From b72649b4cac635e91a1ea2028c36f4688808894c Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor
Date: Thu, 3 Mar 2016 17:57:46 +0100
Subject: overhaul/simplify keyring package
---
 README | 19 -------------------
 debian/changelog | 8 ++++++++
 debian/compat | 1 +
 debian/control | 25 +++++++++++++++---------
 debian/copyright | 7 ++++---
 debian/install | 1 +
 debian/postinst | 8 --------
 debian/preinst | 21 ++++++++++++++++++++
 debian/prerm | 12 ------------
 debian/rules | 58 ++------------------------------------------------------
 10 files changed, 53 insertions(+), 107 deletions(-)
 delete mode 100644 README
 create mode 100644 debian/compat
 create mode 100644 debian/install
 delete mode 100644 debian/postinst
 create mode 100755 debian/preinst
 delete mode 100644 debian/prerm
diff --git a/README b/README
deleted file mode 100644
index 5d55c43..0000000
--- a/README
+++ /dev/null
@@ -1,19 +0,0 @@
-Introduction
-------------
-
-LEAP signs its Debian archive Release files that are stored on
-deb.leap.se with the archive signing key contained in this package.
-
-A quick overview about this package:
-* This keyrings are used by "apt" versions 0.6 and later. They
- will be used with the apt-key command.
-* Normally (i.e. if the apt-key binary is found), the keys contained in
- the debian-archive-keyring package will be automatically installed into
- apt's trusted keyring by the package's postinst script and keys that are
- in the debian-archive-keyring-removed will be automatically removed.
-* If the automatic installation of the keys fails, then the user can run
- "apt-key update" manually.
-
-More information about the archive authentication feature can be found
-here: http://wiki.debian.org/SecureApt
-
diff --git a/debian/changelog b/debian/changelog
index 54ed1d4..9d8a817 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@ +leap-archive-keyring (2016.03.03) unstable; urgency=medium + + * convert to debhelper + * avoid the use of flakey "apt-key del" upon package removal. + * rename package to leap-archive-keyring + + -- Daniel Kahn Gillmor Thu, 03 Mar 2016 17:44:00 +0100 + leap-keyring (2015.02.26) unstable; urgency=medium * Update key expiration date to expire in 2 years diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..ec63514 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +9 diff --git a/debian/control b/debian/control index 67d98c5..8cd9b95 100644 --- a/debian/control +++ b/debian/control @@ -1,14 +1,21 @@ -Source: leap-keyring -Priority: important +Source: leap-archive-keyring +Priority: extra Section: misc Maintainer: Micah Anderson -Standards-Version: 3.9.6 +Standards-Version: 3.9.7 Uploaders: Micah Anderson +Build-Depends: debhelper (>= 9) +Vcs-Git: https://leap.se/git/leap-keyring.git +Vcs-Browser: https://leap.se/git/leap-keyring.git -Package: leap-keyring +Package: leap-archive-keyring +Priority: extra Architecture: all -Depends: gnupg (>= 1.0.6-4) -Description: GnuPG archive key of the leap.se repository - The riseup repository digitally signs its Release files. This package - contains the repository key and will be automatically installed into - the apt-key list on the system when installed. +Provides: leap-keyring +Conflicts: leap-keyring +Replaces: leap-keyring +Depends: ${misc:Depends} +Description: OpenPGP archive key for the leap.se software repositories + The leap.se software repositories digitally sign their Release + files. This package contains the repository keys used to verify those + files. diff --git a/debian/copyright b/debian/copyright index ca9a282..cb82ca3 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,8 +1,10 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: leap-archive-keyring +Source: https://leap.se/git/leap-keyring.git +Upstream-Contact: Micah Anderson Files: * -Copyright: 2006 Michael Vogt , 2013-2015 LEAP Encryption Access Project -Comment: This is leap.se's GnuPG keyrings of archive keys. This package was originally put together by Michael Vogt based on the debian-keyring package maintained by James Troup. It was adapted to backports.org by Alexander Wirt and for leap.se by Micah Anderson +Copyright: 2013-2016 LEAP Encryption Access Project License: GPL-3+ This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -19,4 +21,3 @@ License: GPL-3+ . On Debian GNU/Linux systems, the complete text of the GNU General Public License version 3 can be found in /usr/share/common-licenses/GPL-3. - diff --git a/debian/install b/debian/install new file mode 100644 index 0000000..e577cfc --- /dev/null +++ b/debian/install @@ -0,0 +1 @@ +keyrings/*.gpg etc/apt/trusted.gpg.d diff --git a/debian/postinst b/debian/postinst deleted file mode 100644 index ebe1959..0000000 --- a/debian/postinst +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -set -e - -if which apt-key > /dev/null; then - apt-key add /usr/share/keyrings/leap-keyring.gpg - apt-key add /usr/share/keyrings/leap-experimental-keyring.gpg -fi diff --git a/debian/preinst b/debian/preinst new file mode 100755 index 0000000..7524ff8 --- /dev/null +++ b/debian/preinst 
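Review bot: The new debian/install line `keyrings/*.gpg etc/apt/trusted.gpg.d` makes every keyring matched by the glob a trust anchor for all APT sources on the machine, not only for the leap.se repository, and it gives no explicit list of which keys the package ships. Because debhelper registers files installed under /etc as conffiles, a plain remove (without purge) will likely leave these keyrings in place and still trusted, which matters now that the prerm cleanup is deleted in this same commit. Consider naming the keyring files explicitly instead of globbing. Where the targeted apt versions support it, installing them under `usr/share/keyrings` and pointing the sources entry at them with `signed-by` would scope the trust to the leap.se archive.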
@@ -0,0 +1,21 @@
+#!/bin/sh -e
+
+# cleanup keys from the old /etc/apt/trusted.gpg, because it was not
+# properly cleaned up by previous versions of leap-keyring.
+
+# we could try to limit this cleanup to just upgrade moving from
+# versions before 2016.03.03, but due to the package rename and the
+# possibility of someone having purged the old package before
+# installing this new one, it's better to do it unconditionally.
+
+# another way of looking at this is that the installation of this
+# package will ensure that the keys in question don't show up in two
+# keyrings at once.
+
+if [ -e /etc/apt/trusted.gpg ] && which gpg >/dev/null; then
+ # remove the version of the keys that were shipped in leap-keyring before version 2016.03.03:
+ gpg --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg --delete-key 0x1E453B2CE87BEE2F7DFE99661E34A1828E207901 || true
+ gpg --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg --delete-key 0xCE433F407BAB443AFEA196C1837C1AD5367429D9 || true
+fi
+
+#DEBHELPER#
diff --git a/debian/prerm b/debian/prerm
deleted file mode 100644
index 7548411..0000000
--- a/debian/prerm
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-set -e
-
-case "$1" in
- remove|purge)
- if which apt-key > /dev/null; then
- apt-key del 0x1E34A1828E207901
- apt-key del 0x837C1AD5367429D9
- fi
- ;;
-esac
diff --git a/debian/rules b/debian/rules
index cec1191..cbe925d 100755
--- a/debian/rules
+++ b/debian/rules
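Review bot: The key cleanup in the new debian/preinst can be skipped or fail without any trace. The block is bypassed entirely when `gpg` is not installed (this commit also drops `Depends: gnupg` from debian/control). The `|| true` is needed for the normal case where a key is absent, but it hides every other `--delete-key` failure too. When that happens the old copies of both keys stay trusted in /etc/apt/trusted.gpg, so the stated goal of one keyring per key is not met and removing the package later would not withdraw trust in them. I would print a warning to stderr when /etc/apt/trusted.gpg exists but gpg is unavailable, and test for the tool with `command -v gpg >/dev/null` rather than `which`. It may also be worth passing `--homedir` with a temporary directory so that gpg, run as root here, does not touch root's own GnuPG home; I have not verified how the gpg versions in scope behave without it.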
@@ -1,57 +1,3 @@ #!/usr/bin/make -f -# debian/rules file - for debian/keyring - -install_dir=install -d -m 755 -install_file=install -m 644 -install_script=install -m 755 -install_binary=install -m 755 -s - -VERSION := $(shell dpkg-parsechangelog | grep ^Version: | cut -d' ' -f2) - -build: -build-arch: build -build-indep: build - -clean: - $(checkdir) - -rm -f foo foo.asc *.bak *~ */*~ debian/files* debian/*substvars - -rm -rf debian/tmp - -binary-indep: checkroot - $(checkdir) - -rm -rf debian/tmp - $(install_dir) debian/tmp/DEBIAN/ - $(install_script) debian/postinst debian/tmp/DEBIAN/ - $(install_script) debian/prerm debian/tmp/DEBIAN/ - - $(install_dir) debian/tmp/usr/share/keyrings/ - $(install_file) keyrings/leap-keyring.gpg debian/tmp/usr/share/keyrings/ - $(install_file) keyrings/leap-experimental-keyring.gpg debian/tmp/usr/share/keyrings/ - - $(install_dir) debian/tmp/usr/share/doc/leap-keyring/ - $(install_file) README debian/tmp/usr/share/doc/leap-keyring/ - $(install_file) debian/changelog debian/tmp/usr/share/doc/leap-keyring/changelog - $(install_file) debian/copyright debian/tmp/usr/share/doc/leap-keyring/ - gzip -9vn debian/tmp/usr/share/doc/leap-keyring/changelog - gzip -9vn debian/tmp/usr/share/doc/leap-keyring/README - - cd debian/tmp && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | xargs -r0 md5sum > DEBIAN/md5sums - cd debian/tmp && find . -type f ! -regex '.*DEBIAN/.*' -printf '%P\0' | xargs -r0 sha256sum > DEBIAN/sha256sums - dpkg-gencontrol -pleap-keyring -isp - chown -R root.root debian/tmp - chmod -R go=rX debian/tmp - dpkg --build debian/tmp .. - -define checkdir - test -f keyrings/leap-keyring.gpg -endef - -# Below here is fairly generic really - -binary: binary-indep - -checkroot: - $(checkdir) - test root = "`whoami`" - -.PHONY: binary binary-arch binary-indep clean checkroot +%: + dh $@ -- cgit v1.2.3