signreleasefiles() {
local SIGNER="${1:-Joe Sixpack}"
+ local GPG="gpg --batch --yes --no-default-keyring --trustdb-name rootdir/etc/apt/trustdb.gpg"
msgninfo "\tSign archive with $SIGNER key… "
- local SECKEYS=""
+ local REXKEY='keys/rexexpired'
+ local SECEXPIREBAK="${REXKEY}.sec.bak"
+ local PUBEXPIREBAK="${REXKEY}.pub.bak"
+ if [ "${SIGNER}" = 'Rex Expired' ]; then
+ # the key is expired, so gpg doesn't allow to sign with and the --faked-system-time
+ # option doesn't exist anymore (and using faketime would add a new obscure dependency)
+ # therefore we 'temporary' make the key not expired and restore a backup after signing
+ cp ${REXKEY}.sec $SECEXPIREBAK
+ cp ${REXKEY}.pub $PUBEXPIREBAK
+ local SECUNEXPIRED="${REXKEY}.sec.unexpired"
+ local PUBUNEXPIRED="${REXKEY}.pub.unexpired"
+ if [ -f "$SECUNEXPIRED" ] && [ -f "$PUBUNEXPIRED" ]; then
+ cp $SECUNEXPIRED ${REXKEY}.sec
+ cp $PUBUNEXPIRED ${REXKEY}.pub
+ else
+ printf "expire\n1w\nsave\n" | $GPG --keyring ${REXKEY}.pub --secret-keyring ${REXKEY}.sec --command-fd 0 --edit-key "${SIGNER}" >/dev/null 2>&1 || true
+ cp ${REXKEY}.sec $SECUNEXPIRED
+ cp ${REXKEY}.pub $PUBUNEXPIRED
+ fi
+ fi
for KEY in $(find keys/ -name '*.sec'); do
- SECKEYS="$SECKEYS --secret-keyring $KEY"
+ GPG="$GPG --secret-keyring $KEY"
done
- local PUBKEYS=""
for KEY in $(find keys/ -name '*.pub'); do
- PUBKEYS="$PUBKEYS --keyring $KEY"
+ GPG="$GPG --keyring $KEY"
done
for RELEASE in $(find aptarchive/ -name Release); do
- gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" -abs -o ${RELEASE}.gpg ${RELEASE}
+ $GPG --default-key "$SIGNER" --armor --detach-sign --sign --output ${RELEASE}.gpg ${RELEASE}
local INRELEASE="$(echo "${RELEASE}" | sed 's#/Release$#/InRelease#')"
- gpg --yes --no-default-keyring $SECKEYS $PUBKEYS --default-key "$SIGNER" --clearsign -o $INRELEASE $RELEASE
+ $GPG --default-key "$SIGNER" --clearsign --output $INRELEASE $RELEASE
# we might have set a specific date for the Release file, so copy it
touch -d "$(stat --format "%y" ${RELEASE})" ${RELEASE}.gpg ${INRELEASE}
done
+ if [ -f "$SECEXPIREBAK" ] && [ -f "$PUBEXPIREBAK" ]; then
+ mv -f $SECEXPIREBAK ${REXKEY}.sec
+ mv -f $PUBEXPIREBAK ${REXKEY}.pub
+ fi
msgdone "info"
}
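Review bot: The key-unexpire step at L21 discards gpg's exit status (`>/dev/null 2>&1 || true`) and the restore at L44-L47 runs only on the normal path, so a failure anywhere between the `cp` at L13 and the `mv` at L45 leaves `keys/rexexpired.sec`/`.pub` in their un-expired state and later runs would no longer be exercising an expired key at all (the KEYEXPIRED expectations elsewhere in this commit would then fail for an unrelated reason). The cached `.unexpired` copies also carry a fixed `1w` expiry, so if `keys/` persists between runs rather than being a per-test copy (please confirm), a copy older than a week can no longer sign and the swallowed status hides why; since the edit-key call is cheap, I would drop the `.unexpired` cache and regenerate from the backup each time, and report the failure instead of `|| true`, e.g. `... --edit-key "${SIGNER}" >/dev/null 2>&1 || printf '%s\n' "could not unexpire ${REXKEY}" >&2`. Moving the restore into the harness's exit handling (with the backup paths no longer `local`) would also cover the interrupted case. The function is fully visible in the hunk.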
" aptcache show apt
installaptnew
+ prepare ${PKGFILE}
+ rm -rf rootdir/var/lib/apt/lists
+ cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ signreleasefiles 'Rex Expired'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ msgtest 'Cold archive signed by' 'Rex Expired'
+ aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
+ testequal "$(cat ${PKGFILE})
+" aptcache show apt
+ failaptold
+ rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
prepare ${PKGFILE}
rm -rf rootdir/var/lib/apt/lists
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
msgtest 'Cold archive signed by' 'Marvin Paranoid'
- aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+ aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
testequal "$(cat ${PKGFILE})
" aptcache show apt
failaptold
signreleasefiles 'Marvin Paranoid'
find aptarchive/ -name "$DELETEFILE" -delete
msgtest 'Good warm archive signed by' 'Marvin Paranoid'
- aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgpass || msgfail
+ aptget update 2>&1 | grep -E '^W: .* NO_PUBKEY' > /dev/null && msgpass || msgfail
+ testequal "$(cat ${PKGFILE})
+" aptcache show apt
+ installaptold
+
+ prepare ${PKGFILE}-new
+ cp keys/rexexpired.pub rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+ signreleasefiles 'Rex Expired'
+ find aptarchive/ -name "$DELETEFILE" -delete
+ msgtest 'Good warm archive signed by' 'Rex Expired'
+ aptget update 2>&1 | grep -E '^W: .* KEYEXPIRED' > /dev/null && msgpass || msgfail
testequal "$(cat ${PKGFILE})
" aptcache show apt
installaptold
+ rm rootdir/etc/apt/trusted.gpg.d/rexexpired.gpg
+
+ prepare ${PKGFILE}-new
+ signreleasefiles
+ find aptarchive/ -name "$DELETEFILE" -delete
+ msgtest 'Good warm archive signed by' 'Joe Sixpack'
+ aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null && msgfail || msgpass
+ testequal "$(cat ${PKGFILE}-new)
+" aptcache show apt
+ installaptnew
}
runtest2() {
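Review bot: L97 inverts the file's `… && msgpass || msgfail` idiom into `grep … && msgfail || msgpass`; if `msgfail` returns non-zero (its body is not in the hunk), `msgpass` runs right after it and the test reports both outcomes, so an explicit branch is safer: `if aptget update 2>&1 | grep -E '^(W|E): ' > /dev/null; then msgfail; else msgpass; fi`. The KEYEXPIRED checks at L58 and L87 (and the NO_PUBKEY ones at L69/L77) now only require that a warning line mentions the status and no longer notice an `E:` line; that seems acceptable here because the `testequal` against the old `${PKGFILE}` at L78 and L88 plus `failaptold`/`installaptold` still pin the outcome that matters, namely that lists signed by an expired or unknown key are not adopted. The enclosing test function starts before L50, outside this hunk.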