]>
Commit | Line | Data |
---|---|---|
da6ee469 JF |
1 | #!/bin/sh |
2 | ||
3 | set -e | |
00ec24d0 | 4 | unset GREP_OPTIONS |
da6ee469 JF |
5 | |
6 | # We don't use a secret keyring, of course, but gpg panics and | |
7 | # implodes if there isn't one available | |
8 | ||
00ec24d0 | 9 | GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg" |
da6ee469 JF |
10 | GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg" |
11 | ||
12 | ||
00ec24d0 JF |
13 | MASTER_KEYRING="" |
14 | ARCHIVE_KEYRING_URI="" | |
15 | #MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg | |
16 | #ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg | |
17 | ||
da6ee469 JF |
18 | ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg |
19 | REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg | |
20 | ||
00ec24d0 JF |
21 | add_keys_with_verify_against_master_keyring() { |
22 | ADD_KEYRING=$1 | |
23 | MASTER=$2 | |
24 | ||
25 | if [ ! -f "$ADD_KEYRING" ]; then | |
26 | echo "ERROR: '$ADD_KEYRING' not found" | |
27 | return | |
28 | fi | |
29 | if [ ! -f "$MASTER" ]; then | |
30 | echo "ERROR: '$MASTER' not found" | |
31 | return | |
32 | fi | |
33 | ||
34 | # when adding new keys, make sure that the archive-master-keyring | |
35 | # is honored. so: | |
36 | # all keys that are exported must have a valid signature | |
37 | # from a key in the $distro-master-keyring | |
38 | add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
39 | master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
40 | for add_key in $add_keys; do | |
41 | ADDED=0 | |
42 | for master_key in $master_keys; do | |
43 | if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then | |
44 | $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import | |
45 | ADDED=1 | |
46 | fi | |
47 | done | |
48 | if [ $ADDED = 0 ]; then | |
49 | echo >&2 "Key '$add_key' not added. It is not signed with a master key" | |
50 | fi | |
51 | done | |
52 | } | |
53 | ||
54 | # update the current archive signing keyring from a network URI | |
55 | # the archive-keyring keys needs to be signed with the master key | |
56 | # (otherwise it does not make sense from a security POV) | |
57 | net_update() { | |
58 | if [ -z "$ARCHIVE_KEYRING_URI" ]; then | |
59 | echo "ERROR: no location for the archive-keyring given" | |
60 | fi | |
61 | if [ ! -d /var/lib/apt/keyrings ]; then | |
62 | mkdir -p /var/lib/apt/keyrings | |
63 | fi | |
64 | keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) | |
65 | old_mtime=0 | |
66 | if [ -e $keyring ]; then | |
67 | old_mtime=$(stat -c %Y $keyring) | |
68 | fi | |
69 | (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) | |
70 | if [ ! -e $keyring ]; then | |
71 | return | |
72 | fi | |
73 | new_mtime=$(stat -c %Y $keyring) | |
74 | if [ $new_mtime -ne $old_mtime ]; then | |
75 | echo "Checking for new archive signing keys now" | |
76 | add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING | |
77 | fi | |
78 | } | |
da6ee469 JF |
79 | |
80 | update() { | |
81 | if [ ! -f $ARCHIVE_KEYRING ]; then | |
82 | echo >&2 "ERROR: Can't find the archive-keyring" | |
83 | echo >&2 "Is the debian-archive-keyring package installed?" | |
84 | exit 1 | |
85 | fi | |
86 | ||
00ec24d0 JF |
87 | # add new keys from the package; |
88 | ||
89 | # we do not use add_keys_with_verify_against_master_keyring here, | |
90 | # because "update" is run on regular package updates. A | |
91 | # attacker might as well replace the master-archive-keyring file | |
92 | # in the package and add his own keys. so this check wouldn't | |
93 | # add any security. we *need* this check on net-update though | |
94 | $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import | |
da6ee469 | 95 | |
00ec24d0 | 96 | # remove no-longer supported/used keys |
da6ee469 JF |
97 | keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` |
98 | for key in $keys; do | |
99 | if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then | |
100 | $GPG --quiet --batch --delete-key --yes ${key} | |
101 | fi | |
102 | done | |
103 | } | |
104 | ||
00ec24d0 | 105 | |
da6ee469 JF |
106 | usage() { |
107 | echo "Usage: apt-key [command] [arguments]" | |
108 | echo | |
109 | echo "Manage apt's list of trusted keys" | |
110 | echo | |
111 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
112 | echo " apt-key del <keyid> - remove the key <keyid>" | |
00ec24d0 JF |
113 | echo " apt-key export <keyid> - output the key <keyid>" |
114 | echo " apt-key exportall - output all trusted keys" | |
da6ee469 | 115 | echo " apt-key update - update keys using the keyring package" |
00ec24d0 | 116 | echo " apt-key net-update - update keys using the network" |
da6ee469 | 117 | echo " apt-key list - list keys" |
00ec24d0 JF |
118 | echo " apt-key finger - list fingerprints" |
119 | echo " apt-key adv - pass advanced options to gpg (download key)" | |
da6ee469 JF |
120 | echo |
121 | } | |
122 | ||
123 | command="$1" | |
124 | if [ -z "$command" ]; then | |
125 | usage | |
126 | exit 1 | |
127 | fi | |
128 | shift | |
129 | ||
130 | if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then | |
131 | echo >&2 "Warning: gnupg does not seem to be installed." | |
132 | echo >&2 "Warning: apt-key requires gnupg for most operations." | |
133 | echo >&2 | |
134 | fi | |
135 | ||
136 | case "$command" in | |
137 | add) | |
138 | $GPG --quiet --batch --import "$1" | |
139 | echo "OK" | |
140 | ;; | |
141 | del|rm|remove) | |
142 | $GPG --quiet --batch --delete-key --yes "$1" | |
143 | echo "OK" | |
144 | ;; | |
145 | update) | |
146 | update | |
147 | ;; | |
00ec24d0 JF |
148 | net-update) |
149 | net_update | |
150 | ;; | |
da6ee469 JF |
151 | list) |
152 | $GPG --batch --list-keys | |
153 | ;; | |
154 | finger*) | |
155 | $GPG --batch --fingerprint | |
156 | ;; | |
00ec24d0 JF |
157 | export) |
158 | $GPG --armor --export "$1" | |
159 | ;; | |
160 | exportall) | |
161 | $GPG --armor --export | |
162 | ;; | |
da6ee469 JF |
163 | adv*) |
164 | echo "Executing: $GPG $*" | |
165 | $GPG $* | |
166 | ;; | |
167 | help) | |
168 | usage | |
169 | ;; | |
170 | *) | |
171 | usage | |
172 | exit 1 | |
173 | ;; | |
174 | esac |