Hoy KiBi,

On Friday, 22 April 2016, 19:57:55, Cyril Brulebois wrote:
> Adam D. Barratt <a...@adam-barratt.org.uk> (2016-03-30):
> > Whilst a failure to verify the Release signature does mean that we
> > don't attempt to build an image using untrusted inputs, the package
> > build continues with no sign of a problem having occurred until the
> > binary packages are examined.
> 
> Thanks for the catch!
> 
> Didier, I see you have committed a fix in git master, so I'm tagging
> this bug report accordingly. Did you test it (e.g. by faking a Release
> file corruption)?

Yes, right. I hacked on that bug, but forgot to update the buglog; sorry
for that.

> This seems like something we should cherry-pick in
> stable branches, but I don't want to do so without a confirmation
> first.

The following patch makes the build fail indeed:

diff --git a/get-images.sh b/get-images.sh
index caea03d..31f25bf 100755
--- a/get-images.sh
+++ b/get-images.sh
@@ -159,6 +159,9 @@ unpack_installer () {
 wget -c $MIRROR/dists/$DISTRIBUTION/Release.gpg -O $RELEASE_FILE.gpg
 wget -c $MIRROR/dists/$DISTRIBUTION/Release     -O $RELEASE_FILE
 
+# Corrupt the release file
+echo "Break the signature" >> $RELEASE_FILE
+
 gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg 
$RELEASE_FILE.gpg $RELEASE_FILE
 
 get_di_built_using $1
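Review bot: this hunk is a deliberate test corruption of the downloaded Release file, not the fix itself, so it must not be cherry-picked into the stable branches; the change that makes a `gpgv` failure abort the build was committed separately to git master, and that is the commit stable needs. Two things to watch when reproducing the test: the appended "Break the signature" line survives across runs, because `wget -c` will not re-fetch a local file that is already at least as large as the remote copy, so delete `$RELEASE_FILE` before each re-run; and the `gpgv` command is line-wrapped in the mail, so make sure it is a single line (or `\`-continued) before applying, otherwise `$RELEASE_FILE.gpg $RELEASE_FILE` runs as a separate command and the check is not exercised at all.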


-- 
Cheers,
    OdyX
