tags 596498 + patch thanks > It would be nice if a repository could be marked as trusted in the > sources.list. This would make it easier to use local repositories with, > for example, pbuilder without having to generate a PGP key, signing the > repository and finally importing the key into apt, see also [1].
Attached is a patch to add a [trusted=1] option to sources.list. When present, the source is regarded as trusted even without a Release.gpg. Documentation of this feature is still missing. I did the following testing using apt 0.8.3 with the patch applied: Installing from an unsigned (or signed with unknown key) repository causes warning when [trusted=0] or no option is given in sources.list; installing from an unsigned (or signed with unknown key) repository does not warn when [trusted=1] is given in sources.list. Note that "apt-get update" still warns about unknown signatures even when [trusted=1] is given for the source. I do not think this is harmful as the option is mainly intended for unsigned (local) repositories anyway. Regards, Ansgar
>From 8be695d713ad952381069950e4e6ca22498e37ab Mon Sep 17 00:00:00 2001 From: Ansgar Burchardt <ans...@43-1.org> Date: Sun, 12 Sep 2010 20:23:38 +0900 Subject: [PATCH] Add trusted option to sources.list Signed-off-by: Ansgar Burchardt <ans...@43-1.org> --- apt-pkg/deb/debmetaindex.cc | 12 ++++++++++-- apt-pkg/deb/debmetaindex.h | 3 ++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/apt-pkg/deb/debmetaindex.cc b/apt-pkg/deb/debmetaindex.cc index 717d0bc..754ea08 100644 --- a/apt-pkg/deb/debmetaindex.cc +++ b/apt-pkg/deb/debmetaindex.cc @@ -119,11 +119,12 @@ string debReleaseIndex::SourceIndexURI(const char *Type, const string &Section) return URI + "dists/" + Dist + "/" + SourceIndexURISuffix(Type, Section); } -debReleaseIndex::debReleaseIndex(string const &URI, string const &Dist) { +debReleaseIndex::debReleaseIndex(string const &URI, string const &Dist, bool Trusted) { this->URI = URI; this->Dist = Dist; this->Indexes = NULL; this->Type = "deb"; + this->Trusted = Trusted; } debReleaseIndex::~debReleaseIndex() { @@ -224,6 +225,9 @@ bool debReleaseIndex::GetIndexes(pkgAcquire *Owner, bool const &GetAll) const bool debReleaseIndex::IsTrusted() const { + if (Trusted) + return Trusted; + string VerifiedSigFile = _config->FindDir("Dir::State::lists") + URItoFileName(MetaIndexURI("Release")) + ".gpg"; @@ -341,9 +345,13 @@ class debSLTypeDebian : public pkgSourceList::Type return true; } } + + map<string, string>::const_iterator const trusted = Options.find("trusted"); + bool Trusted = (trusted != Options.end()) ? StringToBool(trusted->second, 0) : false; + // No currently created Release file indexes this entry, so we create a new one. // XXX determine whether this release is trusted or not - debReleaseIndex *Deb = new debReleaseIndex(URI, Dist); + debReleaseIndex *Deb = new debReleaseIndex(URI, Dist, Trusted); if (IsSrc == true) Deb->PushSectionEntry ("source", new debReleaseIndex::debSectionEntry(Section, IsSrc)); else diff --git a/apt-pkg/deb/debmetaindex.h b/apt-pkg/deb/debmetaindex.h index 360fa54..f47e74b 100644 --- a/apt-pkg/deb/debmetaindex.h +++ b/apt-pkg/deb/debmetaindex.h @@ -20,10 +20,11 @@ class debReleaseIndex : public metaIndex { private: std::map<string, vector<debSectionEntry const*> > ArchEntries; + bool Trusted; public: - debReleaseIndex(string const &URI, string const &Dist); + debReleaseIndex(string const &URI, string const &Dist, bool Trusted = false); ~debReleaseIndex(); virtual string ArchiveURI(string const &File) const {return URI + File;}; -- 1.7.1