add --skip=check/signed-by

This commit is contained in:
Johannes Schauer Marin Rodrigues 2023-01-16 14:58:23 +01:00
parent 42386c90c8
commit 327b75846f
Signed by untrusted user: josch
GPG key ID: F2CBA5C78FBD83E1

View file

@ -5117,17 +5117,17 @@ sub main() {
# a signed-by option
my $signedby = '';
my %suite_by_vendor = get_suite_by_vendor();
{
my $gpgproc = sub {
my $keyring
= get_keyring_by_suite($options->{suite}, \%suite_by_vendor);
if (!defined $keyring) {
last;
return '';
}
# we can only check if we need the signed-by entry if we u
# automatically chosen keyring exists
if (!defined $keyring || !-e $keyring) {
last;
return '';
}
# we can only check key material if gpg is installed
@ -5155,9 +5155,9 @@ sub main() {
close $fh;
}
if ($? != 0 || !defined $ret || defined $message) {
info "gpg --version failed: cannot determine the right"
. " signed-by value";
last;
warning
"gpg --version failed: cannot infer signed-by value";
return '';
}
# initialize gpg trustdb with empty one
{
@ -5166,7 +5166,7 @@ sub main() {
}
if (!-d $options->{apttrustedparts}) {
warning "$options->{apttrustedparts} doesn't exist";
last;
return '';
}
# find all the fingerprints of the keys apt currently
# knows about
@ -5188,8 +5188,7 @@ sub main() {
}
my @aptfingerprints = ();
if (scalar @keyrings == 0) {
$signedby = " [signed-by=\"$keyring\"]";
last;
return " [signed-by=\"$keyring\"]";
}
info "Finding correct signed-by value...";
my $progress = 0.0;
@ -5212,8 +5211,7 @@ sub main() {
}
print_progress("done");
if (scalar @aptfingerprints == 0) {
$signedby = " [signed-by=\"$keyring\"]";
last;
return " [signed-by=\"$keyring\"]";
}
# check if all fingerprints from the keyring that we guessed
# are known by apt and only add signed-by option if that's not
@ -5229,16 +5227,21 @@ sub main() {
# if this fingerprint is not known by apt, then we need
#to add the signed-by option
if (none { $_ eq $1 } @aptfingerprints) {
$signedby = " [signed-by=\"$keyring\"]";
last;
return " [signed-by=\"$keyring\"]";
}
}
close $fh;
}
if ($? != 0) {
error "gpg failed";
warning "gpg failed -- cannot infer signed-by value";
}
}
return '';
};
if (any { $_ eq 'check/signed-by' } @{ $options->{skip} }) {
info "skipping check/signed-by as requested";
} else {
$signedby = $gpgproc->();
}
if (scalar @ARGV > 0) {
for my $arg (@ARGV) {
if ($arg eq '-') {
@ -6943,6 +6946,8 @@ Upon startup, several checks are carried out, like:
=item * whether the output directory is empty. This check can be disabled using B<--skip=check/empty>
=item * whether adding a C<signed-by> to C<apt/sources.list> is necessary. This requires gpg and can be disabled using B<--skip=check/signed-by>
=back
=item B<setup>