Changeset 980


Timestamp:
Feb 19, 2008, 10:48:30 AM (10 years ago)
Author:
dkg
Message:

debirf: added cryptographic verification of the debootstrap phase

Location:
trunk/debirf
Files:
4 edited

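--- a/trunk/debirf/debian/changelog
+++ b/trunk/debirf/debian/changelog
@@ -5,4 +5,5 @@
   * new "makeiso" subcommand to build a bootable CD-ROM image, at least on
     i386 and amd64 architectures. (closes CMRG #63)
+  * set up cryptographic verification of the debootstrap step.
 
  -- Daniel Kahn Gillmor <dkg-debian.org@fifthhorseman.net>  Wed, 30 Jan 2008 18:29:06 -0500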
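--- a/trunk/debirf/fs/usr/bin/debirf
+++ b/trunk/debirf/fs/usr/bin/debirf
@@ -53,4 +53,6 @@
                               (requires superuser privileges or CAP_SYS_CHROOT)
     -w|--no-warning           skip superuser warning
+    -g|--gpg-keyring=KEYRING  keyring to verify Releases during debootstrap
+                              (if 'noverify', don't verify Releases)           
     -d|--no-initrd            do not make initramfs
     -i|--initrd-only          just remake initramfs from existing root
@@ -79,8 +81,14 @@
 create_debootstrap() {
     mkdir -p "$DEBIRF_ROOT"
+    local KROPT
+    if [ "$DEBIRF_KEYRING" != 'noverify' ] ; then
+        [ -r "$DEBIRF_KEYRING" ] || failure "Cannot read keyring '$DEBIRF_KEYRING' for debootstrap verification."
+    else
+        KROPT=--keyring=$DEBIRF_KEYRING
+    fi
     if [ "$ROOT_BUILD" = 'true' ] ; then
-        /usr/sbin/debootstrap --exclude="$EXCLUDE" "$DEBIRF_DISTRO" "$DEBIRF_ROOT" "$DEBIRF_MIRROR"
-    else
-        fakeroot_if_needed fakechroot /usr/sbin/debootstrap --variant=fakechroot --include="$INCLUDE" --exclude="$EXCLUDE" "$DEBIRF_DISTRO" "$DEBIRF_ROOT" "$DEBIRF_MIRROR"
+        /usr/sbin/debootstrap --exclude="$EXCLUDE" ${KROPT+"$KROPT"} "$DEBIRF_DISTRO" "$DEBIRF_ROOT" "$DEBIRF_MIRROR"
+    else
+        fakeroot_if_needed fakechroot /usr/sbin/debootstrap --variant=fakechroot --include="$INCLUDE" ${KROPT+"$KROPT"} --exclude="$EXCLUDE" "$DEBIRF_DISTRO" "$DEBIRF_ROOT" "$DEBIRF_MIRROR"
     fi
     fakeroot_if_needed mv "$DEBIRF_ROOT"/var/log/bootstrap.log "$DEBIRF_BUILDD"/.bootstrap.log
@@ -256,5 +264,5 @@
 make() {
     # option parsing
-    TEMP=$(getopt --options -hcnosrwdik: --longoptions help,check-vars,new,overwrite,skip,root-build,no-warning,no-initrd,initrd-only,kernel: -n "$CMD" -- "$@")
+    TEMP=$(getopt --options -hcnosrwgdik: --longoptions help,check-vars,new,overwrite,skip,root-build,no-warning,gpg-keyringno-initrd,initrd-only,kernel: -n "$CMD" -- "$@")
 
     if [ $? != 0 ] ; then
@@ -292,4 +300,8 @@
                 ROOT_WARNING=false
                 shift 1
+                ;;
+            -g|--gpg-keyring)
+                DEBIRF_KEYRING="$2"
+                shift 2
                 ;;
             -d|--no-initrd)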
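Review bot: The branches of the new keyring check in create_debootstrap look inverted: when DEBIRF_KEYRING is a real path the code only tests readability and leaves KROPT unset, so `${KROPT+"$KROPT"}` expands to nothing and debootstrap runs without `--keyring`, while the `noverify` case is the one that passes `--keyring=noverify`. As written the default path does not verify the Release file, which is the opposite of what the commit message states. Set `KROPT="--keyring=$DEBIRF_KEYRING"` in the `then` branch right after the `[ -r ... ] || failure` test and drop the `else` branch. The getopt call in make() also needs `g:` in the short options and `gpg-keyring:,no-initrd` in the long options; the current string fuses the two names into `gpg-keyringno-initrd`, which takes no argument, while the new case arm does `shift 2`. Both function bodies continue outside the visible hunks.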
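--- a/trunk/debirf/fs/usr/share/debirf/debirf.conf.defaults
+++ b/trunk/debirf/fs/usr/share/debirf/debirf.conf.defaults
@@ -15,2 +15,5 @@
 # what distribution should debirf be built from?
 DEBIRF_DISTRO=${DEBIRF_DISTRO:-"lenny"}
+
+# what keyring should be used to verify the debootstrap?
+DEBIRF_KEYRING=${DEBIRF_KEYRING:-"/usr/share/keyrings/debian-archive-keyring.gpg"}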
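Review bot: The comment above the new DEBIRF_KEYRING default does not mention that the value `noverify` is special and switches verification off; a line such as `# set to 'noverify' to skip verification (not recommended)` would keep the config file consistent with the man page. The default path is presumably shipped by the debian-archive-keyring package, and none of the four files in this changeset is a packaging dependency file, so it is worth confirming that the package gets pulled in. Otherwise a default build stops at the readability check in create_debootstrap.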
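--- a/trunk/debirf/fs/usr/share/man/man1/debirf.1
+++ b/trunk/debirf/fs/usr/share/man/man1/debirf.1
@@ -62,4 +62,11 @@
 \fB\-w\fR, \fB\-\-no-warning\fR
 skip superuser warning
+.TP
+\fB\-g\fR, \fB\-\-gpg-keyring=KEYRING\fR
+Verify the debootstrap stage against the GPG keyring KEYRING (which
+should be specified by an absolute path).  By default, the keyring
+used is /usr/share/keyrings/debian-archive-keyring.gpg.  If you want
+to skip verification entirely (not recommended!), you should use
+--gpg-keyring=noverify.
 .TP
 \fB\-i\fR, \fB\-\-initrd-only\fR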