Bug#703146: Better debootstrap InRelease handling fix

Tue, 26 Mar 2013 10:33:22 -0700 

Hi,

Pulling gnupg just to extract the cleartext of a PGP signed message
seems a bit too much for me. I stumbled upon this while in
debian-installer, which didn't depend on gnupg, only pgpv, until now.
This looks really overkill. Please find attached a better fix, to me,
only using sed (and compatible with the minimal busybox sed found in
d-i). It should extract anything according to RFC 4880 cleartext signed
message format, according to my reading of it.

I don't reopen this bug as I don't know what is the policy about it
currently, but really consider my solution, please.

Regards,
-- 
Benjamin Cama <benjamin.c...@telecom-bretagne.eu>

>From 169cffe3c20f36947a1604a6e1151d0f31e18de2 Mon Sep 17 00:00:00 2001
From: Benjamin Cama <benjamin.c...@telecom-bretagne.eu>
Date: Tue, 26 Mar 2013 18:08:32 +0100
Subject: [PATCH] Remove dependency on gnupg, extract Release with sed

Get back gnupg to Recommends, as it is only used to extract the clear
text. We can rather do that with sed, furthermore in constrained
environments like in d-i. Should be compatible with RFC 4880 format.

Signed-off-by: Benjamin Cama <benjamin.c...@telecom-bretagne.eu>
---
 debian/control |    4 ++--
 functions      |    9 +++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/debian/control b/debian/control
index 41af2df..0894e08 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Vcs-Git: git://git.debian.org/d-i/debootstrap.git
 
 Package: debootstrap
 Architecture: all
-Depends: ${misc:Depends}, wget, gnupg
-Recommends: ${keyring}
+Depends: ${misc:Depends}, wget
+Recommends: gnupg, ${keyring}
 Description: Bootstrap a basic Debian system
  debootstrap is used to create a Debian base system from scratch,
  without requiring the availability of dpkg or apt. It does this by
diff --git a/functions b/functions
index 1dc0f87..3333f44 100644
--- a/functions
+++ b/functions
@@ -530,8 +530,13 @@ download_release_sig () {
 		warning KEYRING "Cannot check Release signature; keyring file not available %s" "$KEYRING_WANTED"
 	fi
 	if [ "$release_file_variant" = "IN" ]; then
-		rm -f $reldest
-                gpg --output "$reldest" --decrypt --keyring "$KEYRING" --ignore-time-conflict "$relsigdest"
+		sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/ { \
+				n \
+				: check_hash /^Hash:/ { n b check_hash } \
+				n # blank line \
+			} \
+			/^-----BEGIN PGP SIGNATURE-----$/ q \
+			p' < "$relsigdest" > "$reldest"
 	fi
 }
 
-- 
1.7.2.5

Reply via email to