Bug#1003188: bullseye-pu: package mmdebstrap/0.7.5-2.2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: josch@debian.org
[ Reason ]
Currently, when a user happens to have an ASCII armored key in
/etc/apt/trusted.gpg.d, running mmdebstrap without any special options
will not work. See #1003175 for details.
The problem is fixed in unstable and testing, starting with 0.8.0-1.
[ Impact ]
Users will either have to remove an ASCII armored key from their
/etc/apt/trusted.gpg.d or supply keys to mmdebstrap manually. But either
is unlikely to happen because the error message does not give a clue
about the actual cause of the problem.
[ Tests ]
Two users and I checked that the attached debdiff fixed the
problem. If desired, I can also add a test from the upstream project
to the debdiff but that would double its size. Essentially, the change
is already well tested upstream.
[ Risks ]
In the worst case, GPG key autodetection breaks and one has to pass the
keyring material to mmdebstrap manually. This is what users with ASCII
armored keys in /etc/apt/trusted.gpg.d already have to do today without
this patch.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
GPG is called with --show-keys instead of with --list-keys. The latter
requires "public keyring v4" key material while the former also allows
ASCII armored keys.
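The following is an added example (Python), not code from mmdebstrap or from this bug report. It shows the two pieces of the fix in a form that runs offline: first a scan of a trusted.gpg.d-style directory that applies mmdebstrap's own name filter (*.asc / *.gpg) and tells armored, binary and empty keyrings apart by their leading bytes, so an admin can see which files would have tripped the old `--list-keys` call; second the fingerprint extraction from `gpg --with-colons` output using the same `fpr:` record pattern the patch keeps. The directory, file contents and colon-separated output are constructed samples; the fingerprints are not real keys.

```python
import os
import re
import tempfile

# ASCII-armored public keyrings start with this header; gpg --list-keys
# (as used by mmdebstrap 0.7.5) cannot read them, gpg --show-keys can.
ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"

# First byte of a binary OpenPGP public-key packet (tag 6):
# old packet format 0x98/0x99/0x9a (1/2/4-byte length), new format 0xc6.
BINARY_PUBKEY_FIRST_BYTES = {0x98, 0x99, 0x9A, 0xC6}

# Same record pattern mmdebstrap applies to gpg --with-colons output.
FPR_RE = re.compile(r"^fpr:::::::::([^:]+):")


def classify_keyring(path):
    """Return 'empty', 'armored', 'binary' or 'unknown' for one keyring file."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    if not head:
        return "empty"
    if head.lstrip().startswith(ARMOR_HEADER):
        return "armored"
    if head[0] in BINARY_PUBKEY_FIRST_BYTES:
        return "binary"
    return "unknown"


def scan_trusted_parts(directory):
    """Classify every *.asc / *.gpg file, the same name filter mmdebstrap uses."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not re.search(r"\.(asc|gpg)$", name):
            continue
        results[name] = classify_keyring(os.path.join(directory, name))
    return results


def fingerprints_from_colons(output):
    """Extract fingerprints from gpg --with-colons output (one per pub/sub key)."""
    fprs = []
    for line in output.splitlines():
        m = FPR_RE.match(line)
        if m:
            fprs.append(m.group(1))
    return fprs


# Constructed sample --with-colons output; these are not real keys.
SAMPLE_COLONS = """\
pub:-:4096:1:A1B2C3D4E5F60718:1500000000::::::::::::
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1500000000::ABCDEF:Constructed Example <example@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::::::::
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
"""


def demo():
    """Build a throw-away trusted.gpg.d with constructed files and scan it."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            # armored keyring: real header, constructed filler body
            "vendor.asc": ARMOR_HEADER
            + b"\n\nmQENBF...constructed...\n-----END PGP PUBLIC KEY BLOCK-----\n",
            # binary keyring: old-format tag-6 packet header, truncated body
            "debian.gpg": b"\x99\x01\x0d\x04" + b"\x00" * 16,
            # zero-length file, the case the patch skips with -s
            "stale.gpg": b"",
            # wrong extension, ignored by the name filter
            "README.txt": b"not a keyring",
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan_trusted_parts(d)


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
    print("fingerprints:", fingerprints_from_colons(SAMPLE_COLONS))
```

Running the script lists one armored, one binary and one empty keyring and prints the two constructed fingerprints; point `scan_trusted_parts` at a real /etc/apt/trusted.gpg.d to see which files an unpatched 0.7.5 would fail on.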
[ Other info ]
This is my first upload to a stable release, so stupid mistakes can be
hiding anywhere.
Thanks!
cheers, josch
diff -Nru mmdebstrap-0.7.5/debian/changelog mmdebstrap-0.7.5/debian/changelog
--- mmdebstrap-0.7.5/debian/changelog 2021-05-07 17:30:39.000000000 +0200
+++ mmdebstrap-0.7.5/debian/changelog 2022-01-05 16:05:13.000000000 +0100
@@ -1,3 +1,10 @@
+mmdebstrap (0.7.5-2.2+deb11u1) bullseye; urgency=medium
+
+ * Do not error out with ASCII armored keyrings in /etc/apt/trusted.gpg.d
+ (closes: #1003175)
+
+ -- Johannes Schauer Marin Rodrigues <josch@debian.org> Wed, 05 Jan 2022 16:05:13 +0100
+
mmdebstrap (0.7.5-2.2) unstable; urgency=medium
* Non-maintainer upload.
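Review bot: the changelog entry only records the ASCII-armored keyring fix, but the debdiff also adds 0001-Do-not-use-gpg-trust-model-always.patch, which drops `'--trust-model', 'always'` from the gpg command line. Since the checklist states that all changes are documented in d/changelog, add a second bullet for that patch and its reason (without it `--update-trustdb` does not create a trustdb and the following gpg calls fail), so the stable release team can see both behavioural changes from the changelog alone.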
diff -Nru mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch
--- mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch 1970-01-01 01:00:00.000000000 +0100
+++ mmdebstrap-0.7.5/debian/patches/0001-Do-not-use-gpg-trust-model-always.patch 2022-01-05 16:04:09.000000000 +0100
@@ -0,0 +1,23 @@
+From 91d8be5f9c204f0ee8d524eb1382934e608a9d43 Mon Sep 17 00:00:00 2001
+From: Johannes Schauer Marin Rodrigues <josch@mister-muffin.de>
+Date: Thu, 26 Aug 2021 07:58:27 +0200
+Subject: [PATCH] Do not use gpg --trust-model=always
+
+ - gpg will not create a trustdb when running with --update-trustdb with
+ --trust-model=always:
+ gpg: no need for a trustdb update with 'always' trust model
+ - subsequent gpg calls will fail because there is no trustdb in GPGHOME
+---
+ mmdebstrap | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mmdebstrap
++++ b/mmdebstrap
+@@ -4861,7 +4861,6 @@ sub main() {
+ '--ignore-time-conflict', '--no-options',
+ '--no-default-keyring', '--homedir',
+ $gpghome, '--no-auto-check-trustdb',
+- '--trust-model', 'always'
+ );
+ my ($ret, $message);
+ {
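Review bot: this patch exists only because 0001-gpg-handle-ASCII-armored-keyrings-as-well.patch introduces the `@gpgcmd --update-trustdb` call, yet neither the patch description nor the series file records that dependency; a reader applying or reverting one without the other will get the "no need for a trustdb update with 'always' trust model" failure the header describes. Add a sentence to the description stating that it is required by the `--show-keys`/`--update-trustdb` change and must be applied together with it. The code change itself is minimal and the remaining `'--no-auto-check-trustdb',` with its trailing comma is still a valid Perl list.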
diff -Nru mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch
--- mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch 1970-01-01 01:00:00.000000000 +0100
+++ mmdebstrap-0.7.5/debian/patches/0001-gpg-handle-ASCII-armored-keyrings-as-well.patch 2022-01-05 16:05:13.000000000 +0100
@@ -0,0 +1,75 @@
+From ccd4b5c163d322045c92f734f43bb5e1945fa774 Mon Sep 17 00:00:00 2001
+From: Konstantin Demin <rockdrilla@gmail.com>
+Date: Thu, 15 Apr 2021 03:00:39 +0300
+Subject: [PATCH] gpg: handle ASCII-armored keyrings as well
+
+gpg command "--list-keys" requires input files to be passed with
+option "--keyring" and each file must match type "public keyring v4"
+while gpg command "--show-keys" doesn't require extra options and
+handles also ASCII-armored public keyrings as well.
+
+Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
+---
+ mmdebstrap | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+--- a/mmdebstrap
++++ b/mmdebstrap
+@@ -4880,30 +4880,37 @@ sub main() {
+ . " signed-by value";
+ last;
+ }
++ # initialize gpg trustdb with empty one
++ {
++ `@gpgcmd --update-trustdb >/dev/null 2>/dev/null`;
++ $? == 0 or error "gpg failed to initialize trustdb: $?";
++ }
+ # find all the fingerprints of the keys apt currently
+ # knows about
+- my @keyringopts = ();
++ my @keyrings = ();
+ opendir my $dh, "$options->{apttrustedparts}"
+ or error "cannot read $options->{apttrustedparts}";
+ while (my $filename = readdir $dh) {
+ if ($filename !~ /\.(asc|gpg)$/) {
+ next;
+ }
+- push @keyringopts, '--keyring',
+- "$options->{apttrustedparts}/$filename";
++ $filename = "$options->{apttrustedparts}/$filename";
++ # skip empty keyrings
++ -s "$filename" || next;
++ push @keyrings, "$filename";
+ }
+ closedir $dh;
+- if (-e $options->{apttrusted}) {
+- push @keyringopts, '--keyring', $options->{apttrusted};
++ if (-s $options->{apttrusted}) {
++ push @keyrings, $options->{apttrusted};
+ }
+ my @aptfingerprints = ();
+- if (scalar @keyringopts == 0) {
++ if (scalar @keyrings == 0) {
+ $signedby = " [signed-by=\"$keyring\"]";
+ last;
+ }
+ {
+- open my $fh, '-|', @gpgcmd, @keyringopts, '--with-colons',
+- '--list-keys' // error "failed to fork(): $!";
++ open(my $fh, '-|', @gpgcmd, '--with-colons', '--show-keys',
++ @keyrings) // error "failed to fork(): $!";
+ while (my $line = <$fh>) {
+ if ($line !~ /^fpr:::::::::([^:]+):/) {
+ next;
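Review bot: the new trustdb initialisation runs `` `@gpgcmd --update-trustdb >/dev/null 2>/dev/null` `` and then reports the raw wait status `$?`, so a failing gpg gives the user something like "gpg failed to initialize trustdb: 512" with stderr already thrown away. Report `$? >> 8` (the exit code) and keep or capture stderr (`2>&1`) so the diagnostic is shown. Because backticks go through the shell, `$gpghome` inside `@gpgcmd` is also subject to word splitting; the list form `system(@gpgcmd, '--update-trustdb')` with stdout redirected avoids that and matches how the rest of the function invokes gpg. The remainder of the hunk (collecting non-empty `*.asc`/`*.gpg` files with `-s`, switching `-e` to `-s` for `apttrusted`, and passing the files to `--show-keys` instead of via `--keyring`) is consistent with the description.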
+@@ -4924,9 +4931,8 @@ sub main() {
+ # the case
+ my @suitefingerprints = ();
+ {
+- open my $fh, '-|', @gpgcmd, '--keyring', $keyring,
+- '--with-colons',
+- '--list-keys' // error "failed to fork(): $!";
++ open(my $fh, '-|', @gpgcmd, '--with-colons', '--show-keys',
++ $keyring) // error "failed to fork(): $!";
+ while (my $line = <$fh>) {
+ if ($line !~ /^fpr:::::::::([^:]+):/) {
+ next;
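Review bot: `open(...) // error "failed to fork(): $!"` only catches a failed fork; if gpg rejects `$keyring` (unreadable, or not a keyring at all) the loop simply sees no `fpr:` records and `@suitefingerprints` stays empty, which is indistinguishable from a keyring that contains no keys. The hunk does not show the matching `close $fh`; make sure its return value and `$?` are checked so a gpg failure is reported rather than silently read as "no fingerprints". The open/`--with-colons --show-keys`/`fpr:` loop now appears twice (here and for the apt keyrings in the previous hunk); a small helper taking the list of keyring files would remove the duplication and keep the two regexes from drifting apart.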
diff -Nru mmdebstrap-0.7.5/debian/patches/series mmdebstrap-0.7.5/debian/patches/series
--- mmdebstrap-0.7.5/debian/patches/series 2021-05-07 17:30:39.000000000 +0200
+++ mmdebstrap-0.7.5/debian/patches/series 2022-01-05 16:03:59.000000000 +0100
@@ -1,2 +1,4 @@
0001-also-run-unshare-with-propagation-unchanged-in-root-.patch
Pass-extended-attributes-excluding-system-to-tar2sqf.patch
+0001-gpg-handle-ASCII-armored-keyrings-as-well.patch
+0001-Do-not-use-gpg-trust-model-always.patch
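Review bot: both new patches carry the `0001-` prefix (the git format-patch default), so the file names no longer convey an order even though the trust-model patch must follow the ASCII-armored one, which adds the `--update-trustdb` call that motivates it. The series file fixes the order, but renumbering the files (for example `0003-`/`0004-` after the two existing patches) makes the dependency visible in the directory listing as well.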