, 31 Oct 2011 09:21:39 -0500
+
 debian-archive-keyring (2011.10.23) experimental; urgency=low
 
   * Team upload.
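Review bot: the third bullet has a typo ("as fragments file" should be "as fragment files"), and the entry does not mention the new Breaks: apt (<< 0.7.25.1) added in debian/control; that is a user-visible change and the reason the installed apt can be relied upon to read /etc/apt/trusted.gpg.d/, so it deserves its own bullet.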
diff -ru debian-archive-keyring-2011.10.23/debian/control debian-archive-keyring-2011.10.23+nmu1/debian/control
--- debian-archive-keyring-2011.10.23/debian/control	2011-10-21 05:45:38.000000000 -0500
+++ debian-archive-keyring-2011.10.23+nmu1/debian/control	2011-10-31 09:34:30.632047155 -0500
@@ -7,7 +7,9 @@
 Package: debian-archive-keyring
 Priority: important
 Architecture: all
-Depends: gnupg, ${misc:Depends}
+Depends: gpgv, ${misc:Depends}
+Recommends: gnupg
+Breaks: apt (<< 0.7.25.1)
 Description: GnuPG archive keys of the Debian archive
  The Debian project digitally signs its Release files. This package
  contains the archive keys used for that.
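Review bot: with Depends: gpgv and only Recommends: gnupg, the postinst cleanup of /etc/apt/trusted.gpg (which goes through apt-key and therefore needs gpg) is silently skipped on a system without gnupg, so the old keys stay in trusted.gpg there; say so in the changelog or description so the trade-off is a documented decision rather than a surprise. The cut-off in Breaks: apt (<< 0.7.25.1) also needs a one-line justification (the first apt that reads /etc/apt/trusted.gpg.d/), otherwise the next maintainer cannot check it.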
diff -ru debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.install debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.install
--- debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.install	2011-10-21 05:37:22.000000000 -0500
+++ debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.install	2011-10-31 09:16:27.691918480 -0500
@@ -1 +1,2 @@
 usr/share/keyrings/*
+etc/apt/trusted.gpg.d/*
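Review bot: the whole point of the cover mail, that removing a fragment sticks across upgrades, depends on debhelper registering everything under etc/ as conffiles; confirm this package's compat level does that, since otherwise the files are plain package files and get reinstalled. Also check that the names produced by the Makefile (trusted.gpg/debian-archive-%.gpg) cannot collide with the debian-archive-keyring.gpg symlink the 2011.10.23 postinst placed in the same directory.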
diff -ru debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.postinst debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.postinst
--- debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.postinst	2011-10-23 07:14:08.000000000 -0500
+++ debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.postinst	2011-10-31 09:24:52.894897337 -0500
@@ -2,32 +2,18 @@
 
 set -e
 
-export GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg"
-
-case "$1" in
-  configure)
-    if dpkg --compare-versions "$2" lt "2011.10.21"
-    then
-      if [ -n "$2" -a -e /etc/apt/trusted.gpg ]
-      then
-        if which gpg >/dev/null 2>&1
-        then
-          # Remove old keys from /etc/apt/trusted.gpg
-          for keyid in $($GPG_CMD /etc/apt/trusted.gpg | sed -n -r -e 's,pub .*/([0-9A-F]+).*,\1,p' | grep -x -E 'F42584E6|55BE302B|6D849617|B98321F9|473041FA')
-          do
-            echo "Removing trusted apt key $keyid from /etc/apt/trusted.gpg ..."
-            $GPG_CMD --primary-keyring /etc/apt/trusted.gpg \
-                     --quiet --batch --delete-key --yes "$keyid"
-          done
-        fi
-      fi
-      # Install the symlink upon first installation
-      ln -sf /usr/share/keyrings/debian-archive-keyring.gpg \
-             /etc/apt/trusted.gpg.d/debian-archive-keyring.gpg
-      echo "Installed debian-archive-keyring as a trusted apt keyring."
-    fi
-    ;;
-esac
+if [ "$1" = 'configure' ]; then
+	# remove keys from the trusted.gpg file as they are now shipped in fragment files in trusted.gpg.d
+	if dpkg --compare-versions '2010.08.28' '>=' "$2" && which gpg > /dev/null; then
+		TRUSTEDFILE='/etc/apt/trusted.gpg'
+		eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
+		eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
+		if [ -e "$TRUSTEDFILE" ]; then
+			for KEY in F42584E6 55BE302B 6D849617 B98321F9 473041FA; do
+				apt-key --keyring "$TRUSTEDFILE" del $KEY 2> /dev/null || :
+			done
+		fi
+	fi
+fi
 
 #DEBHELPER#
-
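Review bot: the version guard changed from the removed `dpkg --compare-versions "$2" lt "2011.10.21"` to `dpkg --compare-versions '2010.08.28' '>=' "$2"`, so any package version between 2010.08.28 and 2011.10.21 that still added keys to /etc/apt/trusted.gpg is no longer cleaned up; keep the original boundary unless that range is known to be empty. The removed code also checked `-n "$2"`; without it the comparison is true for an empty $2 on a fresh install (dpkg treats an empty version as earlier than any other), which is only harmless because the loop does nothing when the keys are absent. Finally, nothing removes the /etc/apt/trusted.gpg.d/debian-archive-keyring.gpg symlink that the 2011.10.23 postinst created, and this patch drops the postrm that would have handled it, so an upgrade from that version keeps the symlink next to the new fragment files; an `rm -f` of it for that version range would close the gap.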
Nur in debian-archive-keyring-2011.10.23/debian: debian-archive-keyring.postrm.
diff -ru debian-archive-keyring-2011.10.23/Makefile debian-archive-keyring-2011.10.23+nmu1/Makefile
--- debian-archive-keyring-2011.10.23/Makefile	2011-10-21 05:34:45.000000000 -0500
+++ debian-archive-keyring-2011.10.23+nmu1/Makefile	2011-10-31 10:01:09.112920074 -0500
@@ -1,4 +1,8 @@
-build: verify-indices keyrings/debian-archive-keyring.gpg keyrings/debian-archive-removed-keys.gpg verify-results
+TRUSTED-LIST := $(patsubst active-keys/add-%,trusted.gpg/debian-archive-%.gpg,$(wildcard active-keys/add-*))
+# FIXME: find a better place for storing intermediate files?
+TMPRING := trusted.gpg/build-area
+
+build: verify-indices keyrings/debian-archive-keyring.gpg keyrings/debian-archive-removed-keys.gpg verify-results $(TRUSTED-LIST)
 
 verify-indices: keyrings/team-members.gpg
 	gpg --no-default-keyring --keyring keyrings/team-members.gpg \
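Review bot: naming the build directory trusted.gpg invites confusion with the /etc/apt/trusted.gpg file that the postinst edits; trusted.gpg.d, matching the install destination, reads better, and answering the FIXME by placing TMPRING under that directory keeps every intermediate file in one place for clean. The hyphen in TRUSTED-LIST is accepted by GNU make, but TRUSTED_LIST is the conventional spelling and avoids surprises with other tools that parse the Makefile.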
@@ -13,6 +17,8 @@
 	gpg --no-default-keyring --keyring keyrings/team-members.gpg --verify \
 		 keyrings/debian-archive-removed-keys.gpg.asc \
 		 keyrings/debian-archive-removed-keys.gpg
+	#FIXME: Do we need to verify the created keyrings in trusted.gpg.d, too?
+	#	Maybe "just" checking that no key is added if we merge, but how…
 
 keyrings/debian-archive-keyring.gpg: active-keys/index
 	jetring-build -I $@ active-keys
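Review bot: the FIXME in verify-results should be resolved before this leaves experimental. The fragments are built from the same active-keys changesets as the verified keyrings/debian-archive-keyring.gpg, so a sufficient check is that each trusted.gpg/debian-archive-*.gpg contains exactly one key and that its key ID is also listed by gpg for the verified combined keyring; expressed as a make target this fails the build instead of leaving an open question in a comment.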
@@ -23,6 +29,13 @@
 keyrings/team-members.gpg: team-members/index
 	jetring-build -I $@ team-members
 
+$(TRUSTED-LIST) :: trusted.gpg/debian-archive-%.gpg : active-keys/add-% active-keys/index
+	mkdir -p $(TMPRING) trusted.gpg
+	grep -F $(shell basename $<) -- active-keys/index > $(TMPRING)/index
+	cp $< $(TMPRING)
+	jetring-build -I $@ $(TMPRING)
+	rm -rf $(TMPRING)
+
 clean:
 	rm -f keyrings/debian-archive-keyring.gpg \
 		keyrings/debian-archive-keyring.gpg.lastchangeset
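Review bot: every fragment target writes into the one shared $(TMPRING) and finishes with `rm -rf $(TMPRING)`, so a parallel build (make -jN) has the rules overwrite each other's index and changeset and delete a directory another rule is still using; a per-target directory such as $(TMPRING)/$* that is removed on its own fixes this. The `grep -F $(shell basename $<) -- active-keys/index` line also matches any index entry that merely contains the changeset name as a substring, so an anchored match (grep -x, or a pattern tied to end of line) would be safer.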
@@ -30,11 +43,13 @@
 		keyrings/debian-archive-removed-keys.gpg.lastchangeset
 	rm -f keyrings/team-members.gpg \
 		keyrings/team-members.gpg.lastchangeset
+	rm -rf $(TMPRING) trusted.gpg
 
 install: build
 	install -d $(DESTDIR)/usr/share/keyrings/
 	cp keyrings/debian-archive-keyring.gpg $(DESTDIR)/usr/share/keyrings/
 	cp keyrings/debian-archive-removed-keys.gpg $(DESTDIR)/usr/share/keyrings/
+	install -d $(DESTDIR)/etc/apt/trusted.gpg.d/
+	cp $(shell find trusted.gpg/ -name '*.gpg' -type f) $(DESTDIR)/etc/apt/trusted.gpg.d/
 
-.PHONY: verify-indices clean
-
+.PHONY: verify-indices verify-results clean build install
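Review bot: the install recipe recomputes the file list with `$(shell find trusted.gpg/ -name '*.gpg' -type f)` even though $(TRUSTED-LIST) already names exactly the fragments that build produced; `cp $(TRUSTED-LIST) $(DESTDIR)/etc/apt/trusted.gpg.d/` keeps the two in step and avoids copying stray .gpg files left behind in the build area.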
diff -ru debian-archive-keyring-2011.10.23/README debian-archive-keyring-2011.10.23+nmu1/README
--- debian-archive-keyring-2011.10.23/README	2010-08-28 17:32:18.000000000 -0500
+++ debian-archive-keyring-2011.10.23+nmu1/README	2011-10-31 09:25:14.185896978 -0500
@@ -10,14 +10,14 @@
 packages.
 
 A quick overview about this package:
-* This keyrings are used by "apt" versions 0.6 and later. They 
-  will be used with the apt-key command.
-* Normally (i.e. if the apt-key binary is found), the keys contained in
-  the debian-archive-keyring package will be automatically installed into
-  apt's trusted keyring by the package's postinst script and keys that are 
-  in the debian-archive-keyring-removed will be automatically removed.
-* If the automatic installation of the keys fails, then the user can run
-  "apt-key update" manually.
+* a keyring including all actively used keys to sign Release files in
+  different supported releases is shipped in /usr/share/keyrings
+* in the same location can a keyring be found including keys used by
+  previous releases which are no longer used to sign Release files
+* each actively used key is also placed in /etc/apt/trusted.gpg.d/ to
+  be used by "apt" and its apt-key command in versions 0.6 and later
+  to check the signature of acquired Release files
 
-More information about the archive authentication feature can be found 
-here: http://wiki.debian.org/SecureApt
+
+More information about the archive authentication feature can be found
+in manpage apt-secure(8) and online here: http://wiki.debian.org/SecureApt
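Review bot: the new third bullet says the keys in /etc/apt/trusted.gpg.d/ are used by apt "in versions 0.6 and later", but debian/control in this same patch adds Breaks: apt (<< 0.7.25.1) precisely because older apt does not read that directory; the README should state the same minimum version. The second bullet also reads awkwardly ("in the same location can a keyring be found"); naming the file, e.g. "debian-archive-removed-keys.gpg in the same directory holds keys used by previous releases which are no longer used to sign Release files", would be clearer.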
