live-build/scripts/build/bootstrap_archive-keys

#!/bin/sh

## live-build(7) - System Build Scripts
## Copyright (C) 2006-2013 Daniel Baumann <mail@daniel-baumann.ch>
##
## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
## This is free software, and you are welcome to redistribute it
## under certain conditions; see COPYING for details.


set -e

# Including common functions
[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh

# Setting static variables
DESCRIPTION="$(Echo 'bootstrap non-Debian archive-signing-keys')"
HELP=""
USAGE="${PROGRAM} [--force]"

Arguments "${@}"

# Reading configuration files
Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
Set_defaults

# TODO: allow verification against user-specified keyring
# For now, we'll only validate against debian-keyring

# TODO2: use chrooted validation rather than host system based one

case "${LB_MODE}" in
	progress-linux)
		case "${LB_DISTRIBUTION}" in
			artax)
				_KEYS="1-artax"
				;;

			artax-backports)
				_KEYS="1-artax 1+-artax-backports"
				;;

			baureo)
				_KEYS="2-baureo"
				;;

			baureo-backports)
				_KEYS="2-baureo 2+-baureo-backports"
				;;

			chairon)
				_KEYS="3-chairon"
				;;

			chairon-backports)
				_KEYS="3-chairon 3+-chairon-backports"
				;;
		esac

		_URL="${LB_MIRROR_CHROOT}/project/keys"
		;;
esac

for _KEY in ${_KEYS}
do
	Echo_message "Fetching archive-key ${_KEY}..."

	wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
	wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig

	if [ -e /usr/bin/gpgv ]
	then
		if [ -e /usr/share/keyrings/debian-keyring.gpg ] || [ -e /usr/share/keyrings/debian-maintainers.gpg ]
		then
			_KEY_VALID=""

			for _KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg
			do
				if [ -e "${_KEYRING}" ]
				then
					Echo_message "Verifying archive-key ${_KEY} against $(basename ${_KEYRING} .gpg | sed -e 's|-keyring||') keyring..."

					set +e
					/usr/bin/gpgv --quiet --keyring ${_KEYRING} chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 && _KEY_VALID="true" && break
					set -e
				fi
			done

			case "${_KEY_VALID}" in
				true)
					Echo_message "Verifying ${_KEY} signature successful."
					;;

				*)
					Echo_error "Verifying ${_KEY} signature failed."
					return 1
					;;
			esac
		else
			Echo_warning "Skipping archive-key ${_KEY} verification, debian-keyring not available..."
		fi
	else
		Echo_warning "Skipping archive-key ${_KEY} verification, gpgv not available..."
	fi

	Echo_message "Importing archive-key ${_KEY}..."

	Chroot chroot "apt-key add key.asc"
	rm -f chroot/key.asc chroot/key.asc.sig
done

Chroot chroot "apt-get update"

# Creating stage file
Create_stagefile .build/bootstrap_archive-keys
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`#!/bin/sh`

			`## live-build(7) - System Build Scripts`
Removing all references to my old email address. 2013-03-10 17:33:05 -01:00			`## Copyright (C) 2006-2013 Daniel Baumann <mail@daniel-baumann.ch>`
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`##`
			`## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.`
			`## This is free software, and you are welcome to redistribute it`
			`## under certain conditions; see COPYING for details.`


			`set -e`

			`# Including common functions`
			`[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" \|\| . /usr/lib/live/build.sh`

			`# Setting static variables`
			`DESCRIPTION="$(Echo 'bootstrap non-Debian archive-signing-keys')"`
			`HELP=""`
			`USAGE="${PROGRAM} [--force]"`

			`Arguments "${@}"`

			`# Reading configuration files`
			`Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source`
			`Set_defaults`

			`# TODO: allow verification against user-specified keyring`
			`# For now, we'll only validate against debian-keyring`

			`# TODO2: use chrooted validation rather than host system based one`

			`case "${LB_MODE}" in`
			`progress-linux)`
			`case "${LB_DISTRIBUTION}" in`
Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`artax)`
Updating versioning scheme references to match new scheme since wheezy. 2013-05-31 11:53:30 +00:00			`_KEYS="1-artax"`
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`;;`

Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`artax-backports)`
Updating versioning scheme references to match new scheme since wheezy. 2013-05-31 11:53:30 +00:00			`_KEYS="1-artax 1+-artax-backports"`
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`;;`

Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`baureo)`
Updating versioning scheme references to match new scheme since wheezy. 2013-05-31 11:53:30 +00:00			`_KEYS="2-baureo"`
Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`;;`

			`baureo-backports)`
Updating versioning scheme references to match new scheme since wheezy. 2013-05-31 11:53:30 +00:00			`_KEYS="2-baureo 2+-baureo-backports"`
Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`;;`

			`chairon)`
Updating versioning scheme references to match new scheme since wheezy. 2013-05-31 11:53:30 +00:00			`_KEYS="3-chairon"`
Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`;;`

			`chairon-backports)`
Updating versioning scheme references to match new scheme since wheezy. 2013-05-31 11:53:30 +00:00			`_KEYS="3-chairon 3+-chairon-backports"`
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`;;`
			`esac`

			`_URL="${LB_MIRROR_CHROOT}/project/keys"`
			`;;`
			`esac`

			`for _KEY in ${_KEYS}`
			`do`
			`Echo_message "Fetching archive-key ${_KEY}..."`

			`wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc`
			`wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig`

Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`if [ -e /usr/bin/gpgv ]`
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`then`
Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`if [ -e /usr/share/keyrings/debian-keyring.gpg ] \|\| [ -e /usr/share/keyrings/debian-maintainers.gpg ]`
			`then`
			`_KEY_VALID=""`

			`for _KEYRING in /usr/share/keyrings/debian-keyring.gpg /usr/share/keyrings/debian-maintainers.gpg`
			`do`
			`if [ -e "${_KEYRING}" ]`
			`then`
			`Echo_message "Verifying archive-key ${_KEY} against $(basename ${_KEYRING} .gpg \| sed -e 's\|-keyring\|\|') keyring..."`

			`set +e`
			`/usr/bin/gpgv --quiet --keyring ${_KEYRING} chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 && _KEY_VALID="true" && break`
			`set -e`
			`fi`
			`done`

			`case "${_KEY_VALID}" in`
			`true)`
			`Echo_message "Verifying ${_KEY} signature successful."`
			`;;`

			`*)`
			`Echo_error "Verifying ${_KEY} signature failed."`
			`return 1`
			`;;`
			`esac`
			`else`
			`Echo_warning "Skipping archive-key ${_KEY} verification, debian-keyring not available..."`
			`fi`
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`else`
Updating derivatives archive-key signature validiation to look by default at both debian and debian-maintainers keyrings. 2013-04-10 12:00:09 +00:00			`Echo_warning "Skipping archive-key ${_KEY} verification, gpgv not available..."`
Adding bootrap_archive-keys to establish secure trust-chain on top of debian-keyring for derivatives. 2013-01-27 09:16:25 -01:00			`fi`

			`Echo_message "Importing archive-key ${_KEY}..."`

			`Chroot chroot "apt-key add key.asc"`
			`rm -f chroot/key.asc chroot/key.asc.sig`
			`done`

			`Chroot chroot "apt-get update"`

			`# Creating stage file`
			`Create_stagefile .build/bootstrap_archive-keys`