Bug#851774: [Bug 1754075] Re: apt-setup uses apt-key but probably should not anymore

2019-05-10 Thread Moritz Mühlenhoff
On Mon, Apr 09, 2018 at 01:14:37PM +0200, Lars Kollstedt wrote:
> On Monday, 9 April 2018 12:56:12 CEST Lars Kollstedt wrote:
> [...]
> > This patch should IMHO work, but I have no opportunity to test it without
> > your help, since we're in udeb and testing preseed issues. ;-)
> 
> Hi again,
> 
> Looked at it 20 times and still overlooked one detail.
> 
> This must of course be 'echo "$comment"'.

The patch looks good and works fine in my tests, so I created a
salsa merge request based on your patch at
https://salsa.debian.org/installer-team/apt-setup/merge_requests/1

d-i people; let me know if I can help with getting that fixed for buster
(like doing the unstable upload etc.), I can reliably reproduce this
with the buster test hosts we've installed at work and the apt.wikimedia.org
package repo.

Cheers,
Moritz



Bug#851774: [Bug 1754075] Re: apt-setup uses apt-key but probably should not anymore

2018-04-09 Thread Lars Kollstedt
On Monday, 9 April 2018 12:56:12 CEST Lars Kollstedt wrote:
[...]
> This patch should IMHO work, but I have no opportunity to test it without
> your help, since we're in udeb and testing preseed issues. ;-)

Hi again,

Looked at it 20 times and still overlooked one detail.

This must of course be 'echo "$comment"'.

Kind regards,
Lars

-- 
Lars Kollstedt

Telefon: +49 6151 16-71027
E-Mail:  l...@man-da.de

man-da.de GmbH
Dolivostraße 11
64293 Darmstadt

Sitz der man-da.de GmbH: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Geschäftsführer: Andreas Ebert
diff -rupNw apt-setup-0.104ubuntu5.orig/generators/60local apt-setup-0.104ubuntu5.fixed/generators/60local
--- apt-setup-0.104ubuntu5.orig/generators/60local	2016-06-08 19:08:12.0 +0200
+++ apt-setup-0.104ubuntu5.fixed/generators/60local	2018-04-09 13:11:08.347671088 +0200
@@ -35,8 +35,17 @@ while db_get "apt-setup/local$i/reposito
 		while :; do
 			if fetch-url "$key" "$ROOT/tmp/key$i.pub"; then
 # add it to the keyring
-$chroot $ROOT apt-key add "/tmp/key$i.pub"
-rm -f "$ROOT/tmp/key$i.pub"
+if [ -n "$comment" ]; then
+	name=$(echo "$comment" | sed -E 's/[^0-9A-Za-z]+/_/g')
+else
+	name="apt-setup_local$i"
+fi
+if grep -q -- '-BEGIN PGP PUBLIC KEY BLOCK-' $ROOT/tmp/key$i.pub 
+	then
+	mv "$ROOT/tmp/key$i.pub" "$ROOT/etc/apt/trusted.gpg.d/$name.asc"
+else
+	mv "$ROOT/tmp/key$i.pub" "$ROOT/etc/apt/trusted.gpg.d/$name.gpg"
+fi
 break
 			else
 db_subst apt-setup/local/key-error MIRROR "${repository%% *}"
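Review bot: the `mv` into `$ROOT/etc/apt/trusted.gpg.d/` is never checked, and the unconditional `break` that follows it leaves the `while :; do` retry loop as if the key had been installed even when the move failed (for instance because the directory does not exist yet in the chroot); put the `break` in the success branch, e.g. `if mv "$ROOT/tmp/key$i.pub" "$ROOT/etc/apt/trusted.gpg.d/$name.asc"; then break; fi`, or at least `mkdir -p` the directory and test the exit status. Two smaller points: `$ROOT/tmp/key$i.pub` on the `grep` line is the only unquoted use of that path in the hunk, and a `name` derived from `$comment` is not unique per repository, so two local repositories with the same comment silently overwrite each other's keyring file; appending `$i`, or falling back to `apt-setup_local$i` when the target already exists, avoids that.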


Bug#851774: [Bug 1754075] Re: apt-setup uses apt-key but probably should not anymore

2018-04-09 Thread Lars Kollstedt
Hi,

by the way apt-key belongs to the package apt:

root@bionic-test:/home/kollstedt# apt-file search apt-key
[...]
apt: /usr/bin/apt-key
[...]

It is installed when the error occurs and is exiting with the error mentioned
above.



But there is indeed another way to add the public key without using "apt-key
add".

They can simply be copied to /etc/apt/trusted.gpg.d, with the ending *.gpg if
it's in binary format, or with the ending *.asc for ASCII-armored format.

Please find a patch attached that uses this way to add them instead of the old
way with apt-key.


The two following Debian bugs for this led me to this:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851774

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=886473

I also sent this message to the first one I considered to be the main one. 


For the ones reading the Debian bug, this was mainly sent to

https://bugs.launchpad.net/ubuntu/+source/gnupg/+bug/1754075

since this also found its way to Ubuntu 18.4 bionic (unreleased LTS).


But there is some (more or less) useful discussion there, but as far as I can
see no patch, yet. So I prepared one. Thanks to Marga Manterola and Philipp
Kern for the idea.

One of the most important errors in the stuff discussed there is IMHO the lack
of "-- ", which is necessary to prevent grep from interpreting the leading --.
I also decided not to filter for things that are not relevant, since comments
describing the public key or its origin might be placed above the -BEGIN
PGP PUBLIC KEY BLOCK- (without hitting gpgv), and we would not be able to
prevent all possible syntax evil here without having gpg import and export
the public key to and from a temporary keyring.
I'm also trying to assign a useful name to the key added this way.

This patch should IMHO work, but I have no opportunity to test it without your 
help, since we're in udeb and testing preseed issues. ;-)

Kind regards,
Lars

diff -rupNw apt-setup-0.104ubuntu5.orig/generators/60local apt-setup-0.104ubuntu5.fixed/generators/60local
--- apt-setup-0.104ubuntu5.orig/generators/60local	2016-06-08 19:08:12.0 +0200
+++ apt-setup-0.104ubuntu5.fixed/generators/60local	2018-04-09 12:25:59.535772146 +0200
@@ -35,8 +35,17 @@ while db_get "apt-setup/local$i/reposito
 		while :; do
 			if fetch-url "$key" "$ROOT/tmp/key$i.pub"; then
 # add it to the keyring
-$chroot $ROOT apt-key add "/tmp/key$i.pub"
-rm -f "$ROOT/tmp/key$i.pub"
+if [ -n "$comment" ]; then
+	name=$(echo "" | sed -E 's/[^0-9A-Za-z]+/_/g')
+else
+	name="apt-setup_local$i"
+fi
+if grep -q -- '-BEGIN PGP PUBLIC KEY BLOCK-' $ROOT/tmp/key$i.pub 
+	then
+	mv "$ROOT/tmp/key$i.pub" "$ROOT/etc/apt/trusted.gpg.d/$name.asc"
+else
+	mv "$ROOT/tmp/key$i.pub" "$ROOT/etc/apt/trusted.gpg.d/$name.gpg"
+fi
 break
 			else
 db_subst apt-setup/local/key-error MIRROR "${repository%% *}"
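Review bot: `name=$(echo "" | sed -E 's/[^0-9A-Za-z]+/_/g')` on the `[ -n "$comment" ]` branch pipes an empty string rather than `$comment`, so whenever a comment is set `name` is empty and the key is moved to `trusted.gpg.d/.asc` or `.gpg`: a dotfile that every commented repository would overwrite, not the comment-derived name intended. It should read `name=$(echo "$comment" | sed -E 's/[^0-9A-Za-z]+/_/g')`, as the follow-up message in this thread also corrects. The unchecked `mv` followed by an unconditional `break` out of the retry loop, the unquoted `$ROOT/tmp/key$i.pub` on the `grep` line and the possible collision of comment-derived names between repositories apply to this version as well.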
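The key-installation mechanism this message describes (copy the fetched key into /etc/apt/trusted.gpg.d as *.gpg or *.asc, detect armour with grep --, derive the file name from the comment), as an added POSIX sh example that is my own code, not Lars's patch or apt-setup's; it adds the existence and mv checks the loop in the patch does without. The function names, the demo directory and the two key files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not apt-setup's code: install a fetched repository key into
# apt's trusted.gpg.d the way the patch above does, with quoted paths, a
# created target directory and a checked mv. Function names and all inputs
# below are constructed for this demo.

# Keyring file name: sanitised repository comment, or a per-repository default.
key_name() {  # $1 = comment, $2 = repository index
    if [ -n "$1" ]; then
        printf '%s\n' "$1" | sed -E 's/[^0-9A-Za-z]+/_/g'
    else
        printf 'apt-setup_local%s\n' "$2"
    fi
}

# apt reads *.asc (ASCII-armoured) and *.gpg (binary) from trusted.gpg.d; the
# '--' keeps grep from reading the pattern's leading dashes as an option.
key_ext() {  # $1 = downloaded key file
    if grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; then
        echo asc
    else
        echo gpg
    fi
}

# Move the key into place and print its final path; non-zero on any failure,
# so the caller can retry or report instead of assuming the key is installed.
install_key() {  # $1 = key file, $2 = trusted.gpg.d, $3 = comment, $4 = index
    [ -f "$1" ] || return 1
    name=$(key_name "$3" "$4")
    ext=$(key_ext "$1")
    mkdir -p "$2" || return 1
    mv "$1" "$2/$name.$ext" || return 1
    printf '%s\n' "$2/$name.$ext"
}

# Constructed inputs: an armoured key with a comment line above the header
# (deliberately not filtered, as the message explains) and an opaque binary blob.
DEMO=$(mktemp -d)
printf 'Comment: key for apt.example.org\n-----BEGIN PGP PUBLIC KEY BLOCK-----\n(body omitted)\n-----END PGP PUBLIC KEY BLOCK-----\n' > "$DEMO/key0.pub"
printf '\231\001\015\004' > "$DEMO/key1.pub"

# Usage: install_key "$DEMO/key0.pub" "$DEMO/trusted.gpg.d" 'apt.example.org repo' 0
```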