authorJunichi Uekawa <dancer@netfort.gr.jp>2010-07-05 22:18:05 +0900
committerJunichi Uekawa <dancer@netfort.gr.jp>2010-07-05 22:18:05 +0900
commitd5e06cb5cae17d5f8b6ce1954e35443b2c7a7df3 (patch)
tree26c07d628f60b2872ad7c18a68880c130388523e
parent68c7f72fd56e20ddb6a2e83bdd355c46af9620ea (diff)
Add an option to verify key signatures. (closes: #579028)
By unsetting APTGETOPT, and setting PBUILDERSATISFYDEPENDSOPT=('--check-key'), the user now has an option of verifying the key signature of each package against the installed keyring.
-rw-r--r--examples/B90lintian2
-rw-r--r--examples/B91debc2
-rw-r--r--examples/B91dpkg-i4
-rw-r--r--examples/B92test-pkg4
-rw-r--r--examples/C10shell2
-rwxr-xr-xexamples/C11screen2
-rwxr-xr-xexamples/execute_installtest.sh2
-rw-r--r--examples/pbuilder-test/000_prepinstall2
-rw-r--r--pbuilder-buildpackage-funcs4
-rwxr-xr-xpbuilder-createbuildenv4
-rwxr-xr-xpbuilder-satisfydepends-aptitude2
-rwxr-xr-xpbuilder-satisfydepends-checkparams11
-rwxr-xr-xpbuilder-satisfydepends-classic4
-rwxr-xr-xpbuilder-satisfydepends-experimental4
-rw-r--r--pbuilder-satisfydepends-gdebi2
-rwxr-xr-xpbuilder-updatebuildenv6
-rw-r--r--pbuilderrc6
-rw-r--r--pbuilderrc.511
-rw-r--r--pdebuild-internal4
19 files changed, 53 insertions, 25 deletions
diff --git a/examples/B90lintian b/examples/B90lintian
index f2c692f..83f39c3 100644
--- a/examples/B90lintian
+++ b/examples/B90lintian
@@ -3,7 +3,7 @@
set -e
install_packages() {
- apt-get -y --force-yes install "$@"
+ apt-get -y "${APTGETOPT[@]}" install "$@"
}
install_packages lintian
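Review bot: `"${APTGETOPT[@]}"` in this hook relies on an array the hook process may never receive, because pbuilderrc sets it with `export APTGETOPT=('--force-yes')` and bash does not pass arrays through the environment. If hooks are executed as separate processes rather than sourced (not visible in this diff), the expansion is empty and the hook no longer matches the documented default. If a hook is run by a POSIX `sh`, the array syntax is an error; the shebang lines are outside the hunks. The same applies to B91debc, B91dpkg-i, B92test-pkg, C10shell, C11screen, execute_installtest.sh, 000_prepinstall and pdebuild-internal. Consider a guarded fallback at the top of each script, or document that hooks must be run by bash with the configuration sourced.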
diff --git a/examples/B91debc b/examples/B91debc
index b52620f..98c6a47 100644
--- a/examples/B91debc
+++ b/examples/B91debc
@@ -3,7 +3,7 @@
#
# 343894: a script to run debc command, contributed from q-funk.
-apt-get install -y --force-yes devscripts
+apt-get install -y "${APTGETOPT[@]}" devscripts
cd /tmp/buildd/*/debian
cd ..
debc
diff --git a/examples/B91dpkg-i b/examples/B91dpkg-i
index ee031bb..00f2561 100644
--- a/examples/B91dpkg-i
+++ b/examples/B91dpkg-i
@@ -18,11 +18,11 @@ dpkg -i /tmp/buildd/*.deb
dpkg --purge $PKGNAMES
# upgrade-remove check
-apt-get install -y --force-yes $PKGNAMES || true
+apt-get install -y "${APTGETOPT[@]}" $PKGNAMES || true
dpkg -i /tmp/buildd/*.deb
dpkg --remove $PKGNAMES
# upgrade-purge check
-apt-get install -y --force-yes $PKGNAMES || true
+apt-get install -y "${APTGETOPT[@]}" $PKGNAMES || true
dpkg -i /tmp/buildd/*.deb
dpkg --purge $PKGNAMES
diff --git a/examples/B92test-pkg b/examples/B92test-pkg
index 1325e50..53703f4 100644
--- a/examples/B92test-pkg
+++ b/examples/B92test-pkg
@@ -10,13 +10,13 @@ set -e
echo "Installing the prerequisites"
# ignore the failures since they are not the prime interest
for PKG in $(ls /tmp/buildd/*.deb | sed -e's,.*/,,;s,_.*,,' ); do
- apt-get install -y --force-yes "$PKG" || true
+ apt-get install -y "${APTGETOPT[@]}" "$PKG" || true
apt-get remove -y "$PKG" || true
done
# install the single package, then try to satisfy dependencies.
dpkg -i /tmp/buildd/*.deb || true
-apt-get install -y -f --force-yes
+apt-get install -y -f "${APTGETOPT[@]}"
if chmod a+x /tmp/buildd/*/debian/pbuilder-test/*; then
:
diff --git a/examples/C10shell b/examples/C10shell
index 0a13d10..017cb0e 100644
--- a/examples/C10shell
+++ b/examples/C10shell
@@ -2,6 +2,6 @@
# example file to be used with --hookdir
#
# invoke shell if build fails.
-apt-get install -y --force-yes vim less
+apt-get install -y "${APTGETOPT[@]}" vim less
cd /tmp/buildd/*/debian/..
/bin/bash < /dev/tty > /dev/tty 2> /dev/tty
diff --git a/examples/C11screen b/examples/C11screen
index 45f8a66..9b1d30f 100755
--- a/examples/C11screen
+++ b/examples/C11screen
@@ -4,6 +4,6 @@
# invoke GNU screen if build fails.
export debian_chroot="pbuilder"
-apt-get install -y --force-yes screen vim less
+apt-get install -y "${APTGETOPT[@]}" screen vim less
cd /tmp/buildd/*/debian/..
screen </dev/tty > /dev/tty 2> /dev/tty
diff --git a/examples/execute_installtest.sh b/examples/execute_installtest.sh
index 13f14f0..2e903a7 100755
--- a/examples/execute_installtest.sh
+++ b/examples/execute_installtest.sh
@@ -17,7 +17,7 @@ INSTALLTESTPID=$$
( sleep 1h ; kill $INSTALLTESTPID ) &
KILLPID=$!
-apt-get install -y --force-yes "$@" < /dev/null
+apt-get install -y "${APTGETOPT[@]}" "$@" < /dev/null
kill $KILLPID
diff --git a/examples/pbuilder-test/000_prepinstall b/examples/pbuilder-test/000_prepinstall
index 493bc59..24c4016 100644
--- a/examples/pbuilder-test/000_prepinstall
+++ b/examples/pbuilder-test/000_prepinstall
@@ -3,7 +3,7 @@
# prepare environment for further testing.
apt-get update
-apt-get -y --force-yes install binfmtc sudo
+apt-get -y "${APTGETOPT[@]}" install binfmtc sudo
# add users if required.
diff --git a/pbuilder-buildpackage-funcs b/pbuilder-buildpackage-funcs
index 39f1e71..0c19dc7 100644
--- a/pbuilder-buildpackage-funcs
+++ b/pbuilder-buildpackage-funcs
@@ -37,7 +37,7 @@ function checkbuilddep () {
yes) BUILDOPT="--binary-arch";;
*) ;;
esac
- if "$PBUILDERSATISFYDEPENDSCMD" --control "$1" --chroot "${BUILDPLACE}" --internal-chrootexec "${CHROOTEXEC}" "${BUILDOPT}" ; then
+ if "$PBUILDERSATISFYDEPENDSCMD" --control "$1" --chroot "${BUILDPLACE}" --internal-chrootexec "${CHROOTEXEC}" "${BUILDOPT}" "${PBUILDERSATISFYDEPENDSOPT[@]}"; then
:
else
# If asked to preserve the build place, and pbuilder-satisfydepends
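Review bot: `"${PBUILDERSATISFYDEPENDSOPT[@]}"` is appended after `"${BUILDOPT}"`, which expands to a single empty argument whenever the `case` above leaves BUILDOPT empty (its initial value is outside the hunk). The option loop in pbuilder-satisfydepends-checkparams is `while [ -n "$1" ]`, so it would stop at that empty argument and never reach `--check-key`, leaving signature checking off with no message. Place the new array before BUILDOPT, or pass BUILDOPT as `${BUILDOPT:+"$BUILDOPT"}`. checkbuilddep starts and ends outside this hunk.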
@@ -50,7 +50,7 @@ function checkbuilddep () {
fi
# install extra packages to the chroot
if [ -n "$EXTRAPACKAGES" ]; then
- $CHROOTEXEC usr/bin/apt-get -q -y --force-yes install ${EXTRAPACKAGES}
+ $CHROOTEXEC usr/bin/apt-get -q -y "${APTGETOPT[@]}" install ${EXTRAPACKAGES}
fi
}
diff --git a/pbuilder-createbuildenv b/pbuilder-createbuildenv
index bbd49e4..6c69f98 100755
--- a/pbuilder-createbuildenv
+++ b/pbuilder-createbuildenv
@@ -110,8 +110,8 @@ if [ -n "$REMOVEPACKAGES" ]; then
$CHROOTEXEC /usr/bin/dpkg --purge $REMOVEPACKAGES
fi
recover_aptcache
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes "${FORCE_CONFNEW[@]}" dist-upgrade
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes install build-essential dpkg-dev $EXTRAPACKAGES
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" "${FORCE_CONFNEW[@]}" dist-upgrade
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" install build-essential dpkg-dev $EXTRAPACKAGES
save_aptcache
executehooks "E"
diff --git a/pbuilder-satisfydepends-aptitude b/pbuilder-satisfydepends-aptitude
index 9ddabee..43d8693 100755
--- a/pbuilder-satisfydepends-aptitude
+++ b/pbuilder-satisfydepends-aptitude
@@ -89,7 +89,7 @@ EOF
$CHROOTEXEC sh -c "cat \"$BUILD_DEP_DEB_CONTROL\""
$CHROOTEXEC sh -c "dpkg-deb -b \"$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy\""
$CHROOTEXEC dpkg -i "$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy.deb" || true
- $CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false -o Aptitude::CmdLine::Ignore-Trust-Violations=true -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy
+ $CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false "${PBUILDER_APTITUDE_CHECK_OPTS[$@]}" -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy
# check whether the aptitude's resolver kept the package
if ! $CHROOTEXEC dpkg -l pbuilder-satisfydepends-dummy 2>/dev/null | grep -q ^ii; then
echo "Aptitude couldn't satisfy the build dependencies"
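Review bot: `"${PBUILDER_APTITUDE_CHECK_OPTS[$@]}"` uses `$@` as the array subscript, which looks like a typo for `[@]`. As written, bash treats the positional parameters as an index, so depending on their value the result is a single element or a subscript error. Either way aptitude does not reliably receive the `-o Aptitude::CmdLine::Ignore-Trust-Violations=true` pair that the removed text supplied. Use `"${PBUILDER_APTITUDE_CHECK_OPTS[@]}"` so the array expands to both words by default and to nothing after `--check-key`.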
diff --git a/pbuilder-satisfydepends-checkparams b/pbuilder-satisfydepends-checkparams
index 16e418d..58ce976 100755
--- a/pbuilder-satisfydepends-checkparams
+++ b/pbuilder-satisfydepends-checkparams
@@ -27,6 +27,12 @@ FORCEVERSION=""
CONTINUE_FAIL="no"
CHROOTEXEC_AFTER_INTERNAL_CHROOTEXEC=no
+# aptitude flag to ignore key verification
+PBUILDER_APTITUDE_CHECK_OPTS=('-o' \
+ 'Aptitude::CmdLine::Ignore-Trust-Violations=true')
+# apt flag to ignore key verification
+PBUILDER_APT_GET_CHECK_OPTS="--force-yes"
+
while [ -n "$1" ]; do
case "$1" in
--control|-c)
@@ -72,6 +78,11 @@ while [ -n "$1" ]; do
FORCEVERSION="yes"
shift;
;;
+ --check-key)
+ unset PBUILDER_APTITUDE_CHECK_OPTS
+ unset PBUILDER_APT_GET_CHECK_OPTS
+ shift;
+ ;;
--help|-h|*)
print_help
exit 1
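Review bot: `--check-key` unsets `PBUILDER_APT_GET_CHECK_OPTS`, but none of the apt-get calls changed in this commit read that variable; pbuilder-satisfydepends-classic, -experimental and -gdebi all expand `"${APTGETOPT[@]}"` instead. In the hunks shown, the flag alone therefore leaves `--force-yes` in place for those resolvers, and only the aptitude resolver responds to it. Either have the apt-get resolvers use `PBUILDER_APT_GET_CHECK_OPTS`, or have this branch also run `unset APTGETOPT`, and add a comment saying which variable governs which resolver. The apt-get variable is also a scalar while its aptitude counterpart is an array; making both arrays would keep the expansions uniform.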
diff --git a/pbuilder-satisfydepends-classic b/pbuilder-satisfydepends-classic
index c38e139..20f481a 100755
--- a/pbuilder-satisfydepends-classic
+++ b/pbuilder-satisfydepends-classic
@@ -128,10 +128,10 @@ checkbuilddep_internal() {
# now actually install the packages
echo " -> Installing $INSTALLPKGLIST"
- if ! $CHROOTEXEC apt-get -y --force-yes install $APTFLAG $INSTALLPKGLIST; then
+ if ! $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" install $APTFLAG $INSTALLPKGLIST; then
echo " -> Trying to fix apt error"
# Work around an apt bug which causes configure to fail.
- if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y --force-yes install $APTFLAG $INSTALLPKGLIST; then
+ if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" install $APTFLAG $INSTALLPKGLIST; then
echo " -> Apt bug workaround succeeded"
elif [ "$CONTINUE_FAIL" != "yes" ]; then
echo "E: Unrecoverable error installing build-dependencies." >&2
diff --git a/pbuilder-satisfydepends-experimental b/pbuilder-satisfydepends-experimental
index 534d19a..b1de1c7 100755
--- a/pbuilder-satisfydepends-experimental
+++ b/pbuilder-satisfydepends-experimental
@@ -124,10 +124,10 @@ function checkbuilddep_internal () {
# now actually install the packages
echo " -> Installing $INSTALLPKGLIST"
- if ! $CHROOTEXEC apt-get -y --force-yes $APTFLAG install $INSTALLPKGLIST; then
+ if ! $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" $APTFLAG install $INSTALLPKGLIST; then
echo " -> Trying to fix apt error"
# Work around an apt bug which causes configure to fail.
- if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y --force-yes $APTFLAG install $INSTALLPKGLIST; then
+ if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" $APTFLAG install $INSTALLPKGLIST; then
echo " -> Apt bug workaround succeeded"
elif [ "$CONTINUE_FAIL" != "yes" ]; then
echo "E: Unrecoverable error installing build-dependencies." >&2
diff --git a/pbuilder-satisfydepends-gdebi b/pbuilder-satisfydepends-gdebi
index b12aa87..bdf812d 100644
--- a/pbuilder-satisfydepends-gdebi
+++ b/pbuilder-satisfydepends-gdebi
@@ -36,7 +36,7 @@ function checkbuilddep_internal () {
fi
INSTALL=$(/usr/bin/gdebi --quiet --root $CHROOT --apt-line $NO_RECOMMENDS $DEBIAN_CONTROL)
- $CHROOTEXEC /usr/bin/apt-get install -y --force-yes $INSTALL
+ $CHROOTEXEC /usr/bin/apt-get install -y "${APTGETOPT[@]}" $INSTALL
}
. /usr/lib/pbuilder/pbuilder-satisfydepends-checkparams
diff --git a/pbuilder-updatebuildenv b/pbuilder-updatebuildenv
index eafa3e4..cdcc22c 100755
--- a/pbuilder-updatebuildenv
+++ b/pbuilder-updatebuildenv
@@ -64,12 +64,12 @@ fi
recover_aptcache
$TRAP saveaptcache_umountproc_cleanbuildplace_trap exit sighup
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes "${FORCE_CONFNEW[@]}" dist-upgrade
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" "${FORCE_CONFNEW[@]}" dist-upgrade
# autoremove: Ignore error in case of etch because apt in etch doesn't
# support autoremove. TODO: Do not ignore error when etch is no longer
# supported.
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes autoremove || true
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes install build-essential dpkg-dev $EXTRAPACKAGES
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" autoremove || true
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" install build-essential dpkg-dev $EXTRAPACKAGES
save_aptcache
# optionally auto-clean apt-cache
diff --git a/pbuilderrc b/pbuilderrc
index d05a3ff..350028a 100644
--- a/pbuilderrc
+++ b/pbuilderrc
@@ -53,6 +53,12 @@ PBUILDERROOTCMD="sudo -E"
# not support unsigned APT repositories
PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends"
+# You can optionally make pbuilder check key by setting the following flags
+# PBUILDERSATISFYDEPENDSOPT=('--check-key')
+# unset PBUILDERSATISFYDEPENDSOPT
+# option to pass to apt-get always.
+export APTGETOPT=('--force-yes')
+
#Command-line option passed on to dpkg-buildpackage.
#DEBBUILDOPTS="-IXXX -iXXX"
DEBBUILDOPTS=""
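Review bot: The comment `# unset PBUILDERSATISFYDEPENDSOPT` directly follows the line showing how to set that same variable, while the commit message and pbuilderrc.5 say it is APTGETOPT that must be unset to enable verification. The line presumably should read `# unset APTGETOPT`. Because the shipped default keeps `--force-yes`, package signatures are not checked unless the user changes both settings, and the comment should say so plainly, e.g. `# Default skips signature verification; to enable it, set PBUILDERSATISFYDEPENDSOPT=('--check-key') and unset APTGETOPT.`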
diff --git a/pbuilderrc.5 b/pbuilderrc.5
index 7c54c36..e6123d6 100644
--- a/pbuilderrc.5
+++ b/pbuilderrc.5
@@ -316,6 +316,17 @@ used until 0.172.
The default is now "aptitude".
.TP
+.BI "PBUILDERSATISFYDEPENDSOPT=" "('--check-key')"
+Array of flags to give to pbuilder-satisfydepends.
+Specifying --check-key here will try to verify key signatures.
+
+.TP
+.BI "APTGETOPT=" "('--force-yes')"
+Extra flags to give to apt-get.
+Default is --force-yes, which will skip key verification of packages
+to be installed. Unset if you want to enable key verification.
+
+.TP
.BI "REMOVEPACKAGES=" "lilo"
Specify the packages to be removed on creation of
.B base.tgz
diff --git a/pdebuild-internal b/pdebuild-internal
index 4d07a48..0c4fb99 100644
--- a/pdebuild-internal
+++ b/pdebuild-internal
@@ -30,7 +30,7 @@ set -e
# I am probably running as root; make sure I have pbuilder installed here.
# passwd is needed as well because of useradd and groupadd calls.
-apt-get install -q -y --force-yes pbuilder passwd
+apt-get install -q -y "${APTGETOPT[@]}" pbuilder passwd
# I'm not going to have the same LOGNAME as outside, I'm root.
export LOGNAME=root
@@ -101,7 +101,7 @@ fi
executehooks "D"
export PBCURRENTCOMMANDLINEOPERATION="pdebuild"
"$PBUILDERSATISFYDEPENDSCMD"
-apt-get install -q -y --force-yes fakeroot
+apt-get install -q -y "${APTGETOPT[@]}" fakeroot
# set home directory to ..