[buildd-tools-devel] Bug#607945: Bug#607945: Bug#607945: Bug#607945: sbuild: can haz I entropy?
Roger Leigh
rleigh at codelibre.net
Thu Dec 30 18:00:19 UTC 2010
tags 607945 + patch fixed-upstream pending
thanks
On Thu, Dec 30, 2010 at 05:39:26PM +0000, Roger Leigh wrote:
> On Thu, Dec 30, 2010 at 06:21:31PM +0100, Cyril Brulebois wrote:
> > Roger Leigh <rleigh at codelibre.net> (29/12/2010):
> > > This is a one-time only event. Once the key is generated (which you
> > > can do with "sbuild-update -k" on another system or outside a
> > > package build at your leisure) the same key will be used for all
> > > subsequent builds.
> >
> > One-time.. per host? Or per chroot?
>
> Per host. It's stored in /var/lib/sbuild/apt-keys .
Note that if there's a reason to do it per-chroot, we can do that. I
couldn't envisage any security issues in sharing this key between
chroots, but if there are it's a simple change.
> Also, as discussed on IRC, we will solve this by bailing out with an
> error when the key is absent. This will require the user to generate
> a key.
Fixed in commit fb790792. Is this OK for you?
Regards,
Roger
commit fb790792a9433d469fa808f6613bdc0bf1f3ee21
Author: Roger Leigh <rleigh at debian.org>
Date: Thu Dec 30 17:53:15 2010 +0000
Sbuild::ResolverBase: Don't automatically generate archive signing key
If the local archive signing key is not present, do not automatically
generate it. This can cause issues on systems with scarce entropy.
Print an error message plus instructions on how to generate the key.
diff --git a/lib/Sbuild/ResolverBase.pm b/lib/Sbuild/ResolverBase.pm
index ca2052b..16a6356 100644
--- a/lib/Sbuild/ResolverBase.pm
+++ b/lib/Sbuild/ResolverBase.pm
@@ -758,17 +758,15 @@ sub generate_keys {
return 1;
}
- my $host = $self->get('Host');
-
- $self->log("Generating GPG local archive signing key...\n");
- if (Sbuild::ChrootSetup::generate_keys($host, $self->get('Config'))) {
- # Since apt-distupgrade was requested specifically, fail on
- # error when not in buildd mode.
- $self->log("Generating gpg keys failed\n");
- return 0;
- }
-
- return 1;
+ $self->log_error("Local archive GPG signing key not found\n");
+ $self->log_info("Please generate a key with 'sbuild-update --keygen'\n");
+ $self->log_info("Note that on machines with scarce entropy, you may wish ".
+ "to generate the key with this command on another machine ".
+ "and copy the public and private keypair to '" .
+ $self->get_conf('SBUILD_BUILD_DEPENDS_PUBLIC_KEY')
+ ."' and '".
+ $self->get_conf('SBUILD_BUILD_DEPENDS_SECRET_KEY') ."'\n");
+ return 0;
}
# Function that runs apt-ftparchive
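Review bot: At the end of generate_keys, the sub now never generates a key and always returns 0 once the key is found to be missing, so the name no longer describes what it does; consider renaming it or adding a comment above the sub stating that it only checks for the key and reports how to create one. The new log_info text also instructs the user to copy the secret key from another machine to the path in SBUILD_BUILD_DEPENDS_SECRET_KEY, and it would be worth adding a short reminder there to keep that file's ownership and permissions restrictive after copying, since the message is the only guidance the user gets at this point.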
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.