Merge ~ebarretto/ubuntu-security-tools:apt-key into ubuntu-security-tools:master

Proposed by Eduardo Barretto
Status: Merged
Approved by: Paulo Flabiano Smorigo
Approved revision: 64a63eb3ab0ada7f24956525e6b468841b05a2af
Merged at revision: 64a63eb3ab0ada7f24956525e6b468841b05a2af
Proposed branch: ~ebarretto/ubuntu-security-tools:apt-key
Merge into: ubuntu-security-tools:master
Diff against target: 48 lines (+15/-4)
2 files modified
build-tools/build-sources-list (+14/-4)
build-tools/umt (+1/-0)
Reviewer: Ubuntu Security Team, Status: Pending
Review via email: mp+451206@code.launchpad.net

Description of the change

This is a proposal for fixing umt compare-bin on systems that no longer use /etc/apt/trusted.gpg, as apt-key was deprecated.
In this proposal we are using /etc/apt/keyrings, which is not an official directory but the recommended one for third-party keyrings:
"If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead."
https://wiki.debian.org/DebianRepository/UseThirdParty

Also altered build-sources-list, as it was setting the signed-by entry only for trusty, xenial and bionic; for newer systems we should have signed-by for all running releases.

Any feedback or suggestions are very much appreciated.
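The /etc/apt/keyrings layout described above, as an added shell example that is not code from ubuntu-security-tools or from this proposal: it stages a package-provided keyring into a local keyrings directory with the modes apt needs, refuses to proceed when ubuntu-keyring is not installed, and emits the sources line pinned to that keyring with signed-by. Every path is a parameter so it runs against a scratch directory; the archive URL and the function names are assumptions, and the keyring file used in the test is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example (not the project's code): stage a release keyring into a local
# keyrings directory, the /etc/apt/keyrings layout, and emit a signed-by sources line.
# On a real system the install_keyring call would run under sudo.
set -eu

# install_keyring SRC DESTDIR NAME
# Checks that the package-provided keyring exists before touching the filesystem,
# then creates DESTDIR (0755) and copies the keyring with mode 0644 regardless of
# the caller's umask. apt runs its download and verification methods as the
# unprivileged _apt user: a keyring it cannot read is skipped with a warning and
# the release then fails signature verification.
install_keyring() {
    src=$1
    destdir=$2
    name=$3
    if [ ! -f "$src" ]; then
        echo "keyring $src not found; install ubuntu-keyring" >&2
        return 1
    fi
    install -d -m 0755 "$destdir"
    install -m 0644 "$src" "$destdir/$name"
}

# keyring_readable PATH: succeeds only if the keyring is readable by others,
# i.e. by the _apt user (GNU stat; assumed Linux host).
keyring_readable() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        644|444) return 0 ;;
        *) return 1 ;;
    esac
}

# sources_line RELEASE KEYRING: one-line sources.list entry pinned to KEYRING, so
# no key in the global trusted directories can vouch for this source
# (archive URL is an assumption).
sources_line() {
    printf 'deb [signed-by=%s] http://archive.ubuntu.com/ubuntu %s main restricted universe multiverse\n' "$2" "$1"
}
```

Typical use is `install_keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg /etc/apt/keyrings ubuntu-archive-keyring.gpg` followed by `sources_line jammy /etc/apt/keyrings/ubuntu-archive-keyring.gpg`; `install` is used rather than `mkdir` plus `cp` because it is idempotent for the directory and sets the file mode explicitly.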

Marc Deslauriers (mdeslaur) wrote :

I thought /etc/apt/keyrings was untrusted by default, so we should still need the "signed-by=" in build-sources-list, but changed to the new path, no?

Marc Deslauriers (mdeslaur) wrote :

Oh, never mind my comment, I see you set it further down now.

Paulo Flabiano Smorigo (pfsmorigo) wrote :

LGTM

Preview Diff

1diff --git a/build-tools/build-sources-list b/build-tools/build-sources-list
2index c944bb9..f4a20c6 100755
3--- a/build-tools/build-sources-list
4+++ b/build-tools/build-sources-list
5@@ -143,10 +143,6 @@ EOM
6 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918 stored in ${ESM_PPA_KEYRING}"
7 # normal ubuntu releases.
8 else
9- keyring=""
10- if [ "$r" = "trusty" ] || [ "$r" = "xenial" ] || [ "$r" = "bionic" ]; then
11- keyring="[signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg]"
12- fi
13 if [ "$r" = "precise" ] ; then
14 # releases where the archive key is no longer trusted
15 cat <<EOM
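Review bot: removing `keyring=""` and the trusty/xenial/bionic assignment here leaves `$keyring` unassigned until the new block later in this function, which comes after the `if [ "$r" = "precise" ]` branch and its `cat <<EOM` heredoc. If that heredoc, or anything else between this hunk and the new assignment, expands `$keyring`, it now sees an empty value on the first release and, because the per-release reset is gone, the previous release's value on later iterations. Either confirm nothing in that region references `$keyring`, or put the new `keyring="[signed-by=...]"` assignment in place of these removed lines so it is set before the precise branch.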
16@@ -168,6 +164,20 @@ EOM
17 # echo "deb-src http://archive.canonical.com/ubuntu $r partner"
18 fi
19
20+ sharedkeyring="/usr/share/keyrings"
21+ keyringsdir="/etc/apt/keyrings"
22+ keyringfile="ubuntu-archive-keyring.gpg"
23+ keyring="[signed-by=$keyringsdir/$keyringfile]"
24+
25+ if [ ! -d "$keyringsdir" ]; then
26+ mkdir "$keyringsdir"
27+ fi
28+ if [ ! -f "$sharedkeyring/$keyringfile" ]; then
29+ echo "Make sure you install ubuntu-keyring!"
30+ exit 1
31+ else
32+ sudo cp "$sharedkeyring/$keyringfile" "$keyringsdir"
33+ fi
34
35 if [ "$add_fallbacks" = "yes" ] && [ "$r" != "$release_devel" ]; then
36 cat <<EOM
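Review bot: `mkdir "$keyringsdir"` runs unprivileged while the copy three lines later runs under `sudo`; /etc/apt/keyrings lives under root-owned /etc, so for a normal user the mkdir fails, nothing checks its status, and the script continues into a `sudo cp` aimed at a directory that does not exist. Replace the `-d` test and mkdir with `sudo install -d -m 0755 "$keyringsdir"` (idempotent) and the cp with `sudo install -m 0644 "$sharedkeyring/$keyringfile" "$keyringsdir/$keyringfile"` so the keyring is readable by apt's unprivileged user whatever the caller's umask; the "install ubuntu-keyring" check should also run before the directory is created rather than after. Separately, the copy turns a package-managed keyring into a local one that only refreshes when this script is re-run, whereas the removed lines pointed `signed-by` directly at /usr/share/keyrings/ubuntu-archive-keyring.gpg, which needs no copy; if the copy exists only so that the umt `trustedparts` change picks it up, the original path is the simpler choice.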
37diff --git a/build-tools/umt b/build-tools/umt
38index 4237ff4..ce02735 100755
39--- a/build-tools/umt
40+++ b/build-tools/umt
41@@ -1370,6 +1370,7 @@ Dir "/"
42 Etc "%s/" {
43 trusted "/etc/apt/trusted.gpg";
44 trustedparts "/etc/apt/trusted.gpg.d";
45+ trustedparts "/etc/apt/keyrings";
46 };
47
48 // Location of the logfile
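Review bot: a second `trustedparts "/etc/apt/keyrings";` line does not add a directory, it replaces the previous one: `Name "value";` in apt.conf is a scalar assignment and Dir::Etc::TrustedParts is a single path, so after this hunk the compare-bin apt instance consults /etc/apt/keyrings and silently stops consulting /etc/apt/trusted.gpg.d. If the intent is to keep both, only one can be named here; the alternative is to drop this line and rely on the `signed-by` option that build-sources-list now writes for every release, which already pins each source to the archive keyring without making every key in /etc/apt/keyrings trusted for every source in this configuration.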
