Package: debmirror
Version: 20070123
Severity: wishlist
Tags: patch

Would be useful if debmirror used debian-archive-keyring.gpg directly, like
dpkg-source does.  People don't usually import it by hand, which makes the
gpg check useless.

See attached patch.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=ca_AD.UTF-8, LC_CTYPE=ca_AD.UTF-8 (charmap=UTF-8)

Versions of packages debmirror depends on:
ii  bzip2                   1.0.3-6          high-quality block-sorting file co
ii  debian-archive-keyring  2007.07.31~etch1 GnuPG archive keys of the Debian a
ii  libcompress-zlib-perl   1.42-2           Perl module for creation and manip
ii  libdigest-sha1-perl     2.11-1           NIST SHA-1 message digest algorith
ii  liblockfile-simple-perl 0.2.5-7          Simple advisory file locking
ii  libwww-perl             5.805-1          WWW client/server library for Perl
ii  perl [libdigest-md5-per 5.8.8-7etch6     Larry Wall's Practical Extraction 
ii  perl-modules [libnet-pe 5.8.8-7etch6     Core Perl modules
ii  rsync                   2.6.9-2etch2     fast remote file copy program (lik

Versions of packages debmirror recommends:
ii  ed                            0.2-20     The classic unix line editor
ii  gnupg                         1.4.6-2    GNU privacy guard - a free PGP rep
ii  patch                         2.5.9-4    Apply a diff file to an original

-- no debconf information
diff -ur debmirror-20070123/debian/control debmirror-20070123.new/debian/control
--- debmirror-20070123/debian/control   2007-01-23 16:31:12.000000000 +0100
+++ debmirror-20070123.new/debian/control       2008-12-28 16:23:01.000000000 
+0100
@@ -6,7 +6,7 @@
 
 Package: debmirror
 Architecture: all
-Depends: libnet-perl, libdigest-md5-perl, libdigest-sha1-perl, 
liblockfile-simple-perl, rsync, libcompress-zlib-perl, bzip2, libwww-perl
+Depends: libnet-perl, libdigest-md5-perl, libdigest-sha1-perl, 
liblockfile-simple-perl, rsync, libcompress-zlib-perl, bzip2, libwww-perl, 
debian-archive-keyring
 Recommends: gnupg, patch, ed
 Description: Debian partial mirror script, with ftp and package pool support
  This program downloads and maintains a partial local Debian mirror.
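Review bot: on the Depends line, debian-archive-keyring becomes a hard dependency while gnupg stays in Recommends, so the keyring is mandatory but the tooling listed beside the check is optional. The documentation removed elsewhere in this patch speaks of the Debian keyring "in case of the debian archive", which suggests debmirror is also pointed at other archives, where this keyring does not help. Consider adding it to Recommends next to gnupg instead, or explain in the changelog why a hard dependency is wanted.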
diff -ur debmirror-20070123/debmirror debmirror-20070123.new/debmirror
--- debmirror-20070123/debmirror        2007-01-24 11:42:14.000000000 +0100
+++ debmirror-20070123.new/debmirror    2008-12-28 16:23:56.000000000 +0100
@@ -334,28 +334,6 @@
 
 Make a mirror using rsync. rsync server is ftp.debian.org::debian.
 
-=head1 FILES
-
-  ~/.gnupg/trustedkeys.gpg
-
-    Debmirror uses gpgv to verify Release and Release.gpg using the
-    default keying ~/.gnupg/trustedkeys.gpg. This can be changed by
-    exporting GNUPGHOME resulting in $GNUPGHOME/trustedkeys.gpg being
-    used.
-
-    To add the right key to this keyring you can import it from the
-    debian keyring (in case of the debian archive) using:
-
-      gpg --keyring /usr/share/keyrings/debian-archive-keyring.gpg --export \
-          | gpg --import
-
-    or download the key from a keyserver:
-
-      gpg --keyserver keyring.debian.org --recv-keys <key ID>
-
-    The <key ID> can be found in the gpgv error message in debmirror:
-    gpgv: Signature made Tue Jan 23 09:07:53 2007 CET using DSA key ID 2D230C5F
-
 =cut
 
 use strict;
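Review bot: this hunk deletes the whole FILES section instead of updating it, so the manual page no longer says which keyring the Release check uses. Please keep the section and rewrite it to name /usr/share/keyrings/debian-archive-keyring.gpg, and state whether ~/.gnupg/trustedkeys.gpg and the GNUPGHOME override still have any effect. Users who mirror an archive signed with a key outside the Debian keyring also lose the only instructions for adding it.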
@@ -626,16 +604,16 @@
     # Verify Release signature
     if (-f "$tempdir/dists/$dist/Release.gpg" || -f 
"$tempdir/dists/$dist/Release") {
       my $gpgv_res="failed";
-      open GPGV, "gpgv 2>/dev/null --status-fd 1 
$tempdir/dists/$dist/Release.gpg $tempdir/dists/$dist/Release|";
+      open GPGV, "gpgv 2>/dev/null --keyring 
/usr/share/keyrings/debian-archive-keyring.gpg --status-fd 1 
$tempdir/dists/$dist/Release.gpg $tempdir/dists/$dist/Release|";
       while (<GPGV>) {
        $gpgv_res="valid" if /^\[GNUPG:\] VALIDSIG/;
       }
       close GPGV;
       if ($gpgv_res eq "failed" || $debug) {
-       system("gpgv --status-fd 1 $tempdir/dists/$dist/Release.gpg 
$tempdir/dists/$dist/Release");
+       system("gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg 
--status-fd 1 $tempdir/dists/$dist/Release.gpg $tempdir/dists/$dist/Release");
       }
       if ($verbose && !$debug) {
-       system("gpgv --status-fd 1 $tempdir/dists/$dist/Release.gpg 
$tempdir/dists/$dist/Release >/dev/null");
+       system("gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg  
--status-fd 1 $tempdir/dists/$dist/Release.gpg $tempdir/dists/$dist/Release 
>/dev/null");
       }
       if ($gpgv_res eq "failed") {
        say("Release signature does not verify.");
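Review bot: the keyring path /usr/share/keyrings/debian-archive-keyring.gpg is hard-coded in all three gpgv invocations with no way to override or extend it. Put the path in one variable near the top of the script, expose it as a command-line option, and consider passing the user's existing keyring as an additional --keyring so setups that rely on ~/.gnupg/trustedkeys.gpg for other archives keep verifying. The third invocation also carries a stray double space after the keyring path, and since these lines are being touched anyway, the list form of system() would avoid building a shell string from $tempdir and $dist.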
