On Mon, Aug 15, 2016 at 12:12:02 +0200, Ansgar Burchardt wrote:

> If you restore support for `InRelease` and want to use `gpgv`, please
> split `InRelease` into two files, i.e. `Release` and `Release.gpg`, and
> verify that the signature actually covers all of `Release`.
> 
Here's an attempt at doing that.  Only lightly tested.

Cheers,
Julien

diff --git a/debian/changelog b/debian/changelog
index 46b4974..3f0ef23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+debootstrap (1.0.82) UNRELEASED; urgency=medium
+
+  * Add support for downloading and validating InRelease files, by splitting
+    up detached signature from signed data.
+
+ -- Julien Cristau <jcris...@debian.org>  Fri, 02 Sep 2016 20:26:38 +0200
+
 debootstrap (1.0.81) unstable; urgency=medium
 
   [ Luca Falavigna ]
diff --git a/functions b/functions
index 031721f..407cc38 100644
--- a/functions
+++ b/functions
@@ -537,15 +537,30 @@ download_release_sig () {
 download_release_indices () {
        local m1="${MIRRORS%% *}"
        local reldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" 
"dists/$SUITE/Release")"
-       local relsigdest
+       local inreldest="$TARGET/$($DLDEST rel "$SUITE" "$m1" 
"dists/$SUITE/InRelease")"
+       local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" 
"dists/$SUITE/Release.gpg")"
        progress 0 100 DOWNREL "Downloading Release file"
        progress_next 100
-       get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
-               error 1 NOGETREL "Failed getting release file %s" 
"$m1/dists/$SUITE/Release"
-       relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" 
"dists/$SUITE/Release.gpg")"
-       progress 100 100 DOWNREL "Downloading Release file"
+       if get "$m1/dists/$SUITE/InRelease" "$inreldest" nocache; then
+               sed -n '/^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP 
SIGNATURE-----$/p' < "$inreldest" > "$relsigdest"
+               awk 'BEGIN {ORS="" ; first=1}
+                    /^-----BEGIN PGP SIGNED MESSAGE-----$/,/^$/ { next }
+                    /^-----BEGIN PGP SIGNATURE-----$/,/^-----END PGP 
SIGNATURE-----$/ {next}
+                    { if (first) { first=0 } else { printf "\n" } print }' \
+                   < "$inreldest" > "$reldest"
+               progress 100 100 DOWNREL "Downloading Release file"
+               info RELEASESIG "Checking Release signature"
+               # Don't worry about the exit status from gpgv; parsing the 
output will
+               # take care of that.
+               (gpgv --status-fd 1 --keyring "$KEYRING" --ignore-time-conflict 
\
+                "$relsigdest" "$reldest" || true) | read_gpg_status
+       else
+               get "$m1/dists/$SUITE/Release" "$reldest" nocache ||
+                       error 1 NOGETREL "Failed getting release file %s" 
"$m1/dists/$SUITE/Release"
+               progress 100 100 DOWNREL "Downloading Release file"
 
-       download_release_sig "$m1" "$reldest" "$relsigdest"
+               download_release_sig "$m1" "$reldest" "$relsigdest"
+       fi
 
        extract_release_components $reldest
 
