author | Junichi Uekawa <dancer@netfort.gr.jp> | 2010-07-05 22:18:05 +0900 |
---|---|---|
committer | Junichi Uekawa <dancer@netfort.gr.jp> | 2010-07-05 22:18:05 +0900 |
commit | d5e06cb5cae17d5f8b6ce1954e35443b2c7a7df3 (patch) | |
tree | 26c07d628f60b2872ad7c18a68880c130388523e | |
parent | 68c7f72fd56e20ddb6a2e83bdd355c46af9620ea (diff) | |
download | pbuilder-d5e06cb5cae17d5f8b6ce1954e35443b2c7a7df3.tar pbuilder-d5e06cb5cae17d5f8b6ce1954e35443b2c7a7df3.tar.gz |
Add an option to verify key signatures. (closes: #579028)
By unsetting APTGETOPT, and setting
PBUILDERSATISFYDEPENDSOPT=('--check-key'), the user now has an option
of verifying the key signature of each package against the installed
keyring.
-rw-r--r-- | examples/B90lintian | 2 | ||||
-rw-r--r-- | examples/B91debc | 2 | ||||
-rw-r--r-- | examples/B91dpkg-i | 4 | ||||
-rw-r--r-- | examples/B92test-pkg | 4 | ||||
-rw-r--r-- | examples/C10shell | 2 | ||||
-rwxr-xr-x | examples/C11screen | 2 | ||||
-rwxr-xr-x | examples/execute_installtest.sh | 2 | ||||
-rw-r--r-- | examples/pbuilder-test/000_prepinstall | 2 | ||||
-rw-r--r-- | pbuilder-buildpackage-funcs | 4 | ||||
-rwxr-xr-x | pbuilder-createbuildenv | 4 | ||||
-rwxr-xr-x | pbuilder-satisfydepends-aptitude | 2 | ||||
-rwxr-xr-x | pbuilder-satisfydepends-checkparams | 11 | ||||
-rwxr-xr-x | pbuilder-satisfydepends-classic | 4 | ||||
-rwxr-xr-x | pbuilder-satisfydepends-experimental | 4 | ||||
-rw-r--r-- | pbuilder-satisfydepends-gdebi | 2 | ||||
-rwxr-xr-x | pbuilder-updatebuildenv | 6 | ||||
-rw-r--r-- | pbuilderrc | 6 | ||||
-rw-r--r-- | pbuilderrc.5 | 11 | ||||
-rw-r--r-- | pdebuild-internal | 4 |
19 files changed, 53 insertions, 25 deletions
diff --git a/examples/B90lintian b/examples/B90lintian
index f2c692f..83f39c3 100644
--- a/examples/B90lintian
+++ b/examples/B90lintian
@@ -3,7 +3,7 @@ set -e
 install_packages() {
- apt-get -y --force-yes install "$@"
+ apt-get -y "${APTGETOPT[@]}" install "$@"
 }
 install_packages lintian
diff --git a/examples/B91debc b/examples/B91debc
index b52620f..98c6a47 100644
--- a/examples/B91debc
+++ b/examples/B91debc
@@ -3,7 +3,7 @@
 #
 # 343894: a script to run debc command, contributed from q-funk.
-apt-get install -y --force-yes devscripts
+apt-get install -y "${APTGETOPT[@]}" devscripts
 cd /tmp/buildd/*/debian
 cd ..
 debc
diff --git a/examples/B91dpkg-i b/examples/B91dpkg-i
index ee031bb..00f2561 100644
--- a/examples/B91dpkg-i
+++ b/examples/B91dpkg-i
@@ -18,11 +18,11 @@ dpkg -i /tmp/buildd/*.deb
 dpkg --purge $PKGNAMES
 # upgrade-remove check
-apt-get install -y --force-yes $PKGNAMES || true
+apt-get install -y "${APTGETOPT[@]}" $PKGNAMES || true
 dpkg -i /tmp/buildd/*.deb
 dpkg --remove $PKGNAMES
 # upgrade-purge check
-apt-get install -y --force-yes $PKGNAMES || true
+apt-get install -y "${APTGETOPT[@]}" $PKGNAMES || true
 dpkg -i /tmp/buildd/*.deb
 dpkg --purge $PKGNAMES
diff --git a/examples/B92test-pkg b/examples/B92test-pkg
index 1325e50..53703f4 100644
--- a/examples/B92test-pkg
+++ b/examples/B92test-pkg
@@ -10,13 +10,13 @@ set -e
 echo "Installing the prerequisites"
 # ignore the failures since they are not the prime interest
 for PKG in $(ls /tmp/buildd/*.deb | sed -e's,.*/,,;s,_.*,,' ); do
- apt-get install -y --force-yes "$PKG" || true
+ apt-get install -y "${APTGETOPT[@]}" "$PKG" || true
 apt-get remove -y "$PKG" || true
 done
 # install the single package, then try to satisfy dependencies.
 dpkg -i /tmp/buildd/*.deb || true
-apt-get install -y -f --force-yes
+apt-get install -y -f "${APTGETOPT[@]}"
 if chmod a+x /tmp/buildd/*/debian/pbuilder-test/*; then
 :
diff --git a/examples/C10shell b/examples/C10shell
index 0a13d10..017cb0e 100644
--- a/examples/C10shell
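Review bot: `"${APTGETOPT[@]}"` in install_packages expands to nothing if this hook runs as its own process, because bash does not place array variables in the exported environment, so the `export APTGETOPT=('--force-yes')` added to pbuilderrc in this commit only reaches code sourced into pbuilder's own shell. The hunks do not show how the examples/* hooks and pdebuild-internal are started; if they are executed via $CHROOTEXEC rather than sourced, every converted apt-get call silently loses the option and the outcome then depends on the chroot's apt trust configuration instead of the documented default. The same applies to B91debc, B91dpkg-i, B92test-pkg, C10shell, C11screen, execute_installtest.sh, pbuilder-test/000_prepinstall and both pdebuild-internal hunks. Either export a scalar copy of the flags alongside the array for the hooks, or have each hook set its own default, and add a comment at this call site saying where APTGETOPT is expected to come from, e.g. `# APTGETOPT is set in pbuilderrc; an array is not inherited through the environment`.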
+++ b/examples/C10shell
@@ -2,6 +2,6 @@
 # example file to be used with --hookdir
 #
 # invoke shell if build fails.
-apt-get install -y --force-yes vim less
+apt-get install -y "${APTGETOPT[@]}" vim less
 cd /tmp/buildd/*/debian/..
 /bin/bash < /dev/tty > /dev/tty 2> /dev/tty
diff --git a/examples/C11screen b/examples/C11screen
index 45f8a66..9b1d30f 100755
--- a/examples/C11screen
+++ b/examples/C11screen
@@ -4,6 +4,6 @@
 # invoke GNU screen if build fails.
 export debian_chroot="pbuilder"
-apt-get install -y --force-yes screen vim less
+apt-get install -y "${APTGETOPT[@]}" screen vim less
 cd /tmp/buildd/*/debian/..
 screen </dev/tty > /dev/tty 2> /dev/tty
diff --git a/examples/execute_installtest.sh b/examples/execute_installtest.sh
index 13f14f0..2e903a7 100755
--- a/examples/execute_installtest.sh
+++ b/examples/execute_installtest.sh
@@ -17,7 +17,7 @@ INSTALLTESTPID=$$
 ( sleep 1h ; kill $INSTALLTESTPID ) & KILLPID=$!
-apt-get install -y --force-yes "$@" < /dev/null
+apt-get install -y "${APTGETOPT[@]}" "$@" < /dev/null
 kill $KILLPID
diff --git a/examples/pbuilder-test/000_prepinstall b/examples/pbuilder-test/000_prepinstall
index 493bc59..24c4016 100644
--- a/examples/pbuilder-test/000_prepinstall
+++ b/examples/pbuilder-test/000_prepinstall
@@ -3,7 +3,7 @@
 # prepare environment for further testing.
 apt-get update
-apt-get -y --force-yes install binfmtc sudo
+apt-get -y "${APTGETOPT[@]}" install binfmtc sudo
 # add users if required.
diff --git a/pbuilder-buildpackage-funcs b/pbuilder-buildpackage-funcs
index 39f1e71..0c19dc7 100644
--- a/pbuilder-buildpackage-funcs
+++ b/pbuilder-buildpackage-funcs
@@ -37,7 +37,7 @@ function checkbuilddep () {
 yes) BUILDOPT="--binary-arch";;
 *) ;;
 esac
- if "$PBUILDERSATISFYDEPENDSCMD" --control "$1" --chroot "${BUILDPLACE}" --internal-chrootexec "${CHROOTEXEC}" "${BUILDOPT}" ; then
+ if "$PBUILDERSATISFYDEPENDSCMD" --control "$1" --chroot "${BUILDPLACE}" --internal-chrootexec "${CHROOTEXEC}" "${BUILDOPT}" "${PBUILDERSATISFYDEPENDSOPT[@]}"; then
 :
 else
 # If asked to preserve the build place, and pbuilder-satisfydepends
@@ -50,7 +50,7 @@ function checkbuilddep () {
 fi
 # install extra packages to the chroot
 if [ -n "$EXTRAPACKAGES" ]; then
- $CHROOTEXEC usr/bin/apt-get -q -y --force-yes install ${EXTRAPACKAGES}
+ $CHROOTEXEC usr/bin/apt-get -q -y "${APTGETOPT[@]}" install ${EXTRAPACKAGES}
 fi
 }
diff --git a/pbuilder-createbuildenv b/pbuilder-createbuildenv
index bbd49e4..6c69f98 100755
--- a/pbuilder-createbuildenv
+++ b/pbuilder-createbuildenv
@@ -110,8 +110,8 @@ if [ -n "$REMOVEPACKAGES" ]; then
 $CHROOTEXEC /usr/bin/dpkg --purge $REMOVEPACKAGES
 fi
 recover_aptcache
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes "${FORCE_CONFNEW[@]}" dist-upgrade
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes install build-essential dpkg-dev $EXTRAPACKAGES
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" "${FORCE_CONFNEW[@]}" dist-upgrade
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" install build-essential dpkg-dev $EXTRAPACKAGES
 save_aptcache
 executehooks "E"
diff --git a/pbuilder-satisfydepends-aptitude b/pbuilder-satisfydepends-aptitude
index 9ddabee..43d8693 100755
--- a/pbuilder-satisfydepends-aptitude
+++ b/pbuilder-satisfydepends-aptitude
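Review bot: `"${PBUILDERSATISFYDEPENDSOPT[@]}"` is appended after `"${BUILDOPT}"` in the first hunk, and BUILDOPT is presumably left empty by the `*) ;;` arm just above, so the satisfydepends command then receives an empty-string argument before `--check-key`; pbuilder-satisfydepends-checkparams parses its arguments with `while [ -n "$1" ]; do` (visible later in this commit), which stops at that empty argument, so `--check-key` is silently ignored whenever the binary-arch option is not in effect. A key-verification switch that is dropped without any error is the worst failure mode for this kind of option. Put the array before the optional argument, `"${CHROOTEXEC}" "${PBUILDERSATISFYDEPENDSOPT[@]}" "${BUILDOPT}"; then`, or pass BUILDOPT only when it is set, `${BUILDOPT:+"$BUILDOPT"}`. checkbuilddep begins before this hunk and ends after the second one.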
@@ -89,7 +89,7 @@ EOF
 $CHROOTEXEC sh -c "cat \"$BUILD_DEP_DEB_CONTROL\""
 $CHROOTEXEC sh -c "dpkg-deb -b \"$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy\""
 $CHROOTEXEC dpkg -i "$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy.deb" || true
- $CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false -o Aptitude::CmdLine::Ignore-Trust-Violations=true -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy
+ $CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false "${PBUILDER_APTITUDE_CHECK_OPTS[$@]}" -o Aptitude::ProblemResolver::StepScore=100 install pbuilder-satisfydepends-dummy
 # check whether the aptitude's resolver kept the package
 if ! $CHROOTEXEC dpkg -l pbuilder-satisfydepends-dummy 2>/dev/null | grep -q ^ii; then
 echo "Aptitude couldn't satisfy the build dependencies"
diff --git a/pbuilder-satisfydepends-checkparams b/pbuilder-satisfydepends-checkparams
index 16e418d..58ce976 100755
--- a/pbuilder-satisfydepends-checkparams
+++ b/pbuilder-satisfydepends-checkparams
@@ -27,6 +27,12 @@ FORCEVERSION=""
 CONTINUE_FAIL="no"
 CHROOTEXEC_AFTER_INTERNAL_CHROOTEXEC=no
+# aptitude flag to ignore key verification
+PBUILDER_APTITUDE_CHECK_OPTS=('-o' \
+ 'Aptitude::CmdLine::Ignore-Trust-Violations=true')
+# apt flag to ignore key verification
+PBUILDER_APT_GET_CHECK_OPTS="--force-yes"
+
 while [ -n "$1" ]; do
 case "$1" in
 --control|-c)
@@ -72,6 +78,11 @@ while [ -n "$1" ]; do
 FORCEVERSION="yes"
 shift;
 ;;
+ --check-key)
+ unset PBUILDER_APTITUDE_CHECK_OPTS
+ unset PBUILDER_APT_GET_CHECK_OPTS
+ shift;
+ ;;
 --help|-h|*)
 print_help
 exit 1
diff --git a/pbuilder-satisfydepends-classic b/pbuilder-satisfydepends-classic
index c38e139..20f481a 100755
--- a/pbuilder-satisfydepends-classic
+++ b/pbuilder-satisfydepends-classic
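Review bot: `"${PBUILDER_APTITUDE_CHECK_OPTS[$@]}"` on the added aptitude line uses `$@` as an arithmetic array subscript instead of the whole-array expansion `[@]`, so it yields at most one element of the two-element array (or a bad-subscript error when there are no positional parameters); the `-o` and its `Aptitude::CmdLine::Ignore-Trust-Violations=true` value are never passed as a pair, and the default path without `--check-key` no longer does what the removed line did. Change it to `"${PBUILDER_APTITUDE_CHECK_OPTS[@]}"`. Once `--check-key` has unset the array that expansion is empty, which is the intended effect, though with `set -u` on bash older than 4.4 it would be reported as unbound; I cannot see from the hunk whether this script sets -u.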
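Review bot: `PBUILDER_APT_GET_CHECK_OPTS="--force-yes"` is defined in the first checkparams hunk and cleared by `--check-key` in the second, but no hunk in this commit reads it: pbuilder-satisfydepends-classic, -experimental and -gdebi were switched to `"${APTGETOPT[@]}"` instead, so `--check-key` only affects the aptitude resolver, and the pbuilderrc.5 sentence "Specifying --check-key here will try to verify key signatures" overstates what it does. Either drop the variable, or make it an array, `PBUILDER_APT_GET_CHECK_OPTS=('--force-yes')`, and expand `"${PBUILDER_APT_GET_CHECK_OPTS[@]}"` at the apt-get call sites of those three backends so that one switch governs every resolver. The new `--check-key` arm should also appear in print_help, which the commit does not touch, and its comment should say what the option changes rather than only what the default is, e.g. `# --check-key: do not override apt/aptitude trust checks`.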
@@ -128,10 +128,10 @@ checkbuilddep_internal() {
 # now actually install the packages
 echo " -> Installing $INSTALLPKGLIST"
- if ! $CHROOTEXEC apt-get -y --force-yes install $APTFLAG $INSTALLPKGLIST; then
+ if ! $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" install $APTFLAG $INSTALLPKGLIST; then
 echo " -> Trying to fix apt error"
 # Work around an apt bug which causes configure to fail.
- if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y --force-yes install $APTFLAG $INSTALLPKGLIST; then
+ if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" install $APTFLAG $INSTALLPKGLIST; then
 echo " -> Apt bug workaround succeeded"
 elif [ "$CONTINUE_FAIL" != "yes" ]; then
 echo "E: Unrecoverable error installing build-dependencies." >&2
diff --git a/pbuilder-satisfydepends-experimental b/pbuilder-satisfydepends-experimental
index 534d19a..b1de1c7 100755
--- a/pbuilder-satisfydepends-experimental
+++ b/pbuilder-satisfydepends-experimental
@@ -124,10 +124,10 @@ function checkbuilddep_internal () {
 # now actually install the packages
 echo " -> Installing $INSTALLPKGLIST"
- if ! $CHROOTEXEC apt-get -y --force-yes $APTFLAG install $INSTALLPKGLIST; then
+ if ! $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" $APTFLAG install $INSTALLPKGLIST; then
 echo " -> Trying to fix apt error"
 # Work around an apt bug which causes configure to fail.
- if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y --force-yes $APTFLAG install $INSTALLPKGLIST; then
+ if $CHROOTEXEC dpkg --configure --pending && $CHROOTEXEC apt-get -y "${APTGETOPT[@]}" $APTFLAG install $INSTALLPKGLIST; then
 echo " -> Apt bug workaround succeeded"
 elif [ "$CONTINUE_FAIL" != "yes" ]; then
 echo "E: Unrecoverable error installing build-dependencies." >&2
diff --git a/pbuilder-satisfydepends-gdebi b/pbuilder-satisfydepends-gdebi
index b12aa87..bdf812d 100644
--- a/pbuilder-satisfydepends-gdebi
+++ b/pbuilder-satisfydepends-gdebi
@@ -36,7 +36,7 @@ function checkbuilddep_internal () {
 fi
 INSTALL=$(/usr/bin/gdebi --quiet --root $CHROOT --apt-line $NO_RECOMMENDS $DEBIAN_CONTROL)
- $CHROOTEXEC /usr/bin/apt-get install -y --force-yes $INSTALL
+ $CHROOTEXEC /usr/bin/apt-get install -y "${APTGETOPT[@]}" $INSTALL
 }
 . /usr/lib/pbuilder/pbuilder-satisfydepends-checkparams
diff --git a/pbuilder-updatebuildenv b/pbuilder-updatebuildenv
index eafa3e4..cdcc22c 100755
--- a/pbuilder-updatebuildenv
+++ b/pbuilder-updatebuildenv
@@ -64,12 +64,12 @@ fi
 recover_aptcache
 $TRAP saveaptcache_umountproc_cleanbuildplace_trap exit sighup
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes "${FORCE_CONFNEW[@]}" dist-upgrade
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" "${FORCE_CONFNEW[@]}" dist-upgrade
 # autoremove: Ignore error in case of etch because apt in etch doesn't
 # support autoremove. TODO: Do not ignore error when etch is no longer
 # supported.
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes autoremove || true
-$CHROOTEXEC /usr/bin/apt-get -q -y --force-yes install build-essential dpkg-dev $EXTRAPACKAGES
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" autoremove || true
+$CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" install build-essential dpkg-dev $EXTRAPACKAGES
 save_aptcache
 # optionally auto-clean apt-cache
@@ -53,6 +53,12 @@ PBUILDERROOTCMD="sudo -E"
 # not support unsigned APT repositories
 PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends"
+# You can optionally make pbuilder check key by setting the following flags
+# PBUILDERSATISFYDEPENDSOPT=('--check-key')
+# unset PBUILDERSATISFYDEPENDSOPT
+# option to pass to apt-get always.
+export APTGETOPT=('--force-yes')
+
 #Command-line option passed on to dpkg-buildpackage.
 #DEBBUILDOPTS="-IXXX -iXXX"
 DEBBUILDOPTS=""
diff --git a/pbuilderrc.5 b/pbuilderrc.5
index 7c54c36..e6123d6 100644
--- a/pbuilderrc.5
+++ b/pbuilderrc.5
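Review bot: `export APTGETOPT=('--force-yes')` in the `@@ -53,6 +53,12 @@` hunk (its `diff --git a/pbuilderrc` header is missing from this page; the diffstat credits pbuilderrc with 6 lines) keeps package authentication off by default using the broadest override apt-get offers: apt-get documents `--force-yes` as continuing without prompting even for potentially harmful actions, while the purpose stated in the comment above, "not support unsigned APT repositories", only needs `--allow-unauthenticated`. Consider `export APTGETOPT=('--allow-unauthenticated')` as the shipped default, and make the comment say what is being disabled rather than just "option to pass to apt-get always", e.g. `# Flags added to every apt-get call; the default disables package signature verification.` Note also that bash does not export arrays into the environment, so this `export` only helps code sourced into pbuilder's shell (raised at the hook hunks above).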
@@ -316,6 +316,17 @@ used until 0.172.
 The default is now "aptitude".
 .TP
+.BI "PBUILDERSATISFYDEPENDSOPT=" "('--check-key')"
+Array of flags to give to pbuilder-satisfydepends.
+Specifying --check-key here will try to verify key signatures.
+
+.TP
+.BI "APTGETOPT=" "('--force-yes')"
+Extra flags to give to apt-get.
+Default is --force-yes, which will skip key verification of packages
+to be installed. Unset if you want to enable key verification.
+
+.TP
 .BI "REMOVEPACKAGES=" "lilo"
 Specify the packages to be removed on creation of
 .B base.tgz
diff --git a/pdebuild-internal b/pdebuild-internal
index 4d07a48..0c4fb99 100644
--- a/pdebuild-internal
+++ b/pdebuild-internal
@@ -30,7 +30,7 @@ set -e
 # I am probably running as root; make sure I have pbuilder installed here.
 # passwd is needed as well because of useradd and groupadd calls.
-apt-get install -q -y --force-yes pbuilder passwd
+apt-get install -q -y "${APTGETOPT[@]}" pbuilder passwd
 # I'm not going to have the same LOGNAME as outside, I'm root.
 export LOGNAME=root
@@ -101,7 +101,7 @@ fi
 executehooks "D"
 export PBCURRENTCOMMANDLINEOPERATION="pdebuild"
 "$PBUILDERSATISFYDEPENDSCMD"
-apt-get install -q -y --force-yes fakeroot
+apt-get install -q -y "${APTGETOPT[@]}" fakeroot
 # set home directory to .. |