diff options
| -rw-r--r-- | debian/NEWS | 19 | ||||
| -rwxr-xr-x | debian/pbuilder-test/00_prepinstall | 2 | ||||
| -rwxr-xr-x | pbuilder-checkparams | 18 | ||||
| -rwxr-xr-x | pbuilder-createbuildenv | 5 | ||||
| -rwxr-xr-x | pbuilder-satisfydepends-aptitude | 2 | ||||
| -rwxr-xr-x | pbuilder-satisfydepends-checkparams | 19 | ||||
| -rwxr-xr-x | pbuilder-updatebuildenv | 6 | ||||
| -rw-r--r-- | pbuilder.8 | 20 | ||||
| -rw-r--r-- | pbuilderrc | 23 | ||||
| -rw-r--r-- | pbuilderrc.5 | 36 |
10 files changed, 124 insertions, 26 deletions
diff --git a/debian/NEWS b/debian/NEWS index 6d144b9..80d36e9 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,22 @@ +pbuilder (0.207) unstable; urgency=low + + The default configuration will now only install trusted packages. This + prevents building packages with manipulated sources or a system compromise + due to a man-in-the-middle attack. + + However this also prevents installing packages from unsigned repositories by + default. + + If you really want to continue using unsigned repositories, you have to set + ALLOWUNTRUSTED=yes in your .pbuilderrc or use the --allow-untrusted option. + But if possible use a signed repository and set the used keys with the new + --keyring option (can be passed multiple times). + + Due to this change the PBUILDERSATISFYDEPENDSOPT option --check-key is no + longer necessary and thus deprecated. + + -- Simon Ruderich <simon@ruderich.org> Tue, 06 Mar 2012 02:02:38 +0100 + pbuilder (0.197) unstable; urgency=low The default configuration will now enable ccache. To disable installation diff --git a/debian/pbuilder-test/00_prepinstall b/debian/pbuilder-test/00_prepinstall index 0c1d44c..1769cdd 100755 --- a/debian/pbuilder-test/00_prepinstall +++ b/debian/pbuilder-test/00_prepinstall @@ -1,4 +1,4 @@ #!/bin/bash # Prepare and install packages used in the tests. -apt-get install -y --force-yes sudo +apt-get install -y sudo diff --git a/pbuilder-checkparams b/pbuilder-checkparams index c031f18..3cdc48e 100755 --- a/pbuilder-checkparams +++ b/pbuilder-checkparams @@ -207,6 +207,14 @@ while [ -n "$1" ]; do DEBOOTSTRAP="$2"; shift; shift; ;; + --allow-untrusted) + ALLOWUNTRUSTED=yes; + shift; + ;; + --keyring) + APTKEYRINGS[${#APTKEYRINGS[@]}]="$2"; + shift; shift; + ;; --save-after-login|--save-after-exec) SAVE_AFTER_LOGIN=yes; shift; @@ -312,3 +320,13 @@ fi # sort BINDMOUNTS to ensure that deeper directories are mounted last BINDMOUNTS="$(for i in $BINDMOUNTS; do echo $i; done | sort -u)" + +if [ "$ALLOWUNTRUSTED" = "yes" ]; then + PBUILDERSATISFYDEPENDSOPT[${#PBUILDERSATISFYDEPENDSOPT[@]}]='--allow-untrusted' + # Also duplicated in pbuilder-satisfydepends-checkparams! + # apt flag to accept untrusted packages + APTGETOPT[${#APTGETOPT[@]}]='--force-yes' + # aptitude flag to accept untrusted packages + APTITUDEOPT[${#APTITUDEOPT[@]}]='-o' + APTITUDEOPT[${#APTITUDEOPT[@]}]='Aptitude::CmdLine::Ignore-Trust-Violations=true' +fi diff --git a/pbuilder-createbuildenv b/pbuilder-createbuildenv index 6c69f98..b23c343 100755 --- a/pbuilder-createbuildenv +++ b/pbuilder-createbuildenv @@ -78,6 +78,11 @@ mkdir -p "$BUILDPLACE/tmp/buildd" copy_local_configuration installaptlines +# To support package verification inside the repository we may have to import +# additional keys. +for KEY in "${APTKEYRINGS[@]}"; do + $CHROOTEXEC /usr/bin/apt-key add - < "${KEY}" > /dev/null +done executehooks "G" diff --git a/pbuilder-satisfydepends-aptitude b/pbuilder-satisfydepends-aptitude index 6ea6cb0..35a8374 100755 --- a/pbuilder-satisfydepends-aptitude +++ b/pbuilder-satisfydepends-aptitude @@ -89,7 +89,7 @@ EOF $CHROOTEXEC sh -c "cat \"$BUILD_DEP_DEB_CONTROL\"" $CHROOTEXEC sh -c "dpkg-deb -b \"$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy\"" $CHROOTEXEC dpkg --force-depends --force-conflicts -i "$BUILD_DEP_DEB_DIR/pbuilder-satisfydepends-dummy.deb" || true - $CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false "${PBUILDER_APTITUDE_CHECK_OPTS[@]}" -o Aptitude::ProblemResolver::StepScore=100 -o "Aptitude::ProblemResolver::Hints::KeepDummy=reject pbuilder-satisfydepends-dummy :UNINST" -o Aptitude::ProblemResolver::Keep-All-Level=55000 -o Aptitude::ProblemResolver::Remove-Essential-Level=maximum install pbuilder-satisfydepends-dummy + $CHROOTEXEC aptitude -y --without-recommends -o APT::Install-Recommends=false "${APTITUDEOPT[@]}" -o Aptitude::ProblemResolver::StepScore=100 -o "Aptitude::ProblemResolver::Hints::KeepDummy=reject pbuilder-satisfydepends-dummy :UNINST" -o Aptitude::ProblemResolver::Keep-All-Level=55000 -o Aptitude::ProblemResolver::Remove-Essential-Level=maximum install pbuilder-satisfydepends-dummy # check whether the aptitude's resolver kept the package if ! $CHROOTEXEC dpkg -l pbuilder-satisfydepends-dummy 2>/dev/null | grep -q ^ii; then echo "Aptitude couldn't satisfy the build dependencies" diff --git a/pbuilder-satisfydepends-checkparams b/pbuilder-satisfydepends-checkparams index 249b67e..b81c765 100755 --- a/pbuilder-satisfydepends-checkparams +++ b/pbuilder-satisfydepends-checkparams @@ -27,13 +27,6 @@ FORCEVERSION="" CONTINUE_FAIL="no" CHROOTEXEC_AFTER_INTERNAL_CHROOTEXEC=no -# aptitude flag to ignore key verification -PBUILDER_APTITUDE_CHECK_OPTS=( - '-o' - 'Aptitude::CmdLine::Ignore-Trust-Violations=true' ) -# apt flag to ignore key verification -PBUILDER_APT_GET_CHECK_OPTS="--force-yes" - while [ -n "$1" ]; do case "$1" in --control|-c) @@ -80,8 +73,16 @@ while [ -n "$1" ]; do shift; ;; --check-key) - unset PBUILDER_APTITUDE_CHECK_OPTS - unset PBUILDER_APT_GET_CHECK_OPTS + log 'W: --check-key is now enabled by default and thus deprecated.' + shift; + ;; + --allow-untrusted) + # Also duplicated in pbuilder-checkparams! + # apt flag to accept untrusted packages + APTGETOPT[${#APTGETOPT[@]}]='--force-yes' + # aptitude flag to accept untrusted packages + APTITUDEOPT[${#APTITUDEOPT[@]}]='-o' + APTITUDEOPT[${#APTITUDEOPT[@]}]='Aptitude::CmdLine::Ignore-Trust-Violations=true' shift; ;; --help|-h|*) diff --git a/pbuilder-updatebuildenv b/pbuilder-updatebuildenv index cdcc22c..737f53d 100755 --- a/pbuilder-updatebuildenv +++ b/pbuilder-updatebuildenv @@ -72,6 +72,12 @@ $CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" autoremove || true $CHROOTEXEC /usr/bin/apt-get -q -y "${APTGETOPT[@]}" install build-essential dpkg-dev $EXTRAPACKAGES save_aptcache +# To support package verification inside the repository we may have to import +# additional keys. +for KEY in "${APTKEYRINGS[@]}"; do + $CHROOTEXEC /usr/bin/apt-key add - < "${KEY}" > /dev/null +done + # optionally auto-clean apt-cache if [ "${AUTOCLEANAPTCACHE}" = "yes" -a -n "$APTCACHE" ]; then log "I: Cleaning the cached apt archive" @@ -361,7 +361,7 @@ specified in a space-delimited manner, surrounded in double quotations, like: .B """/srv /somedir /someotherdir""" .TP -.BI "\-\-debootstrapopts " "\-\-variant=buildd" +.BI "\-\-debootstrapopts " "\-\-variant=buildd" " " "\-\-keyring" " " "/usr/share/keyrings/debian\-archive\-keyring.gpg" Add extra command-line options to debootstrap. Specify multiple options through multiple instance of this @@ -380,6 +380,24 @@ and default is to use .B debootstrap. .TP +.BI "\-\-allow\-untrusted " +Allow untrusted (no key installed) and unsigned repositories. +.BI Warning: +Enabling this option may allow remote attackers to compromise the system. +Better use signed repositories and +.B "\-\-keyring" +to add the key(s). + +.TP +.BI "\-\-keyring " "path/to/keyring" +Additional keyrings to use for package verification with apt, not used for +debootstrap (use +.B "\-\-debootstrapopts" +). Use this to add (local) signed repositories. By default the +debian-archive-keyring package inside the chroot is used. Can be specified +multiple times. + +.TP .BI "\-\-save\-after\-login " .TP .BI "\-\-save\-after\-exec " @@ -53,11 +53,19 @@ PBUILDERROOTCMD="sudo -E" # not support unsigned APT repositories PBUILDERSATISFYDEPENDSCMD="/usr/lib/pbuilder/pbuilder-satisfydepends" -# You can optionally make pbuilder check key by setting the following flags -# PBUILDERSATISFYDEPENDSOPT=('--check-key') -# unset PBUILDERSATISFYDEPENDSOPT -# option to pass to apt-get always. -export APTGETOPT=('--force-yes') +# Arguments for $PBUILDERSATISFYDEPENDSCMD. +# PBUILDERSATISFYDEPENDSOPT=() + +# You can optionally make pbuilder accept untrusted repositories by setting +# this option to yes, but this may allow remote attackers to compromise the +# system. Better set a valid key for the signed (local) repository with +# $APTKEYRINGS (see below). +ALLOWUNTRUSTED=no + +# Option to pass to apt-get always. +export APTGETOPT=() +# Option to pass to aptitude always. +export APTITUDEOPT=() #Command-line option passed on to dpkg-buildpackage. #DEBBUILDOPTS="-IXXX -iXXX" @@ -82,6 +90,11 @@ DEBOOTSTRAPOPTS=( # or unset it to make it not a buildd type. # unset DEBOOTSTRAPOPTS +# Keyrings to use for package verification with apt, not used for debootstrap +# (use DEBOOTSTRAPOPTS). By default the debian-archive-keyring package inside +# the chroot is used. +APTKEYRINGS=() + # Set the PATH I am going to use inside pbuilder: default is "/usr/sbin:/usr/bin:/sbin:/bin" export PATH="/usr/sbin:/usr/bin:/sbin:/bin" diff --git a/pbuilderrc.5 b/pbuilderrc.5 index 14fde73..40fc8bb 100644 --- a/pbuilderrc.5 +++ b/pbuilderrc.5 @@ -178,17 +178,25 @@ may also be used to reset the list of options. The default value is to build source and binary package. .TP -.BI "DEBOOTSTRAPOPTS=" "( '\-\-variant=buildd' )" +.BI "DEBOOTSTRAPOPTS=" "( '\-\-variant=buildd' '\-\-keyring' '/usr/share/keyrings/debian\-archive\-keyring.gpg' )" When this option is set to .B "\-\-variant=buildd" .B "pbuilder" will invoke .B "$DEBOOTSTRAP" -with "\-\-variant=buildd" +with +.B "\-\-variant=buildd" option, which results in debootstrap creating a minimal chroot for buildd instead of trying to create a minimal installation chroot. -.B "DEBOOTSTRAP" -is another directive in this file. +.B "\-\-keyring" +is used to specify a keyring for debootstrap. +.TP +.BI "APTKEYRINGS=" "()" +Additional keyrings to use for package verification with apt, not used for +debootstrap (use +.B "$DEBOOTSTRAPOPTS" +). Use this to add (local) signed repositories. By default the +debian-archive-keyring package inside the chroot is used. .TP .BI "DEBOOTSTRAP=" "debootstrap" Use this option to switch the implementation of @@ -329,15 +337,25 @@ used until 0.172. The default is now "aptitude". .TP -.BI "PBUILDERSATISFYDEPENDSOPT=" "('\-\-check\-key')" +.BI "PBUILDERSATISFYDEPENDSOPT=" "()" Array of flags to give to pbuilder\-satisfydepends. -Specifying \-\-check\-key here will try to verify key signatures. .TP -.BI "APTGETOPT=" "('\-\-force\-yes')" +.BI "ALLOWUNTRUSTED=" "no" +Allow untrusted (no key installed) and unsigned repositories. +.BI Warning: +Enabling this option may allow remote attackers to compromise the system. +Better use signed repositories and +.B "$APTKEYRINGS" +to add the key(s). + +.TP +.BI "APTGETOPT=" "()" Extra flags to give to apt\-get. -Default is \-\-force\-yes, which will skip key verification of packages -to be installed. Unset if you want to enable key verification. + +.TP +.BI "APTITUDEGETOPT=" "()" +Extra flags to give to aptitude. .TP .BI "REMOVEPACKAGES=" "lilo" |