[buildd-tools-devel] Bug#837188: Bug#837188: sbuild: Signing the dummy release file and SBUILD_BUILD_DEPENDS_{SECRET|PUBLIC}_KEY seem deprecated

Johannes Schauer josch at debian.org
Fri Sep 9 22:19:02 UTC 2016


Hi,

Quoting Guilhem Moulin (2016-09-10 00:04:19)
> #833547/#834898 have been fixed by adding a call to ‘gpgconf --kill
> gpg-agent’.  I was wondering whether access to private key material from
> inside the chroot is required at all?  Sbuild::ResolverBase reads
> 
>     # Sign the release file
>     # This will only be done if the sbuild keys are present.
>     # Once squeeze is not supported anymore, we want to never sign the
>     # dummy repository anymore but instead make use of apt's support for
>     # [trusted=yes] in wheezy and later.
>     # On hosts that include apt 1.3~exp1 or newer (Debian squeeze or later)
>     # the gnupg package will no longer be installed because apt doesn't depend
>     # on it anymore.
> 
> After installing sbuild on sid, the directory ‘/var/lib/sbuild/apt-keys’
> is left empty, thus sbuild doesn't sign the dummy Release file and apt
> trusts it regardless thanks to the [trusted=yes] option.
> 
> However when *upgrading* sbuild from an older version, the key pair
> ‘/var/lib/sbuild/apt-keys/sbuild-key.{pub,sec}’, which was created for
> compatibility with apt <1.3~exp1, is still used for signing the Release
> file.  This code path seems obsolete to me as squeeze reached end of LTS
> in February 2016.  Furthermore since signing the dummy Release file is
> AFAICT currently the only reason why sbuild requires access to private
> key material (hence spawns a gpg-agent(1) process with GnuPG 2.1.x) from
> inside the chroot, removing ‘/var/lib/sbuild/apt-keys’ and
> ‘SBUILD_BUILD_DEPENDS_{SECRET|PUBLIC}_KEY’ should also remove the need
> for the ‘gpgconf --kill gpg-agent’ workaround.

I do not see any bug here. You are just describing the current situation.
Please describe the problem you are experiencing.

Thanks!

cheers, josch
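
The situation described in the quoted report can be checked on a host with a short script. This is an added example, not part of the original message or of sbuild; the function names are hypothetical, and it assumes, per the quoted source comment, that the legacy signing path is taken when both key files named in the report are present.

```shell
#!/bin/sh
# Added example (not sbuild code): classify the sbuild apt-keys directory.
# The paths are the ones named in the quoted report; the function names
# are hypothetical.

# Prints one of:
#   trusted-only    no key files; apt relies on [trusted=yes]
#   legacy-signing  both key files present and non-empty; the dummy Release
#                   file is signed, which needs the private key in the chroot
#   partial         some key file exists, but one is missing or empty
sbuild_key_state() {
    dir=${1:-/var/lib/sbuild/apt-keys}
    pub="$dir/sbuild-key.pub"
    sec="$dir/sbuild-key.sec"
    if [ -s "$pub" ] && [ -s "$sec" ]; then
        echo legacy-signing
    elif [ -e "$pub" ] || [ -e "$sec" ]; then
        echo partial
    else
        echo trusted-only
    fi
}

# Human-readable summary for one directory.
sbuild_key_report() {
    dir=${1:-/var/lib/sbuild/apt-keys}
    case $(sbuild_key_state "$dir") in
        legacy-signing)
            echo "$dir: key pair present, Release file will be signed" ;;
        partial)
            echo "$dir: incomplete key pair, inspect manually" ;;
        trusted-only)
            echo "$dir: no keys, apt uses [trusted=yes]" ;;
    esac
}

sbuild_key_report "${1:-/var/lib/sbuild/apt-keys}"
```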