]>
Commit | Line | Data |
---|---|---|
b3d44315 MV |
1 | #!/bin/sh |
2 | ||
3 | set -e | |
dac074b0 | 4 | unset GREP_OPTIONS |
b3d44315 | 5 | |
4a242c5b MV |
6 | # We don't use a secret keyring, of course, but gpg panics and |
7 | # implodes if there isn't one available | |
285feb3c DK |
8 | SECRETKEYRING="$(mktemp)" |
9 | trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM | |
331eea38 | 10 | GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}" |
248ec5ab | 11 | |
d4e80f1f | 12 | if [ "$(id -u)" -eq 0 ]; then |
285feb3c | 13 | # we could use a tmpfile here too, but creation of this tends to be time-consuming |
563fd891 MV |
14 | eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) |
15 | GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" | |
248ec5ab DK |
16 | fi |
17 | ||
46e39c8e | 18 | GPG="$GPG_CMD" |
4a242c5b | 19 | |
7fbe42c0 | 20 | MASTER_KEYRING="" |
848ecfa4 | 21 | ARCHIVE_KEYRING_URI="" |
7fbe42c0 | 22 | #MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg |
848ecfa4 MV |
23 | #ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg |
24 | ||
7ef96224 MV |
25 | ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg |
26 | REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg | |
4a242c5b | 27 | |
00c6e1a3 MV |
28 | requires_root() { |
29 | if [ "$(id -u)" -ne 0 ]; then | |
30 | echo >&1 "ERROR: This command can only be used by root." | |
31 | exit 1 | |
32 | fi | |
33 | } | |
34 | ||
5de34668 JK |
35 | # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. |
36 | init_keyring() { | |
37 | for path; do | |
38 | if ! [ -e "$path" ]; then | |
39 | touch -- "$path" | |
40 | chmod 0644 -- "$path" | |
41 | fi | |
42 | done | |
43 | } | |
44 | ||
7fbe42c0 | 45 | add_keys_with_verify_against_master_keyring() { |
8c56b1e0 MV |
46 | ADD_KEYRING=$1 |
47 | MASTER=$2 | |
48 | ||
49 | if [ ! -f "$ADD_KEYRING" ]; then | |
50 | echo "ERROR: '$ADD_KEYRING' not found" | |
51 | return | |
52 | fi | |
53 | if [ ! -f "$MASTER" ]; then | |
54 | echo "ERROR: '$MASTER' not found" | |
55 | return | |
56 | fi | |
57 | ||
58 | # when adding new keys, make sure that the archive-master-keyring | |
59 | # is honored. so: | |
3a341a1d MV |
60 | # all keys that are exported must have a valid signature |
61 | # from a key in the $distro-master-keyring | |
8c56b1e0 MV |
62 | add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` |
63 | master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
64 | for add_key in $add_keys; do | |
c9bb37c7 | 65 | ADDED=0 |
8c56b1e0 | 66 | for master_key in $master_keys; do |
c9bb37c7 | 67 | if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then |
3916f941 | 68 | $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import |
c9bb37c7 | 69 | ADDED=1 |
8c56b1e0 | 70 | fi |
7fbe42c0 | 71 | done |
c9bb37c7 MV |
72 | if [ $ADDED = 0 ]; then |
73 | echo >&2 "Key '$add_key' not added. It is not signed with a master key" | |
74 | fi | |
8c56b1e0 | 75 | done |
7fbe42c0 | 76 | } |
4a242c5b | 77 | |
848ecfa4 MV |
78 | # update the current archive signing keyring from a network URI |
79 | # the archive-keyring keys needs to be signed with the master key | |
80 | # (otherwise it does not make sense from a security POV) | |
81 | net_update() { | |
82 | if [ -z "$ARCHIVE_KEYRING_URI" ]; then | |
00c6e1a3 | 83 | echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" |
46e39c8e MV |
84 | exit 1 |
85 | fi | |
00c6e1a3 | 86 | requires_root |
46e39c8e MV |
87 | # in theory we would need to depend on wget for this, but this feature |
88 | # isn't useable in debian anyway as we have no keyring uri nor a master key | |
89 | if ! which wget >/dev/null 2>&1; then | |
00c6e1a3 | 90 | echo >&2 "ERROR: an installed wget is required for a network-based update" |
46e39c8e | 91 | exit 1 |
848ecfa4 MV |
92 | fi |
93 | if [ ! -d /var/lib/apt/keyrings ]; then | |
94 | mkdir -p /var/lib/apt/keyrings | |
95 | fi | |
20ba2505 | 96 | keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) |
93886541 MV |
97 | old_mtime=0 |
98 | if [ -e $keyring ]; then | |
20ba2505 | 99 | old_mtime=$(stat -c %Y $keyring) |
93886541 | 100 | fi |
848ecfa4 | 101 | (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) |
93886541 MV |
102 | if [ ! -e $keyring ]; then |
103 | return | |
104 | fi | |
20ba2505 | 105 | new_mtime=$(stat -c %Y $keyring) |
93886541 | 106 | if [ $new_mtime -ne $old_mtime ]; then |
8dd0686e | 107 | echo "Checking for new archive signing keys now" |
93886541 MV |
108 | add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING |
109 | fi | |
848ecfa4 MV |
110 | } |
111 | ||
4a242c5b MV |
112 | update() { |
113 | if [ ! -f $ARCHIVE_KEYRING ]; then | |
114 | echo >&2 "ERROR: Can't find the archive-keyring" | |
5fdd72f2 | 115 | echo >&2 "Is the debian-archive-keyring package installed?" |
4a242c5b MV |
116 | exit 1 |
117 | fi | |
00c6e1a3 | 118 | requires_root |
4a242c5b | 119 | |
3a341a1d MV |
120 | # add new keys from the package; |
121 | ||
122 | # we do not use add_keys_with_verify_against_master_keyring here, | |
1171258a | 123 | # because "update" is run on regular package updates. A |
3a341a1d MV |
124 | # attacker might as well replace the master-archive-keyring file |
125 | # in the package and add his own keys. so this check wouldn't | |
126 | # add any security. we *need* this check on net-update though | |
127 | $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import | |
4a242c5b | 128 | |
364af2ef MV |
129 | if [ -r "$REMOVED_KEYS" ]; then |
130 | # remove no-longer supported/used keys | |
131 | keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
132 | for key in $keys; do | |
133 | if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then | |
134 | $GPG --quiet --batch --delete-key --yes ${key} | |
135 | fi | |
136 | done | |
137 | else | |
138 | echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2 | |
139 | fi | |
4a242c5b MV |
140 | } |
141 | ||
7fbe42c0 | 142 | |
b3d44315 | 143 | usage() { |
46e39c8e | 144 | echo "Usage: apt-key [--keyring file] [command] [arguments]" |
b3d44315 MV |
145 | echo |
146 | echo "Manage apt's list of trusted keys" | |
147 | echo | |
148 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
149 | echo " apt-key del <keyid> - remove the key <keyid>" | |
bf6d5b42 OS |
150 | echo " apt-key export <keyid> - output the key <keyid>" |
151 | echo " apt-key exportall - output all trusted keys" | |
4a242c5b | 152 | echo " apt-key update - update keys using the keyring package" |
848ecfa4 | 153 | echo " apt-key net-update - update keys using the network" |
b3d44315 | 154 | echo " apt-key list - list keys" |
a8cabc8f LB |
155 | echo " apt-key finger - list fingerprints" |
156 | echo " apt-key adv - pass advanced options to gpg (download key)" | |
b3d44315 | 157 | echo |
46e39c8e | 158 | echo "If no specific keyring file is given the command applies to all keyring files." |
b3d44315 MV |
159 | } |
160 | ||
46e39c8e MV |
161 | # Determine on which keyring we want to work |
162 | if [ "$1" = "--keyring" ]; then | |
163 | #echo "keyfile given" | |
164 | shift | |
165 | TRUSTEDFILE="$1" | |
9120d409 | 166 | if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ]; then |
46e39c8e MV |
167 | GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" |
168 | else | |
169 | echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" | |
170 | exit 1 | |
171 | fi | |
172 | shift | |
173 | # otherwise use the default | |
174 | else | |
175 | #echo "generate list" | |
176 | TRUSTEDFILE="/etc/apt/trusted.gpg" | |
6520109c | 177 | eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) |
1f8b2599 | 178 | eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) |
46e39c8e MV |
179 | if [ -r "$TRUSTEDFILE" ]; then |
180 | GPG="$GPG --keyring $TRUSTEDFILE" | |
181 | fi | |
182 | GPG="$GPG --primary-keyring $TRUSTEDFILE" | |
183 | TRUSTEDPARTS="/etc/apt/trusted.gpg.d" | |
1f8b2599 | 184 | eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) |
46e39c8e MV |
185 | if [ -d "$TRUSTEDPARTS" ]; then |
186 | #echo "parts active" | |
187 | for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do | |
188 | #echo "part -> $trusted" | |
189 | GPG="$GPG --keyring $trusted" | |
190 | done | |
191 | fi | |
192 | fi | |
193 | #echo "COMMAND: $GPG" | |
194 | ||
b3d44315 MV |
195 | command="$1" |
196 | if [ -z "$command" ]; then | |
197 | usage | |
198 | exit 1 | |
199 | fi | |
200 | shift | |
201 | ||
202 | if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then | |
203 | echo >&2 "Warning: gnupg does not seem to be installed." | |
204 | echo >&2 "Warning: apt-key requires gnupg for most operations." | |
205 | echo >&2 | |
206 | fi | |
207 | ||
b3d44315 MV |
208 | case "$command" in |
209 | add) | |
00c6e1a3 | 210 | requires_root |
5de34668 | 211 | init_keyring "$TRUSTEDFILE" |
b3d44315 MV |
212 | $GPG --quiet --batch --import "$1" |
213 | echo "OK" | |
214 | ;; | |
215 | del|rm|remove) | |
00c6e1a3 | 216 | requires_root |
5de34668 | 217 | init_keyring "$TRUSTEDFILE" |
b3d44315 MV |
218 | $GPG --quiet --batch --delete-key --yes "$1" |
219 | echo "OK" | |
220 | ;; | |
4a242c5b | 221 | update) |
5de34668 | 222 | init_keyring "$TRUSTEDFILE" |
4a242c5b MV |
223 | update |
224 | ;; | |
848ecfa4 | 225 | net-update) |
5de34668 | 226 | init_keyring "$TRUSTEDFILE" |
848ecfa4 MV |
227 | net_update |
228 | ;; | |
b3d44315 | 229 | list) |
5de34668 | 230 | init_keyring "$TRUSTEDFILE" |
b3d44315 MV |
231 | $GPG --batch --list-keys |
232 | ;; | |
233 | finger*) | |
5de34668 | 234 | init_keyring "$TRUSTEDFILE" |
b3d44315 MV |
235 | $GPG --batch --fingerprint |
236 | ;; | |
bf6d5b42 | 237 | export) |
5de34668 | 238 | init_keyring "$TRUSTEDFILE" |
bf6d5b42 OS |
239 | $GPG --armor --export "$1" |
240 | ;; | |
241 | exportall) | |
5de34668 | 242 | init_keyring "$TRUSTEDFILE" |
bf6d5b42 OS |
243 | $GPG --armor --export |
244 | ;; | |
b3d44315 | 245 | adv*) |
5de34668 | 246 | init_keyring "$TRUSTEDFILE" |
b3d44315 MV |
247 | echo "Executing: $GPG $*" |
248 | $GPG $* | |
249 | ;; | |
250 | help) | |
251 | usage | |
252 | ;; | |
253 | *) | |
254 | usage | |
255 | exit 1 | |
256 | ;; | |
257 | esac |