summaryrefslogtreecommitdiff
path: root/scripts/build/bootstrap_archive-keys
blob: 2bec20db58d00fac7c4b1fbafc8844e9533e9778 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
#!/bin/sh

## live-build(7) - System Build Scripts
## Copyright (C) 2006-2014 Daniel Baumann <mail@daniel-baumann.ch>
##
## This program comes with ABSOLUTELY NO WARRANTY; for details see COPYING.
## This is free software, and you are welcome to redistribute it
## under certain conditions; see COPYING for details.


set -e

# Including common functions
[ -e "${LIVE_BUILD}/scripts/build.sh" ] && . "${LIVE_BUILD}/scripts/build.sh" || . /usr/lib/live/build.sh

# Setting static variables
DESCRIPTION="$(Echo 'bootstrap non-Debian archive-signing-keys')"
HELP=""
USAGE="${PROGRAM} [--force]"

Arguments "${@}"

# Reading configuration files
Read_conffiles config/all config/common config/bootstrap config/chroot config/binary config/source
Set_defaults

# TODO: allow verification against user-specified keyring
# For now, we'll only validate against debian-keyring

# TODO2: use chrooted validation rather than host system based one

case "${LB_MODE}" in
	progress-linux)
		case "${LB_DISTRIBUTION}" in
			artax*)
				_KEYS="1.0-artax 1.0-artax-packages"
				;;

			baureo*)
				_KEYS="2.0-baureo 2.0-baureo-packages"
				;;

			chairon*)
				_KEYS="3.0-chairon 3.0-chairon-packages"
				;;
		esac

		_URL="${LB_MIRROR_CHROOT}/project/keys"
		;;
esac

for _KEY in ${_KEYS}
do
	Echo_message "Fetching archive-key ${_KEY}..."

	wget -q "${_URL}/archive-key-${_KEY}.asc" -O chroot/key.asc
	wget -q "${_URL}/archive-key-${_KEY}.asc.sig" -O chroot/key.asc.sig

	if [ -e /usr/bin/gpgv ] && [ -e /usr/share/keyrings/debian-keyring.gpg ]
	then
		Echo_message "Verifying archive-key ${_KEY} against debian-keyring..."

		/usr/bin/gpgv --quiet --keyring /usr/share/keyrings/debian-keyring.gpg chroot/key.asc.sig chroot/key.asc > /dev/null 2>&1 || { Echo_error "archive-key ${_KEY} has invalid signature."; return 1;}
	else
		Echo_warning "Skipping archive-key ${_KEY} verification, either gpgv or debian-keyring not available on host system..."
	fi

	Echo_message "Importing archive-key ${_KEY}..."

	Chroot chroot "apt-key add key.asc"
	rm -f chroot/key.asc chroot/key.asc.sig
done

if [ -n "${LB_SNAPSHOT}" ]
then
	Chroot chroot "apt-get update -o Acquire::Check-Valid-Until=false"
else
	Chroot chroot "apt-get update"
fi

# Creating stage file
Create_stagefile .build/bootstrap_archive-keys