Bug#595428: apt again lost support for Apt::GPGV::TrustedKeyring
2010/9/4 Joey Hess <joeyh@debian.org>:
> David Kalnischkies wrote:
> I assume getting apt 0.8.0 into testing is not currently in the cards.
> It should at least not get in before the next d-i upload. Up to you
> whether you leave this bug RC or not.
0.8.0 is already in testing since yesterday after 9 days of transition…
Michael prepared also a 0.8.1 bugfix release yesterday, maybe we should
get a fixed 0.8.2 armed and ready for testing a bit faster than usual,
lets see what we can do on Monday…
> (/etc/apt/trusted.gpg)
>> I honestly don't know why 600 - APT doesn't seem to set a mod on it
>> so it should be gpg at the time the first keyring is inserted…
>
> gpg does make keyrings 600 by default. On older systems, the file was
> created by something else, so its mode can vary. I think that is a bug
> by itself -- it should be possible for regular users to verify things
> against the system's apt's trust keyring. The only reason d-i's build
> overrides the keyring in the first place, really, is because the
> build process does not run as root.
So, do you would recommend that APT ensures that the file has 644
instead as it does for other files it works with?
Best regards
David Kalnischkies
=== modified file 'apt-pkg/indexcopy.cc'
--- apt-pkg/indexcopy.cc 2010-08-18 22:04:05 +0000
+++ apt-pkg/indexcopy.cc 2010-09-04 08:06:14 +0000
@@ -661,7 +661,7 @@
{
string const gpgvpath = _config->Find("Dir::Bin::gpg", "/usr/bin/gpgv");
// FIXME: remove support for deprecated APT::GPGV setting
- string const trustedFile = _config->FindFile("Dir::Etc::Trusted");
+ string const trustedFile = _config->Find("APT::GPGV::TrustedKeyring", _config->FindFile("Dir::Etc::Trusted"));
string const trustedPath = _config->FindDir("Dir::Etc::TrustedParts");
bool const Debug = _config->FindB("Debug::Acquire::gpgv", false);
=== modified file 'apt-pkg/init.cc'
--- apt-pkg/init.cc 2010-08-18 22:04:05 +0000
+++ apt-pkg/init.cc 2010-09-04 08:04:37 +0000
@@ -70,8 +70,7 @@
Cnf.Set("Dir::Etc::parts","apt.conf.d");
Cnf.Set("Dir::Etc::preferences","preferences");
Cnf.Set("Dir::Etc::preferencesparts","preferences.d");
- string const deprecated = _config->Find("APT::GPGV::TrustedKeyring");
- Cnf.Set("Dir::Etc::trusted", deprecated.empty() ? "trusted.gpg" : deprecated);
+ Cnf.Set("Dir::Etc::trusted", "trusted.gpg");
Cnf.Set("Dir::Etc::trustedparts","trusted.gpg.d");
Cnf.Set("Dir::Bin::methods","/usr/lib/apt/methods");
Cnf.Set("Dir::Media::MountPath","/media/apt");
=== modified file 'cmdline/apt-key'
--- cmdline/apt-key 2010-06-09 09:51:21 +0000
+++ cmdline/apt-key 2010-09-04 13:22:01 +0000
@@ -147,11 +147,13 @@
#echo "generate list"
TRUSTEDFILE="/etc/apt/trusted.gpg"
eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
+ eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
if [ -r "$TRUSTEDFILE" ]; then
GPG="$GPG --keyring $TRUSTEDFILE"
fi
GPG="$GPG --primary-keyring $TRUSTEDFILE"
TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
+ eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
if [ -d "$TRUSTEDPARTS" ]; then
#echo "parts active"
for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do
=== modified file 'debian/changelog'
--- debian/changelog 2010-09-03 17:34:36 +0000
+++ debian/changelog 2010-09-04 13:28:39 +0000
@@ -7,8 +7,14 @@
* apt-pkg/deb/dpkgpm.cc:
- create Dir::Log if needed to support /var/log as tmpfs or similar,
inspired by Thomas Bechtold, thanks! (Closes: #523919, LP: #220239)
+ * apt-pkg/indexcopy.cc:
+ - support really still the APT::GPGV::TrustedKeyring setting,
+ as it breaks d-i badly otherwise (Closes: #595428)
+ * cmdline/apt-key:
+ - support also Dir::Etc::Trusted so that apt-key works in the same
+ way as the library part which works with the trusted files
- -- David Kalnischkies <kalnischkies@gmail.com> Fri, 03 Sep 2010 19:29:01 +0200
+ -- David Kalnischkies <kalnischkies@gmail.com> Sat, 04 Sep 2010 15:25:10 +0200
apt (0.8.1) unstable; urgency=low
Reply to: