check keyrings by default, when possible

* Recommend debian-archive-keyring, and if it is installed, default to checking gpg signatures of the Release file against it when bootstrapping sid, squeeze, wheezy, etch, and lenny. Closes: #560038 * Add --no-check-gpg option that can be used to disable release file verification. * Needs base-installer 1.117.
author: Joey Hess <joey@kitenet.net> 2011-03-25 14:23:24 -0400
committer: Joey Hess <joey@kitenet.net> 2011-03-25 14:23:24 -0400
commit: a83170288740003d23968f8107d1ad32e0dc0452 (patch)
tree: 12e67976eba33f4a8446b95c7fbc043780ec2a09 /functions
parent: e5c267d5b0d0e153ba6a72eb56e7e76ada15edbc (diff)
download: debootstrap-a83170288740003d23968f8107d1ad32e0dc0452.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/functions b/functions
index 8b8c889..99e34c5 100644
--- a/functions
+++ b/functions
@@ -191,6 +191,12 @@ download_style () {
 	esac
 }
 
+keyring () {
+	if [ -z "$KEYRING" ] && [ -e "$1" ]; then
+		KEYRING="$1"
+	fi
+}
+
 ########################################################## variant handling
 
 doing_variant () {
@@ -456,7 +462,7 @@ download_release_sig () {
 	local reldest="$2"
 	local relsigdest="$TARGET/$($DLDEST rel "$SUITE" "$m1" "dists/$SUITE/Release.gpg")"
 
-	if [ -n "$KEYRING" ]; then
+	if [ -n "$KEYRING" ] && [ -z "$DISABLE_KEYRING" ]; then
 		progress 0 100 DOWNRELSIG "Downloading Release file signature"
 		progress_next 50
 		get "$m1/dists/$SUITE/Release.gpg" "$relsigdest" nocache ||
author	Joey Hess <joey@kitenet.net>	2011-03-25 14:23:24 -0400
committer	Joey Hess <joey@kitenet.net>	2011-03-25 14:23:24 -0400
commit	a83170288740003d23968f8107d1ad32e0dc0452 (patch)
tree	12e67976eba33f4a8446b95c7fbc043780ec2a09 /functions
parent	e5c267d5b0d0e153ba6a72eb56e7e76ada15edbc (diff)
download	debootstrap-a83170288740003d23968f8107d1ad32e0dc0452.tar.gz