Merge ~ebarretto/ubuntu-security-tools:apt-key into ubuntu-security-tools:master

Proposed by Eduardo Barretto
Status: Merged
Approved by: Paulo Flabiano Smorigo
Approved revision: 64a63eb3ab0ada7f24956525e6b468841b05a2af
Merged at revision: 64a63eb3ab0ada7f24956525e6b468841b05a2af
Proposed branch: ~ebarretto/ubuntu-security-tools:apt-key
Merge into: ubuntu-security-tools:master
Diff against target: 48 lines (+15/-4)
2 files modified
build-tools/build-sources-list (+14/-4)
build-tools/umt (+1/-0)
Reviewer: Ubuntu Security Team (status: Pending)
Review via email: mp+451206@code.launchpad.net

Description of the change

This is a proposal to fix umt compare-bin on systems that no longer use /etc/apt/trusted.gpg, as apt-key was deprecated.
In this proposal we are using /etc/apt/keyrings, which is not an official directory but a recommended location for third-party keyrings:
"If future updates to the certificate will be managed by an apt/dpkg package as recommended below, then it SHOULD be downloaded into /usr/share/keyrings using the same filename that will be provided by the package. If it will be managed locally, it SHOULD be downloaded into /etc/apt/keyrings instead."
https://wiki.debian.org/DebianRepository/UseThirdParty

I also altered build-sources-list, as it was setting the signed-by entry only for trusty, xenial and bionic; on newer systems we should have signed-by for all running releases.

Any feedback or suggestions are very much appreciated.

Marc Deslauriers (mdeslaur) wrote :

I thought /etc/apt/keyrings was untrusted by default, so we should still need the "signed-by=" in build-sources-list, but changed to the new path, no?

Marc Deslauriers (mdeslaur) wrote :

Oh, never mind my comment, I see you set it further down now.

Paulo Flabiano Smorigo (pfsmorigo) wrote :

LGTM

Preview Diff

diff --git a/build-tools/build-sources-list b/build-tools/build-sources-list
index c944bb9..f4a20c6 100755
--- a/build-tools/build-sources-list
+++ b/build-tools/build-sources-list
@@ -143,10 +143,6 @@ EOM
143 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918 stored in ${ESM_PPA_KEYRING}"143 echo "# Requires gpg keyid DBB1FC89762BF6B96707C4059BC0A1A1622CF918 stored in ${ESM_PPA_KEYRING}"
144 # normal ubuntu releases.144 # normal ubuntu releases.
145 else145 else
146 keyring=""
147 if [ "$r" = "trusty" ] || [ "$r" = "xenial" ] || [ "$r" = "bionic" ]; then
148 keyring="[signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg]"
149 fi
150 if [ "$r" = "precise" ] ; then146 if [ "$r" = "precise" ] ; then
151 # releases where the archive key is no longer trusted147 # releases where the archive key is no longer trusted
152 cat <<EOM148 cat <<EOM
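Review bot: with the `keyring=""` default at old line 146 removed, any expansion of `$keyring` between this point and its next assignment inherits whatever value the previous loop iteration (or the environment) left in it; confirm that nothing in the intervening lines emits `$keyring` before the new assignment, or keep the empty default here.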
@@ -168,6 +164,20 @@ EOM
168 # echo "deb-src http://archive.canonical.com/ubuntu $r partner"164 # echo "deb-src http://archive.canonical.com/ubuntu $r partner"
169 fi165 fi
170166
167 sharedkeyring="/usr/share/keyrings"
168 keyringsdir="/etc/apt/keyrings"
169 keyringfile="ubuntu-archive-keyring.gpg"
170 keyring="[signed-by=$keyringsdir/$keyringfile]"
171
172 if [ ! -d "$keyringsdir" ]; then
173 mkdir "$keyringsdir"
174 fi
175 if [ ! -f "$sharedkeyring/$keyringfile" ]; then
176 echo "Make sure you install ubuntu-keyring!"
177 exit 1
178 else
179 sudo cp "$sharedkeyring/$keyringfile" "$keyringsdir"
180 fi
171181
172 if [ "$add_fallbacks" = "yes" ] && [ "$r" != "$release_devel" ]; then182 if [ "$add_fallbacks" = "yes" ] && [ "$r" != "$release_devel" ]; then
173 cat <<EOM183 cat <<EOM
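Review bot: `mkdir "$keyringsdir"` at line 173 runs without `sudo` while the `cp` at line 179 uses it, so when /etc/apt/keyrings does not exist yet and the script is run unprivileged the mkdir fails (no `-p`, no exit on error) and the following `sudo cp` then creates a regular file literally named /etc/apt/keyrings; suggest `sudo mkdir -p "$keyringsdir"` and failing hard if it does not succeed. The message at line 176 is also written to stdout, the same stream this script uses for the generated sources list via `echo` and `cat <<EOM`, so it should go to stderr (`echo "Make sure you install ubuntu-keyring!" >&2`). Finally, copying ubuntu-archive-keyring.gpg out of /usr/share/keyrings turns it into a locally managed copy that the ubuntu-keyring package will not refresh; pointing `signed-by=` at `$sharedkeyring/$keyringfile` directly would avoid both the copy and the root requirement.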
diff --git a/build-tools/umt b/build-tools/umt
index 4237ff4..ce02735 100755
--- a/build-tools/umt
+++ b/build-tools/umt
@@ -1370,6 +1370,7 @@ Dir "/"
1370 Etc "%s/" {1370 Etc "%s/" {
1371 trusted "/etc/apt/trusted.gpg";1371 trusted "/etc/apt/trusted.gpg";
1372 trustedparts "/etc/apt/trusted.gpg.d";1372 trustedparts "/etc/apt/trusted.gpg.d";
1373 trustedparts "/etc/apt/keyrings";
1373 };1374 };
13741375
1375 // Location of the logfile1376 // Location of the logfile
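Review bot: apt.conf scalar options take the last assignment, so the added `trustedparts "/etc/apt/keyrings";` most likely replaces "/etc/apt/trusted.gpg.d" as Dir::Etc::trustedparts rather than trusting both directories; verify with `apt-config -c <generated file> dump Dir::Etc::trustedparts`, and if the intent is only to make the copied archive keyring available, the `signed-by=` entry written by build-sources-list already covers that without touching trustedparts.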
