|
|
|
|
@ -5117,17 +5117,17 @@ sub main() {
|
|
|
|
|
# a signed-by option
|
|
|
|
|
my $signedby = '';
|
|
|
|
|
my %suite_by_vendor = get_suite_by_vendor();
|
|
|
|
|
{
|
|
|
|
|
my $gpgproc = sub {
|
|
|
|
|
my $keyring
|
|
|
|
|
= get_keyring_by_suite($options->{suite}, \%suite_by_vendor);
|
|
|
|
|
if (!defined $keyring) {
|
|
|
|
|
last;
|
|
|
|
|
return '';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# we can only check if we need the signed-by entry if we u
|
|
|
|
|
# automatically chosen keyring exists
|
|
|
|
|
if (!defined $keyring || !-e $keyring) {
|
|
|
|
|
last;
|
|
|
|
|
return '';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# we can only check key material if gpg is installed
|
|
|
|
|
@ -5155,9 +5155,9 @@ sub main() {
|
|
|
|
|
close $fh;
|
|
|
|
|
}
|
|
|
|
|
if ($? != 0 || !defined $ret || defined $message) {
|
|
|
|
|
info "gpg --version failed: cannot determine the right"
|
|
|
|
|
. " signed-by value";
|
|
|
|
|
last;
|
|
|
|
|
warning
|
|
|
|
|
"gpg --version failed: cannot infer signed-by value";
|
|
|
|
|
return '';
|
|
|
|
|
}
|
|
|
|
|
# initialize gpg trustdb with empty one
|
|
|
|
|
{
|
|
|
|
|
@ -5166,7 +5166,7 @@ sub main() {
|
|
|
|
|
}
|
|
|
|
|
if (!-d $options->{apttrustedparts}) {
|
|
|
|
|
warning "$options->{apttrustedparts} doesn't exist";
|
|
|
|
|
last;
|
|
|
|
|
return '';
|
|
|
|
|
}
|
|
|
|
|
# find all the fingerprints of the keys apt currently
|
|
|
|
|
# knows about
|
|
|
|
|
@ -5188,8 +5188,7 @@ sub main() {
|
|
|
|
|
}
|
|
|
|
|
my @aptfingerprints = ();
|
|
|
|
|
if (scalar @keyrings == 0) {
|
|
|
|
|
$signedby = " [signed-by=\"$keyring\"]";
|
|
|
|
|
last;
|
|
|
|
|
return " [signed-by=\"$keyring\"]";
|
|
|
|
|
}
|
|
|
|
|
info "Finding correct signed-by value...";
|
|
|
|
|
my $progress = 0.0;
|
|
|
|
|
@ -5212,8 +5211,7 @@ sub main() {
|
|
|
|
|
}
|
|
|
|
|
print_progress("done");
|
|
|
|
|
if (scalar @aptfingerprints == 0) {
|
|
|
|
|
$signedby = " [signed-by=\"$keyring\"]";
|
|
|
|
|
last;
|
|
|
|
|
return " [signed-by=\"$keyring\"]";
|
|
|
|
|
}
|
|
|
|
|
# check if all fingerprints from the keyring that we guessed
|
|
|
|
|
# are known by apt and only add signed-by option if that's not
|
|
|
|
|
@ -5229,15 +5227,20 @@ sub main() {
|
|
|
|
|
# if this fingerprint is not known by apt, then we need
|
|
|
|
|
#to add the signed-by option
|
|
|
|
|
if (none { $_ eq $1 } @aptfingerprints) {
|
|
|
|
|
$signedby = " [signed-by=\"$keyring\"]";
|
|
|
|
|
last;
|
|
|
|
|
return " [signed-by=\"$keyring\"]";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
close $fh;
|
|
|
|
|
if ($? != 0) {
|
|
|
|
|
warning "gpg failed -- cannot infer signed-by value";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ($? != 0) {
|
|
|
|
|
error "gpg failed";
|
|
|
|
|
}
|
|
|
|
|
return '';
|
|
|
|
|
};
|
|
|
|
|
if (any { $_ eq 'check/signed-by' } @{ $options->{skip} }) {
|
|
|
|
|
info "skipping check/signed-by as requested";
|
|
|
|
|
} else {
|
|
|
|
|
$signedby = $gpgproc->();
|
|
|
|
|
}
|
|
|
|
|
if (scalar @ARGV > 0) {
|
|
|
|
|
for my $arg (@ARGV) {
|
|
|
|
|
@ -6943,6 +6946,8 @@ Upon startup, several checks are carried out, like:
|
|
|
|
|
|
|
|
|
|
=item * whether the output directory is empty. This check can be disabled using B<--skip=check/empty>
|
|
|
|
|
|
|
|
|
|
=item * whether adding a C<signed-by> to C<apt/sources.list> is necessary. This requires gpg and can be disabled using B<--skip=check/signed-by>
|
|
|
|
|
|
|
|
|
|
=back
|
|
|
|
|
|
|
|
|
|
=item B<setup>
|
|
|
|
|
|
