On Wed, 2019-01-16 at 08:55 +0100, Axel Beckert wrote:
> 
> 
> # summary of how this script can be called:
> #        * <postinst> `configure' <most-recently-configured-version>
> [...]
> case "$1" in
>     configure)
>         # configure the control channel if run for the first time
>         if [ -z "$2" ]; then
>             dnssec-trigger-control-setup
>         fi
>     ;;
> 
> So as I read it, dnssec-trigger-control-setup is only called if there
> was no previously configured version installed and is hence never
> called when upgrading the package and hence never removes the too
> small old keys on upgrade.
> 

I'm tired enough I wanted to double check the logic of a solution
before trying to implement it.

The check to remove too small keys should probably be moved out of
dnssec-trigger-control-setup and into the postinst script.

Then the "if [ -z "$2" ]" conditional in the post should be replaced
with checking for the existence of the keys instead of the package
version number to decide if the control-setup script is called.


Something like

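configure)
    # remove undersized keys first, on fresh installs and upgrades alike
    debian_remove_small_keys "$SERVER"
    debian_remove_small_keys "$CONTROL"
    # run the setup script only when the control key is missing
    if [ ! -e /etc/dnssec-trigger/dnssec_trigger_control.key ]; then
        dnssec-trigger-control-setup
    fi
;;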

How's that sound to you?

Diane
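
Added example, not part of the original message and not the package's own code: a self-contained sketch of the postinst flow discussed in this thread, which prunes undersized keys on every configure run and then decides on key presence rather than on "$2". It goes one step beyond the snippet above by also running the setup script when only the server key is missing. Assumptions: the 2048-bit MIN_BITS threshold, the KEY_BITS_CMD and SETUP_CMD hooks, the dnssec_trigger_server file name and the .pem companions are hypothetical; only the control key path comes from the thread.

```shell
#!/bin/sh
# Added illustration, not the dnssec-trigger package's own postinst.
# Assumed/hypothetical: MIN_BITS, the *_CMD hooks, the server key name and
# the .pem companions. Only the control key path appears in the thread.
MIN_BITS="${MIN_BITS:-2048}"
KEYDIR="${KEYDIR:-/etc/dnssec-trigger}"
SETUP_CMD="${SETUP_CMD:-dnssec-trigger-control-setup}"
KEY_BITS_CMD="${KEY_BITS_CMD:-key_bits}"

# Print the size in bits of an RSA private key (requires openssl).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Remove base.key and base.pem when the key is shorter than MIN_BITS.
# A key whose size cannot be read is kept and reported, never deleted.
remove_small_keys() {
    base="$1"
    [ -e "$base.key" ] || return 0
    bits=$("$KEY_BITS_CMD" "$base.key")
    case "$bits" in
        ''|*[!0-9]*)
            echo "warning: cannot read key size of $base.key" >&2
            return 0 ;;
    esac
    if [ "$bits" -lt "$MIN_BITS" ]; then
        rm -f "$base.key" "$base.pem"
    fi
}

# 'configure' branch: prune first, then decide on key presence, not on "$2".
postinst_configure() {
    remove_small_keys "$KEYDIR/dnssec_trigger_server"
    remove_small_keys "$KEYDIR/dnssec_trigger_control"
    if [ ! -e "$KEYDIR/dnssec_trigger_server.key" ] ||
       [ ! -e "$KEYDIR/dnssec_trigger_control.key" ]; then
        "$SETUP_CMD"
    fi
}

# Runs only when called the way dpkg calls a postinst.
if [ "${1:-}" = configure ]; then
    postinst_configure
fi
```

Setting KEYDIR to a scratch directory and SETUP_CMD to a stub lets the upgrade path be exercised without touching /etc.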
  
