This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=5998b86523498f324036373357285a160e2b7027 commit 5998b86523498f324036373357285a160e2b7027 Author: Guillem Jover <[email protected]> AuthorDate: Thu Jun 5 00:56:37 2025 +0200 dpkg-source: Add new --no-vendor-certs extract option Make it possible to disable any vendor certificate, so that the caller can rely exclusively on certificates specifies via the new --signer-certs option. --- man/dpkg-source.pod | 6 ++++++ scripts/Dpkg/Source/Package.pm | 22 +++++++++++++++------- scripts/Dpkg/Source/Package/V1.pm | 1 + scripts/dpkg-source.pl | 4 ++++ 4 files changed, 26 insertions(+), 7 deletions(-) diff --git a/man/dpkg-source.pod b/man/dpkg-source.pod index 5ce73786b..43933dae7 100644 --- a/man/dpkg-source.pod +++ b/man/dpkg-source.pod @@ -315,6 +315,12 @@ Do not check signatures and checksums before unpacking (since dpkg 1.14.17). Do not overwrite the extraction directory if it already exists (since dpkg 1.18.8). +=item B<--no-vendor-certs> + +Do not use the vendor specific certificate keyrings. + +Supported since dpkg 1.23.0. + =item B<--signer-certs=>I<keyring> Use this I<keyring> containing signer certificates during signature diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm index dff2f29b8..d8b808259 100644 --- a/scripts/Dpkg/Source/Package.pm +++ b/scripts/Dpkg/Source/Package.pm @@ -198,6 +198,11 @@ specific for source packages using format "2.0" and "3.0 (quilt)". An array ref with a list of certificate keyrings to use for signature verification. +=item B<use_vendor_certs> + +If set to 0, the check_signature() method will not use vendor specific +keyrings, only user supplied ones. + =item B<require_valid_signature> If set to 1, the check_signature() method will be stricter and will error 
@@ -283,6 +288,7 @@ sub init_options { # Set default validation checks. $self->{options}{certs} //= []; + $self->{options}{use_vendor_certs} //= 1; $self->{options}{require_valid_signature} //= 0; $self->{options}{require_strong_checksums} //= 0; @@ -550,12 +556,14 @@ sub check_signature { } } - foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) { - if (-r $vendor_keyring) { - push @certs, $vendor_keyring; - info(g_('using keyring %s'), $vendor_keyring); - } else { - info(g_('skipping absent keyring %s'), $vendor_keyring); + if ($self->{options}{use_vendor_certs}) { + foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) { + if (-r $vendor_keyring) { + push @certs, $vendor_keyring; + info(g_('using keyring %s'), $vendor_keyring); + } else { + info(g_('skipping absent keyring %s'), $vendor_keyring); + } } } @@ -740,7 +748,7 @@ sub write_dsc { =head2 Version 2.04 (dpkg 1.23.0) -New options: certs in $p->check_checksums(). +New options: certs, use_vendor_certs in $p->check_checksums(). =head2 Version 2.03 (dpkg 1.22.7) diff --git a/scripts/Dpkg/Source/Package/V1.pm b/scripts/Dpkg/Source/Package/V1.pm index d5f6e1bb9..e53415cd9 100644 --- a/scripts/Dpkg/Source/Package/V1.pm +++ b/scripts/Dpkg/Source/Package/V1.pm @@ -77,6 +77,7 @@ sub init_options { # Set default validation checks. $self->{options}{certs} //= []; + $self->{options}{use_vendor_certs} //= 1; $self->{options}{require_valid_signature} //= 0; $self->{options}{require_strong_checksums} //= 0; diff --git a/scripts/dpkg-source.pl b/scripts/dpkg-source.pl index ef411c954..d78f4988a 100755 --- a/scripts/dpkg-source.pl +++ b/scripts/dpkg-source.pl @@ -69,6 +69,7 @@ my %options = ( copy_orig_tarballs => 1, no_check => 0, no_overwrite_dir => 1, + use_vendor_certs => 1, require_valid_signature => 0, require_strong_checksums => 0, certs => [], 
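Review bot: The new `if ($self->{options}{use_vendor_certs})` guard in check_signature() skips the vendor keyrings without logging anything, and nothing in the hunk handles the case where that leaves `@certs` empty, for example `--no-vendor-certs` given without `--signer-certs` (parsed in the dpkg-source.pl hunk). Because `require_valid_signature` defaults to 0, a verification that finds no usable certificate is presumably only reported rather than fatal, so a caller who meant to narrow trust could end up extracting an unverified package. check_signature() starts and ends outside the hunk, so this needs confirming against the verification call. I would add `} else { info(g_('not using vendor keyrings')); }` so the narrowed trust set shows up in the output, and consider erroring out when `use_vendor_certs` is 0 and `@certs` is empty. The lines that fill `@certs` before this hunk are also not visible; if they add any keyring other than the `certs` option, the "exclusively" in the commit message does not hold, and the `use_vendor_certs` POD should say which sources remain.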
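Review bot: The "Version 2.04" changes entry attributes the new options to `$p->check_checksums()`, while the `use_vendor_certs` item added earlier in this same file says it is check_signature() that honours it. The entry looks like it should read `New options: certs, use_vendor_certs in $p->check_signature().`, so that API users look at the right method when deciding which keyrings are trusted. The surrounding POD section continues outside the hunk.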
@@ -204,6 +205,8 @@ while (@options) { $options{no_check} = 1; } elsif (m/^--no-overwrite-dir$/) { $options{no_overwrite_dir} = 1; + } elsif (m/^--no-vendor-certs$/) { + $options{use_vendor_certs} = 0; } elsif (m/^--signer-certs=(.*)$/) { push @{$options{certs}}, $1; } elsif (m/^--require-valid-signature$/) { @@ -685,6 +688,7 @@ sub usage { --no-copy do not copy .orig tarballs --no-check do not check signature and checksums on extraction --no-overwrite-dir do not overwrite directory on extraction + --no-vendor-certs do not use vendor specific certificate keyrings --signer-certs=<keyring> use a signer certificates keyring --require-valid-signature abort if the package does not have a valid signature -- Dpkg.Org's dpkg

