Hi *,

I think the idea of using a symlink in debian-archive-keyring/experimental isn't that great, and here is why:

APT has the lovely bug #558784, which complains about re-adding the keys from the debian-archive-keyring all the time. The situation is that a user removes keys which are still active for Debian, but not needed anymore for him, like for example lenny keys currently. Currently this means he gets the keys back on apt or debian-archive-keyring updates (= apt-key update); with this experimental version he will only get them back on debian-archive-keyring updates (then apt has dropped the apt-key update), but in his first step he will modify a file in /usr/share/ to remove the key(s)…

After all, the whole idea of trusted.gpg.d was to get closer to the point of fixing this. So attached is a diff against the experimental version to split up the keyring into fragment files and drop these into trusted.gpg.d, handled as config files so that it is safe to remove them and make it stick.

It also adds a fitting break for apt pre-squeeze versions to ensure apt will be able to use them, depends only on gpgv and only recommends gnupg, as gpgv is enough to check Release files and gnupg is only needed if you want to manage the keys - or to run the postinst cleanup of the trusted.gpg file. Upgrades should have gnupg installed this way, new installs don't need it, but feel free to raise it to Depends if that is a problem.

Furthermore I changed the code in postinst to clean up the trusted.gpg file. I agree that apt-key is crappy and that's why we want to push slowly for trusted.gpg.d so apt-key isn't required anymore for this important operation, but partly reimplementing it doesn't seem to be that much less crappy…

Beware, I haven't tested the code so far and it includes two FIXMEs, so it's more of a proof of concept to get the ball rolling…

Best regards

David Kalnischkies, who wanted to send that months ago…

P.S.: I am not subscribed to release-lists, so feel free to cc me. Thanks.
diff -ru debian-archive-keyring-2011.10.23/debian/changelog debian-archive-keyring-2011.10.23+nmu1/debian/changelog --- debian-archive-keyring-2011.10.23/debian/changelog 2011-10-23 07:12:10.000000000 -0500 +++ debian-archive-keyring-2011.10.23+nmu1/debian/changelog 2011-10-31 09:23:12.472901631 -0500 @@ -1,3 +1,14 @@ +debian-archive-keyring (2011.10.23+nmu1) experimental; urgency=low + + * Non-maintainer upload. + * ship each active key in a separate keyring in /etc/apt/trusted.gpg.d/ + as conffiles for simpler usage of apt-secure(8) + * remove all active keys from /etc/apt/trusted.gpg as they are shipped + now as fragments file + * depend on gpgv and only recommend gnupg (Closes: #387688) + + -- David Kalnischkies <kalnischk...@gmail.com> Mon, 31 Oct 2011 09:21:39 -0500 + debian-archive-keyring (2011.10.23) experimental; urgency=low * Team upload. diff -ru debian-archive-keyring-2011.10.23/debian/control debian-archive-keyring-2011.10.23+nmu1/debian/control --- debian-archive-keyring-2011.10.23/debian/control 2011-10-21 05:45:38.000000000 -0500 +++ debian-archive-keyring-2011.10.23+nmu1/debian/control 2011-10-31 09:34:30.632047155 -0500 @@ -7,7 +7,9 @@ Package: debian-archive-keyring Priority: important Architecture: all -Depends: gnupg, ${misc:Depends} +Depends: gpgv, ${misc:Depends} +Recommends: gnupg +Breaks: apt (<< 0.7.25.1) Description: GnuPG archive keys of the Debian archive The Debian project digitally signs its Release files. This package contains the archive keys used for that. diff -ru debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.install debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.install --- debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.install 2011-10-21 05:37:22.000000000 -0500 +++ debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.install 2011-10-31 09:16:27.691918480 -0500 
@@ -1 +1,2 @@ usr/share/keyrings/* +etc/apt/trusted.gpg.d/* diff -ru debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.postinst debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.postinst --- debian-archive-keyring-2011.10.23/debian/debian-archive-keyring.postinst 2011-10-23 07:14:08.000000000 -0500 +++ debian-archive-keyring-2011.10.23+nmu1/debian/debian-archive-keyring.postinst 2011-10-31 09:24:52.894897337 -0500 
@@ -2,32 +2,18 @@ set -e -export GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg" - -case "$1" in - configure) - if dpkg --compare-versions "$2" lt "2011.10.21" - then - if [ -n "$2" -a -e /etc/apt/trusted.gpg ] - then - if which gpg >/dev/null 2>&1 - then - # Remove old keys from /etc/apt/trusted.gpg - for keyid in $($GPG_CMD /etc/apt/trusted.gpg | sed -n -r -e 's,pub .*/([0-9A-F]+).*,\1,p' | grep -x -E 'F42584E6|55BE302B|6D849617|B98321F9|473041FA') - do - echo "Removing trusted apt key $keyid from /etc/apt/trusted.gpg ..." - $GPG_CMD --primary-keyring /etc/apt/trusted.gpg \ - --quiet --batch --delete-key --yes "$keyid" - done - fi - fi - # Install the symlink upon first installation - ln -sf /usr/share/keyrings/debian-archive-keyring.gpg \ - /etc/apt/trusted.gpg.d/debian-archive-keyring.gpg - echo "Installed debian-archive-keyring as a trusted apt keyring." - fi - ;; -esac +if [ "$1" = 'configure' ]; then + # remove keys from the trusted.gpg file as they are now shipped in fragment files in trusted.gpg.d + if dpkg --compare-versions '2010.08.28' '>=' "$2" && which gpg > /dev/null; then + TRUSTEDFILE='/etc/apt/trusted.gpg' + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + if [ -e "$TRUSTEDFILE" ]; then + for KEY in F42584E6 55BE302B 6D849617 B98321F9 473041FA; do + apt-key --keyring "$TRUSTEDFILE" del $KEY 2> /dev/null || : + done + fi + fi +fi #DEBHELPER# - Nur in debian-archive-keyring-2011.10.23/debian: debian-archive-keyring.postrm. diff -ru debian-archive-keyring-2011.10.23/Makefile debian-archive-keyring-2011.10.23+nmu1/Makefile --- debian-archive-keyring-2011.10.23/Makefile 2011-10-21 05:34:45.000000000 -0500 +++ debian-archive-keyring-2011.10.23+nmu1/Makefile 2011-10-31 10:01:09.112920074 -0500 
@@ -1,4 +1,8 @@ -build: verify-indices keyrings/debian-archive-keyring.gpg keyrings/debian-archive-removed-keys.gpg verify-results +TRUSTED-LIST := $(patsubst active-keys/add-%,trusted.gpg/debian-archive-%.gpg,$(wildcard active-keys/add-*)) +# FIXME: find a better place for storing intermediate files? +TMPRING := trusted.gpg/build-area + +build: verify-indices keyrings/debian-archive-keyring.gpg keyrings/debian-archive-removed-keys.gpg verify-results $(TRUSTED-LIST) verify-indices: keyrings/team-members.gpg gpg --no-default-keyring --keyring keyrings/team-members.gpg \ @@ -13,6 +17,8 @@ gpg --no-default-keyring --keyring keyrings/team-members.gpg --verify \ keyrings/debian-archive-removed-keys.gpg.asc \ keyrings/debian-archive-removed-keys.gpg + #FIXME: Do we need to verify the created keyrings in trusted.gpg.d, too? + # Maybe "just" checking that no key is added if we merge, but how… keyrings/debian-archive-keyring.gpg: active-keys/index jetring-build -I $@ active-keys @@ -23,6 +29,13 @@ keyrings/team-members.gpg: team-members/index jetring-build -I $@ team-members +$(TRUSTED-LIST) :: trusted.gpg/debian-archive-%.gpg : active-keys/add-% active-keys/index + mkdir -p $(TMPRING) trusted.gpg + grep -F $(shell basename $<) -- active-keys/index > $(TMPRING)/index + cp $< $(TMPRING) + jetring-build -I $@ $(TMPRING) + rm -rf $(TMPRING) + clean: rm -f keyrings/debian-archive-keyring.gpg \ keyrings/debian-archive-keyring.gpg.lastchangeset 
@@ -30,11 +43,13 @@ keyrings/debian-archive-removed-keys.gpg.lastchangeset rm -f keyrings/team-members.gpg \ keyrings/team-members.gpg.lastchangeset + rm -rf $(TMPRING) trusted.gpg install: build install -d $(DESTDIR)/usr/share/keyrings/ cp keyrings/debian-archive-keyring.gpg $(DESTDIR)/usr/share/keyrings/ cp keyrings/debian-archive-removed-keys.gpg $(DESTDIR)/usr/share/keyrings/ + install -d $(DESTDIR)/etc/apt/trusted.gpg.d/ + cp $(shell find trusted.gpg/ -name '*.gpg' -type f) $(DESTDIR)/etc/apt/trusted.gpg.d/ -.PHONY: verify-indices clean - +.PHONY: verify-indices verify-results clean build install diff -ru debian-archive-keyring-2011.10.23/README debian-archive-keyring-2011.10.23+nmu1/README --- debian-archive-keyring-2011.10.23/README 2010-08-28 17:32:18.000000000 -0500 +++ debian-archive-keyring-2011.10.23+nmu1/README 2011-10-31 09:25:14.185896978 -0500 
@@ -10,14 +10,14 @@ packages. A quick overview about this package: -* This keyrings are used by "apt" versions 0.6 and later. They - will be used with the apt-key command. -* Normally (i.e. if the apt-key binary is found), the keys contained in - the debian-archive-keyring package will be automatically installed into - apt's trusted keyring by the package's postinst script and keys that are - in the debian-archive-keyring-removed will be automatically removed. -* If the automatic installation of the keys fails, then the user can run - "apt-key update" manually. +* a keyring including all actively used keys to sign Release files in + different supported releases is shipped in /usr/share/keyrings +* in the same location can a keyring be found including keys used by + previous releases which are no longer used to sign Release files +* each actively used key is also placed in /etc/apt/trusted.gpg.d/ to + be used by "apt" and its apt-key command in versions 0.6 and later + to check the signature of acquired Release files -More information about the archive authentication feature can be found -here: http://wiki.debian.org/SecureApt + +More information about the archive authentication feature can be found +in manpage apt-secure(8) and online here: http://wiki.debian.org/SecureApt
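Review bot: in the debian/control hunk, Depends moves from gnupg to gpgv, but the new postinst shells out to apt-key (shipped by apt, which is not declared) as well as to gpg, and only `which gpg` is checked; because every `apt-key ... del` call ends in `2> /dev/null || :`, a missing apt-key, a missing gpg on a system without the Recommends, or a real gpg error all make the trusted.gpg cleanup silently do nothing. Either guard with `which apt-key` too and print the per-key "Removing trusted apt key ..." message the old postinst had, or keep calling gpg directly as before so the cleanup depends on exactly what Depends declares.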
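Review bot: the upgrade guard in the postinst hunk, `dpkg --compare-versions '2010.08.28' '>=' "$2"`, drops the `[ -n "$2" ]` check of the old code, so on a fresh install `$2` is empty and dpkg compares the threshold against an empty version; the threshold also moves from 2011.10.21 to 2010.08.28 without the changelog saying why. Since the old README says every earlier version (and `apt-key update`) put these keys into apt's trusted keyring, consider running the removal on every upgrade (`[ -n "$2" ] && which gpg >/dev/null`) instead of pinning a version. Separately, the 2011.10.23 postinst created /etc/apt/trusted.gpg.d/debian-archive-keyring.gpg with `ln -sf` and this patch deletes debian-archive-keyring.postrm, so nothing in the new package removes that symlink on upgrade; the full keyring would then stay trusted next to the per-key fragments and deleting a fragment would have no effect. Remove the symlink in the `configure` branch when `$2` is 2011.10.23.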
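Review bot: on the verify FIXME in the Makefile hunk at `@@ -13,6 +17,8 @@`: the fragments are produced by jetring-build from the same active-keys/add-* changesets that feed the verified keyrings/debian-archive-keyring.gpg, so one cheap check that answers the "no key is added if we merge" question is to merge the generated trusted.gpg/*.gpg into a temporary keyring, list fingerprints on both sides with `gpg --with-colons --fingerprint`, and fail the build if the two sorted fingerprint lists differ. That would let verify-results cover the new outputs rather than only the master keyring.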
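Review bot: in the `$(TRUSTED-LIST) :: trusted.gpg/debian-archive-%.gpg` rule, every target uses the single shared `$(TMPRING)` directory and ends with `rm -rf $(TMPRING)`, so a parallel `make -jN` lets one target wipe another's build area while its jetring-build is still running; a per-target directory such as `$@.build` fixes the race and also resolves the "better place for storing intermediate files" FIXME. Two smaller points: `$(shell basename $<)` can simply be `$(notdir $<)`, and the unanchored `grep -F` on active-keys/index should be anchored (`grep -x -F`, or a pattern covering the whole file name) so that a changeset named add-foo does not also pull add-foobar into the fragment's index.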
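Review bot: the install target copies `$(shell find trusted.gpg/ -name '*.gpg' -type f)` instead of the list the build already has; use `$(TRUSTED-LIST)` so the installed set is exactly what `build` produced and a stale fragment left in trusted.gpg/ from an earlier incremental build (for a key since dropped from active-keys) is not shipped as a conffile. `clean` removes the whole directory, but `install: build` does not run `clean`, so the find can pick up leftovers.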
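Review bot: the README hunk says the fragments in /etc/apt/trusted.gpg.d/ are used by "apt" in "versions 0.6 and later", but the control hunk in this same patch adds `Breaks: apt (<< 0.7.25.1)` precisely because apt before 0.7.25.1 does not read trusted.gpg.d; state 0.7.25.1 here (0.6 is the version that introduced apt-key and signed Release checking, which the removed text was describing). Minor wording: "in the same location can a keyring be found" reads better as "in the same location a keyring can be found".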