[elbe-devel] [PATCH] debinstaller: Do not verify Release file for noauth

Torben Hohn torben.hohn at linutronix.de
Mon Jul 12 14:12:08 CEST 2021 

On Fri, Jul 09, 2021 at 05:05:27PM +0200, bage at linutronix.de wrote:
> From: Bastian Germann <bage at linutronix.de>
> 
> Regardless of a <noauth/> in the <initvm> section, Elbe downloads
> Release.gpg and verifies it.  Stop doing that with <noauth/>.
> 
> Signed-off-by: Bastian Germann <bage at linutronix.de>

Reviewed-by: Torben Hohn <torben.hohn at linutronix.de> 

> ---
>  elbepack/debinstaller.py | 17 +++++++----------
>  1 file changed, 7 insertions(+), 10 deletions(-)
> 
> diff --git a/elbepack/debinstaller.py b/elbepack/debinstaller.py
> index d880e5e34..1e42bc283 100644
> --- a/elbepack/debinstaller.py
> +++ b/elbepack/debinstaller.py
> @@ -109,7 +109,7 @@ def download(url, local_fname):
>          raise NoKinitrdException('Failed to download %s' % url)
>  
>  
> -def download_release(tmp, base_url):
> +def verify_release(tmp, base_url):
>  
>      # setup gpg context, for verifying
>      # the Release.gpg signature.
> @@ -118,10 +118,6 @@ def download_release(tmp, base_url):
>                        None,
>                        tmp.fname('/'))
>  
> -    # download the Relase file to a tmp file,
> -    # because we need it 2 times
> -    download(base_url + "Release", tmp.fname('Release'))
> -
>      # validate signature.
>      # open downloaded plaintext file, and
>      # use the urlopen object of the Release.gpg
> @@ -149,16 +145,17 @@ def download_release(tmp, base_url):
>          sig.close()
>  
>  
> -def download_kinitrd(tmp, suite, mirror):
> +def download_kinitrd(tmp, suite, mirror, skip_signature=False):
>      base_url = "%s/dists/%s/" % (
>          mirror.replace("LOCALMACHINE", "localhost"), suite)
>      installer_path = "main/installer-amd64/current/images/"
>  
>      setup_apt_keyring(tmp.fname('/'), 'pubring.gpg')
>  
> -    # download release file and check
> -    # signature
> -    download_release(tmp, base_url)
> +    # download release file
> +    download(base_url + "Release", tmp.fname('Release'))
> +    if not skip_signature:
> +        verify_release(tmp, base_url)
>  
>      # parse Release file, and remember hashvalues
>      # we are interested in
> @@ -220,7 +217,7 @@ def copy_kinitrd(prj, target_dir):
>                       os.path.join(target_dir, "initrd.gz"))
>          else:
>              mirror = get_primary_mirror(prj)
> -            download_kinitrd(tmp, suite, mirror)
> +            download_kinitrd(tmp, suite, mirror, prj.has("noauth"))
>  
>              copyfile(tmp.fname("initrd.gz"),
>                       os.path.join(target_dir, "initrd.gz"))
> -- 
> 2.30.2
> 
> _______________________________________________
> elbe-devel mailing list
> elbe-devel at linutronix.de
> https://lists.linutronix.de/mailman/listinfo/elbe-devel

-- 
Torben Hohn
Linutronix GmbH | Bahnhofstrasse 3 | D-88690 Uhldingen-Mühlhofen
Phone: +49 7556 25 999 18; Fax.: +49 7556 25 999 99

Hinweise zum Datenschutz finden Sie hier (Informations on data privacy 
can be found here): https://linutronix.de/kontakt/Datenschutz.php

Linutronix GmbH | Firmensitz (Registered Office): Uhldingen-Mühlhofen | 
Registergericht (Registration Court): Amtsgericht Freiburg i.Br., HRB700 
806 | Geschäftsführer (Managing Directors): Heinz Egger, Thomas Gleixner

More information about the elbe-devel mailing list