Bug#606668: sbuild: shouldn't read gpg.conf when signing dummy archive key

Simon McVittie Fri, 10 Dec 2010 10:33:20 -0800

Package: sbuild
Version: 0.60.7-1
Severity: normal
Tags: patch

My gpg.conf sets up a non-default secret keyring in a location that sbuild
can't see. This causes signing of the dummy archive key to fail when using
the aptitude resolver (because --secret-keyring appears to have the semantics
of "add another secret keyring", not "replace the secret keyring", and gpg
refuses to run unless it can access all of its secret keyrings).


Please see attached patch, which makes the gpg run by sbuild not use ~/.gnupg
at all.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (101, 
'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sbuild depends on:
ii  adduser                       3.112+nmu2 add and remove users and groups
ii  libsbuild-perl                0.60.7-1   Tool for building Debian binary pa
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 
ii  perl-modules                  5.10.1-16  Core Perl modules

Versions of packages sbuild recommends:
ii  debootstrap                   1.0.26     Bootstrap a basic Debian system
ii  fakeroot                      1.14.5-1   Gives a fake root environment

Versions of packages sbuild suggests:
pn  deborphan                     <none>     (no description available)
ii  wget                          1.12-2.1   retrieves files from the web

-- no debconf information

From 386cd5530e2136575792287ca6e7424c42a9a913 Mon Sep 17 00:00:00 2001
From: Simon McVittie <[email protected]>
Date: Fri, 10 Dec 2010 18:25:41 +0000
Subject: [PATCH] Use gpg --homedir to avoid the user's gpg.conf completely

My gpg.conf uses a non-default secret keyring on a filesystem inaccessible
by sbuild, causing builds to fail.
---
 lib/Sbuild/ResolverBase.pm |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/lib/Sbuild/ResolverBase.pm b/lib/Sbuild/ResolverBase.pm
index 5973c41..d651bf5 100644
--- a/lib/Sbuild/ResolverBase.pm
+++ b/lib/Sbuild/ResolverBase.pm
@@ -614,6 +614,8 @@ EOF
     copy($self->get_conf('SBUILD_BUILD_DEPENDS_PUBLIC_KEY'), $dummy_archive_pubkey) unless
         (-f $dummy_archive_pubkey);
     my @gpg_command = ('gpg', '--yes', '--no-default-keyring',
+                       '--homedir',
+                       $session->strip_chroot_path($dummy_archive_dir),
                        '--secret-keyring',
                        $session->strip_chroot_path($dummy_archive_seckey),
                        '--keyring',
-- 
1.7.2.3

signature.asc
Description: Digital signature

Bug#606668: sbuild: shouldn't read gpg.conf when signing dummy archive key

Reply via email to