On Fri, Sep 16, 2016 at 08:02:10PM +0200, Julien Cristau wrote:
> On Fri, Sep 16, 2016 at 13:55:53 -0400, Lennart Sorensen wrote:
> > On Fri, Sep 16, 2016 at 06:59:44PM +0200, Julien Cristau wrote:
> > > On Fri, Sep 2, 2016 at 20:35:12 +0200, Julien Cristau wrote:
> > >
> > > > On Mon, Aug 15, 2016 at 12:12:02 +0200, Ansgar Burchardt wrote:
> > > >
> > > > > If you restore support for `InRelease` and want to use `gpgv`, please
> > > > > split `InRelease` into two files, i.e. `Release` and `Release.gpg`,
> > > > > and
> > > > > verify that the signature actually covers all of `Release`.
> > > > >
> > > > Here's an attempt at doing that. Only lightly tested.
> > > >
> > > Ansgar pointed out on IRC that so far nothing in debootstrap requires
> > > awk on the host. I haven't found a way to kill the last newline with
> > > sed in a quick attempt, and I don't know how big of a deal requiring awk
> > > would be, so help welcome.
> > How about instead of the awk bit using:
> > sed '1,/^$/d;/^-----BEGIN PGP SIGNATURE-----$/,$d' < "$inreldest" >
> > "$reldest"
> > At least that works for the InRelease in debian sid since it has a blank
> > line at the end of the PGP header before the Release file data.
> My problem is getting something that I can feed to gpgv to verify the
> signature, I don't think your command provides that.
Well it makes a Release file that is totally bit for bit identical to
the Release file that goes with Release.gpg
diff verified that.
So if gpgv wants something different than the original Release file,
then that's weird.