Package: libsbuild-perl Version: 0.64.1-1 Severity: normal Tags: patch Dear Maintainer,
"sbuild-update --keygen" generates the sbuild-key.pub and sbuild-key.sec files (default location is "/var/lib/sbuild/apt-keys/"). The generated file sbuild-key.pub is owned by $BUILD_USER:sbuild with access permissions set to 0600. So when a user (root or a user belonging to the 'sbuild' group) uses "sbuild-update --keygen", this file is not readable by other users and the "sbuild" command fails: > gpg: keyring `/«BUILDDIR»/resolver-GS4RzV/apt_archive/sbuild-key.pub' created > gpg: key AEF9CEB5: secret key without public key - skipped > gpg: no default secret key: secret key not available > gpg: signing failed: secret key not available > Failed to sign dummy archive Release file. The attached patch changes the group permissions (0640). -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (700, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.11-rc7-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libsbuild-perl depends on: ii adduser 3.113+nmu3 ii apt 0.9.12.1 ii apt-utils 0.9.12.1 ii dctrl-tools 2.23 ii devscripts 2.13.4 ii dpkg-dev 1.17.1 ii exim4 4.80-9 ii exim4-daemon-light [mail-transport-agent] 4.80-9 ii libdpkg-perl 1.17.1 ii libexception-class-perl 1.37-1 ii libfilesys-df-perl 0.92-4+b2 ii libmime-lite-perl 3.028-1 ii perl 5.18.1-4 ii perl-modules [libio-zlib-perl] 5.18.1-4 ii schroot 1.6.5-1+b1 libsbuild-perl recommends no packages. libsbuild-perl suggests no packages. -- no debconf information
>From ca6b25217cd8d309488c909cdfeb3e259c085d11 Mon Sep 17 00:00:00 2001 From: Pierre-Louis Bonicoli <[email protected]> Date: Sun, 20 Oct 2013 00:59:10 +0200 Subject: [PATCH] Public key needs to be readable by sbuild group --- lib/Sbuild/ChrootSetup.pm | 39 +++++++++++++++++++-------------------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/lib/Sbuild/ChrootSetup.pm b/lib/Sbuild/ChrootSetup.pm index ab16e3c..000c8d0 100644 --- a/lib/Sbuild/ChrootSetup.pm +++ b/lib/Sbuild/ChrootSetup.pm @@ -230,6 +230,9 @@ sub generate_keys ($$) { my $host = shift; my $conf = shift; + my $pubkey = $conf->get('SBUILD_BUILD_DEPENDS_PUBLIC_KEY'); + my $seckey = $conf->get('SBUILD_BUILD_DEPENDS_SECRET_KEY'); + my ($tmpfh, $tmpfilename) = tempfile(); print $tmpfh <<"EOF"; Key-Type: RSA @@ -239,8 +242,8 @@ Name-Comment: Sbuild Build Dependency Archive Key Name-Email: buildd-tools-devel\@lists.alioth.debian.org Expire-Date: 0 EOF - print $tmpfh '%secring ' . $conf->get('SBUILD_BUILD_DEPENDS_SECRET_KEY') . "\n"; - print $tmpfh '%pubring ' . $conf->get('SBUILD_BUILD_DEPENDS_PUBLIC_KEY') . "\n"; + print $tmpfh '%secring ' . $seckey . "\n"; + print $tmpfh '%pubring ' . $pubkey . "\n"; print $tmpfh '%commit' . "\n"; close($tmpfh); 
@@ -261,26 +264,22 @@ EOF return $? } - my @command = ('gpg', '--no-default-keyring', '--batch', '--gen-key', - $tmpfilename); - $host->run_command( - { COMMAND => \@command, - USER => $conf->get('BUILD_USER'), - PRIORITY => 0, - DIR => '/'}); - if ($?) { - return $?; + my @commands = ( + ['gpg', '--no-default-keyring', '--batch', '--gen-key', $tmpfilename], + ['chmod', '640', $pubkey], # keys need to be + ['chmod', '640', $seckey]); # readable by 'sbuild' group. + + foreach my $cmd (@commands) { + $host->run_command( + { COMMAND => $cmd, + USER => $conf->get('BUILD_USER'), + PRIORITY => 0, + DIR => '/'}); + if ($?) { + last; + } } - # Secret keyring needs to be readable by 'sbuild' group. - @command = ('chmod', '640', - $conf->get('SBUILD_BUILD_DEPENDS_SECRET_KEY')); - $host->run_command( - { COMMAND => \@command, - USER => $conf->get('BUILD_USER'), - PRIORITY => 0, - DIR => '/'}); - return $?; } -- 1.8.4.rc3
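Review bot: The two `chmod 640` entries in `@commands` widen both keyrings to group-read, but nothing in this hunk establishes which group owns the files, so the secret keyring becomes readable by whatever group they were created with. The report says they come out as `$BUILD_USER:sbuild`, which presumably depends on the key directory's setgid bit or on BUILD_USER's primary group; if that assumption fails, the private signing key is exposed to the wrong group. Consider making the group explicit with a `['chgrp', 'sbuild', $pubkey, $seckey],` entry ahead of the chmods (as BUILD_USER this only works if that user is a member of the group). At minimum, replace the comment split across the two array elements with one line above the list, such as `# Both keyrings must be group-readable; the owning group is expected to be 'sbuild'.` generate_keys begins before this hunk, so any earlier handling of the files' group is not visible here.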

