* added Debian Archive keyring

* added questions to user about keyring differences/trust
* added documentation notes about the Debian Archive keyring
master
gdm85 10 years ago
parent 0593a6b372
commit a3d8d7c755

@ -14,11 +14,16 @@ Preamble
It is **necessary** that before you using these scripts you read them and understand what they do.
Why? Because your goal is to create a gitian build (deterministic) that has not been tampered with, thus trust shall be correctly attributed during your process.
For example, in this repository I provide the [Debian Archive keyring](../keyrings/debian-archive-keyring.gpg) that is used for the original debootstrap,
however you **must** verify its authenticity and that it is exactly [as provided officially by Debian](https://packages.debian.org/wheezy/all/debian-archive-keyring/download)
in order to continue using a trusted chain of systems.
See also:
- https://gitian.org/
- https://en.wikipedia.org/wiki/Web_of_trust
- http://www.dwheeler.com/trusting-trust/
- https://www.debian.org/
- https://wiki.debian.org/SecureApt
- https://www.docker.io/
- http://www.ubuntu.com/
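Review bot: the new Preamble paragraph tells the reader they **must** verify the bundled keyring but does not say how, and the link it points to is the download page for the wheezy debian-archive-keyring .deb rather than a list of key fingerprints, so the reader has nothing concrete to compare against. Suggest stating the check in the README, for example that the file should be byte-identical to /usr/share/keyrings/debian-archive-keyring.gpg from an installed debian-archive-keyring package of the same version (the path the build script itself compares against), or listing the fingerprints with `gpg --no-default-keyring --keyring ../keyrings/debian-archive-keyring.gpg --list-keys --with-fingerprint` and comparing them with the fingerprints published by Debian. A vendored keyring also goes stale as Debian rotates archive keys, so the package version it was taken from should be recorded next to it. Minor: "before you using these scripts" should read "before using these scripts".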

@ -23,10 +23,12 @@ function ext_partition() {
loop=`sudo kpartx -av $OUT.raw|sed -n '/loop.p1/{s/.*loop\(.\)p1.*/\1/;p}'`
sudo cp --sparse=always /dev/mapper/loop${loop}p1 $OUT
sudo chown $USER $OUT
## following 2 lines are a sloppy hack to an unknown problem with kpartx
sudo sync
sleep 5
## these are silenced because if former fails, second doesn't and viceversa
sudo kpartx -d /dev/loop$loop 2>/dev/null
sudo rm /dev/mapper/loop${loop}p1
sudo rm /dev/mapper/loop${loop}p1 2>/dev/null
rm -f $OUT.raw
}
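Review bot: the added `2>/dev/null` on `sudo rm /dev/mapper/loop${loop}p1`, together with the one already on `kpartx -d`, hides any real failure to tear down the mapping, and the `## sloppy hack` comment with `sync; sleep 5` shows the underlying race is still not understood. Rather than silencing both commands, check whether the mapping is actually gone before continuing, e.g. `sudo kpartx -d /dev/loop$loop; [ -e /dev/mapper/loop${loop}p1 ] && echo "stale mapping loop${loop}p1" 1>&2`, so a leaked loop device is reported instead of being left on the host; note that `rm` only deletes the node under /dev/mapper, whereas `dmsetup remove loop${loop}p1` removes the device-mapper mapping itself. Also `$OUT` and `$OUT.raw` are unquoted throughout the function and will break on paths containing spaces.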

@ -5,26 +5,59 @@
## build a base Debian Wheezy
#
BASENAME=$(dirname $(readlink -m $0))
## the distro we are going to use
DISTNAME=wheezy
DEBIAN_REPO=http://ftp.debian.org/debian
if [ ! $UID -eq 0 ]; then
echo "This script can only be run as root" 1>&2
exit
exit 1
fi
## install prerequisites
## NOTE: may fail on non-Ubuntu/Debian systems
if ! type -P debootstrap; then
if ! type -P debootstrap >/dev/null; then
apt-get install debootstrap -y || exit $?
fi
## check about the Debian archive keyring
DEFK=/usr/share/keyrings/debian-archive-keyring.gpg
KEYRING=$BASENAME/../keyrings/debian-archive-keyring.gpg
if [ -s $DEFK ]; then
if ! diff $DEFK $KEYRING; then
ANSWER=
while [[ "$ANSWER" != "Y" && "$ANSWER" != "n" ]]; do
echo -n "The Debian Archive keyring in your system ($DEFK) that will be used to debootstrap is different from the reference provided keyring. Continue? (Y/n) "
read -r ANSWER || exit $?
done
if [[ "$ANSWER" == "n" ]]; then
exit 1
fi
## use system's keyring, even if different than provided one
## this is a no-issue only in case the system's keyring is more recent than the provided one
KEYRING=$DEFK
fi
else
ANSWER=
while [[ "$ANSWER" != "Y" && "$ANSWER" != "n" ]]; do
echo -n "Your system comes with no Debian Archive keyring in $DEFK that is necessary for debootstrap. Use reference provided keyring? (Y/n) "
read -r ANSWER || exit $?
done
if [[ "$ANSWER" == "n" ]]; then
exit 1
fi
fi
echo "Will use $KEYRING"
exit 0
## NOTE: a temporary directory under /tmp is not used because can't be mounted dev/exec
mkdir $DISTNAME || exit $?
TMPDIR=$PWD/$DISTNAME
debootstrap $DISTNAME $DISTNAME $DEBIAN_REPO && \
debootstrap --keyring=$KEYRING $DISTNAME $DISTNAME $DEBIAN_REPO && \
cd $DISTNAME && \
tar -c . | docker import - gdm85/$DISTNAME
RV=$?
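Review bot: the `exit 0` directly after `echo "Will use $KEYRING"` terminates the script before `mkdir $DISTNAME` and the new `debootstrap --keyring=$KEYRING ...` call are reached, so as committed the script never builds the base image; this looks like a debugging leftover and should be removed. Two smaller points on the keyring prompts: the `while` loops accept only a literal `Y` or `n`, so pressing Enter (the usual way to take the `(Y/n)` default) loops forever, and when `diff` reports the keyrings differ the user is asked "Continue?" with nothing to base the decision on, while the comment itself admits the script cannot tell whether the system keyring is the newer one. Suggest printing the key fingerprints of both files before the prompt (`gpg --no-default-keyring --keyring "$DEFK" --list-keys --with-fingerprint`, likewise for `$KEYRING`), treating an empty answer as `Y`, and quoting `$DEFK`/`$KEYRING` since `$BASENAME` is derived from the script's path. Finally, the `else` branch uses the repository's own keyring without any check although the Preamble says it must be verified; comparing its `sha256sum` against a pinned value recorded in the repository would enforce that rather than leave it to the reader.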

@ -37,7 +37,7 @@ echo "Now building base VMs" && \
IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' $CID) && \
wait_for_ssh $IP 10 && \
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no debian@$IP ./build-base-vms.sh && \
docker stop $CID && \
docker kill $CID && \
docker commit $CID gdm85/gitian-host-vms && \
docker rm $CID && \
echo "Gitian host images created successfully!" && \
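Review bot: replacing `docker stop $CID` with `docker kill $CID` sends SIGKILL to the container, so the build-base-vms.sh run that just finished over ssh gets no orderly shutdown and the image committed on the next line may carry partially flushed state; if `docker stop` was dropped because the container's init ignores SIGTERM and the default timeout was too slow, `docker stop -t <seconds>` with a short timeout still gives a clean shutdown before the kill. Unrelated to this change but visible in the context: the ssh invocation disables host-key verification with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`; for a container reached over the local docker bridge this is a small exposure, but given the Preamble's emphasis on the trust chain it deserves a comment stating why it is acceptable here.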
