From 417d8fd5911a0db7721a5905bd31cd240b0d146f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?=
Date: Fri, 19 Apr 2013 13:03:59 +0000
Subject: [PATCH] Tweak logic to handle keyring for APT and debootstrap

Use ARCHIVE_KEYRING_PACKAGE and ARCHIVE_KEYRING_FILE parameters and always use the unpacked keyring instead of the system-wide one. Thanks to Robert Spencer for the patch.
---
 CONF.sh | 13 ++++++++-----
 Makefile | 11 +++++++----
 debian/changelog | 5 +++--
 3 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/CONF.sh b/CONF.sh
index e3314c40..74b81d18 100644
--- a/CONF.sh
+++ b/CONF.sh
@@ -51,6 +51,8 @@ unset OMIT_RELEASE_NOTES || true
 unset OMIT_DOC_TOOLS || true
 unset MAX_PKG_SIZE || true
 unset DEBOOTSTRAP_OPTS || true
+unset ARCHIVE_KEYRING_PACKAGE || true
+unset ARCHIVE_KEYRING_FILE || true
 
 # The debian-cd dir
 # Where I am (hoping I'm in the debian-cd dir)
@@ -179,15 +181,16 @@ export CONTRIB=1
 #export amd64_MKISOFS="xorriso"
 #export amd64_MKISOFS_OPTS="-as mkisofs -r -checksum_algorithm_iso md5,sha1"
 
+# Keyring (defaults):
+#ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+# The path to the keyring file relative to $TDIR/archive-keyring/
+#ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
+
 # By default we use debootstrap --no-check-gpg to find out the minimal set
 # of packages because there's no reason to not trust the local mirror. But
 # you can be paranoid and then you need to indicate the keyring to use to
 # validate the mirror.
-#export DEBOOTSTRAP_OPTS="--keyring /usr/share/keyrings/debian-archive-keyring.gpg"
-
-# Indicate the package which contains the keyrings needed so that APT
-# doesn't complain about unsigned package.
-#export ARCHIVE_KEYRING="debian-archive-keyring"
+#export DEBOOTSTRAP_OPTS="--keyring $TDIR/archive-keyring/$ARCHIVE_KEYRING_FILE"
 
 # ISOLinux support for multiboot on CD1 for i386
 export ISOLINUX=1
diff --git a/Makefile b/Makefile
index 362d2355..afa72927 100755
--- a/Makefile
+++ b/Makefile
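Review bot: The commented `DEBOOTSTRAP_OPTS` example in the second CONF.sh hunk now expands `$ARCHIVE_KEYRING_FILE`, but the first hunk unsets that variable and its only default is assigned in the Makefile (see the Makefile hunk at line 37), so a user who uncomments just this line gets `--keyring $TDIR/archive-keyring/` with an empty file component; the comment should state that `ARCHIVE_KEYRING_FILE` (and, presumably, `TDIR`) must be set in this file for the example to work. More importantly for the "paranoid" mode the surrounding comment describes, that keyring is unpacked from a package fetched from the same mirror it is supposed to validate, so `--keyring` no longer gives the independent trust anchor that the previous system-wide `/usr/share/keyrings/debian-archive-keyring.gpg` did. I would add above the example: `# Note: $TDIR/archive-keyring is unpacked from the mirror itself; to validate an untrusted mirror, point --keyring at a keyring obtained independently.`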
@@ -37,8 +37,11 @@ endif
 ifndef HOOK
 HOOK=$(BASEDIR)/tools/$(CODENAME).hook
 endif
-ifndef ARCHIVE_KEYRING
-ARCHIVE_KEYRING=debian-archive-keyring
+ifndef ARCHIVE_KEYRING_PACKAGE
+ARCHIVE_KEYRING_PACKAGE=debian-archive-keyring
+endif
+ifndef ARCHIVE_KEYRING_FILE
+ARCHIVE_KEYRING_FILE=usr/share/keyrings/debian-archive-keyring.gpg
 endif
 
 export BUILD_DATE=$(shell date -u +%Y%m%d-%H:%M)
@@ -232,10 +235,10 @@ $(ADIR)/status:
 # Set up keyring so apt doesn't complain
 	@echo "Setting up archive-keyring"
 	$(Q)mkdir -p $(TDIR)/archive-keyring
-	$(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) $(ARCHIVE_KEYRING)) $(TDIR)/archive-keyring
+	$(Q)dpkg -x $(MIRROR)/$(shell $(which_deb) $(MIRROR) $(CODENAME) $(ARCHIVE_KEYRING_PACKAGE)) $(TDIR)/archive-keyring
 	$(Q)for ARCH in $(ARCHES); do \
 		mkdir -p $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
-		ln -s $(TDIR)/archive-keyring/usr/share/keyrings/* $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
+		ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) $(ADIR)/$(CODENAME)-$$ARCH/apt/trusted.gpg.d; \
 	done
 
 # Updating the apt database
diff --git a/debian/changelog b/debian/changelog
index cef64ccf..78464a59 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,9 @@
 debian-cd (3.1.13) UNRELEASED; urgency=low
 
   [ Robert Spencer ]
-  * Use ARCHIVE_KEYRING parameter to not hardcode debian-archive-keyring
-    and let derivatives use their own keyring package.
+  * Use ARCHIVE_KEYRING_PACKAGE and ARCHIVE_KEYRING_FILE parameters to
+    not hardcode debian-archive-keyring and let derivatives use their
+    own keyring.
 
  -- Raphaƫl Hertzog Fri, 12 Apr 2013 10:32:56 +0200
 
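Review bot: In the `$(ADIR)/status` hunk, `ln -s $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) …` creates a dangling symlink without any error when the configured path is not present in the extracted package, so a mistyped `ARCHIVE_KEYRING_FILE` (or a derivative package that ships its keyring elsewhere) is only noticed later, presumably when apt complains about missing keys. I would fail fast right after the `dpkg -x` line: `$(Q)test -f $(TDIR)/archive-keyring/$(ARCHIVE_KEYRING_FILE) || { echo "$(ARCHIVE_KEYRING_FILE) not found in $(ARCHIVE_KEYRING_PACKAGE)" >&2; exit 1; }`. It is also worth recording that the keyring package is taken from `$(MIRROR)` via `dpkg -x` with no signature verification, so the trust anchor installed into trusted.gpg.d is exactly as trustworthy as the mirror; a comment such as `# The keyring itself comes unverified from $(MIRROR): this only silences apt, it does not authenticate an untrusted mirror.` above `# Set up keyring` would make that explicit. The `$(ADIR)/status` rule starts before this hunk and its remaining recipe continues after it.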