Package: multistrap
Version: 2.1.15
Severity: normal
Tags: patch

Multistrap imports keys only from the first processed keyring package when using
multiple sources with different keyring packages.

When using configuration like this:

[Debian]
source=http://ftp.debian.org/
keyring=debian-archive-keyring
suite=squeeze

[Emdebian]
source=http://www.emdebian.org/baked
keyring=emdebian-archive-keyring
suite=testing

multistrap correctly imports only the first keyring package
(debian-archive-keyring), and the import of the second one fails with the
following gpg error:

gpg: WARNING: unsafe permissions on homedir `/tmp/tree-root//etc/apt/trusted.gpg.d/'
gpg: 0: read expected rec type 1, got 153
gpg: fatal: /tmp/tree-root//etc/apt/trusted.gpg.d//trustdb.gpg: invalid trustdb


The root cause seems to be this line:

288:  system ("cp ${dir}/etc/apt/trusted.gpg.d/multistrap.gpg ${dir}/etc/apt/trusted.gpg.d/trustdb.gpg");

where the keyring file is used to replace trustdb.gpg. These files seem to have
different formats, and after trustdb.gpg is replaced, no other import can
succeed.

The attached patch seems to fix the issue.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages multistrap depends on:
ii  apt                           0.8.15.2   Advanced front-end for dpkg
ii  libconfig-auto-perl           0.36-1     magical config file parser
ii  libparse-debian-packages-perl 0.01-2     parse the data from a Debian Packa
ii  perl                          5.12.4-1   Larry Wall's Practical Extraction 

Versions of packages multistrap recommends:
ii  emdebian-archive-keyring      2.0.1      GnuPG archive keys for the emdebia

Versions of packages multistrap suggests:
ii  fakeroot                      1.16-1     tool for simulating superuser priv

-- no debconf information
---  multistrap_2.1.15  2011-06-15 22:20:00.000000000 +0200
+++  multistrap_2.1.15_modif    2011-07-27 09:29:17.049311244 +0200
@@ -280,15 +280,12 @@
                }
                foreach my $gpg (@files) {
                        next if ($gpg =~ /removed/);
-                       system ("gpg --no-default-keyring ".
+                       $retval = system ("gpg --no-default-keyring ".
                                "--homedir=${dir}/etc/apt/trusted.gpg.d/ ".
                                "--keyring=multistrap.gpg ".
-                               " --import ${xdir}/usr/share/keyrings/${gpg} 
2>/dev/null");
-                       if (-f "${dir}/etc/apt/trusted.gpg.d/multistrap.gpg") {
-                               system ("cp 
${dir}/etc/apt/trusted.gpg.d/multistrap.gpg 
${dir}/etc/apt/trusted.gpg.d/trustdb.gpg");
-                       } else {
-                               die (_g("Secure Apt handling failed - try 
without authentication."));
-                       }
+                               " --import ${xdir}/usr/share/keyrings/${gpg}");
+                       die (_g("Secure Apt handling failed - try without 
authentication."))
+                               if ( 0 != $retval );
                }
                system ("rm -rf ${xdir}");
        }
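
Review bot: In the "foreach my $gpg (@files)" loop, removing the cp of multistrap.gpg over trustdb.gpg leaves gpg's own trustdb.gpg sitting in ${dir}/etc/apt/trusted.gpg.d/, because --homedir still points at that directory (the path in the reported error shows gpg keeps it there). It is worth confirming that apt tolerates a non-keyring file in trusted.gpg.d, or pointing --homedir at a scratch directory and passing --keyring as a full path so that only multistrap.gpg lands in the target tree. Smaller points: $retval is assigned without a visible "my", so it needs a declaration in scope; the die fires before system ("rm -rf ${xdir}"), so the unpacked keyring directory is left behind on failure; and dropping 2>/dev/null means the "unsafe permissions on homedir" warning will now be printed for every import.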
