]>
Commit | Line | Data |
---|---|---|
b3d44315 MV |
1 | #!/bin/sh |
2 | ||
3 | set -e | |
dac074b0 | 4 | unset GREP_OPTIONS |
fecfbf2e | 5 | export IFS="$(printf "\n\b")" |
b3d44315 | 6 | |
5b2c6ddc | 7 | MASTER_KEYRING='&keyring-master-filename;' |
bc8f83a5 | 8 | eval "$(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)" |
5b2c6ddc | 9 | ARCHIVE_KEYRING='&keyring-filename;' |
bc8f83a5 | 10 | eval "$(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)" |
5b2c6ddc | 11 | REMOVED_KEYS='&keyring-removed-filename;' |
bc8f83a5 | 12 | eval "$(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)" |
5b2c6ddc | 13 | ARCHIVE_KEYRING_URI='&keyring-uri;' |
bc8f83a5 | 14 | eval "$(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)" |
4a242c5b | 15 | |
3d0def05 DK |
16 | aptkey_echo() { echo "$@"; } |
17 | ||
00c6e1a3 MV |
18 | requires_root() { |
19 | if [ "$(id -u)" -ne 0 ]; then | |
84b286f6 | 20 | echo >&2 "ERROR: This command can only be used by root." |
00c6e1a3 MV |
21 | exit 1 |
22 | fi | |
23 | } | |
24 | ||
e23ee4c2 | 25 | command_available() { |
ee385a36 | 26 | if [ -x "$1" ]; then return 0; fi |
e23ee4c2 DK |
27 | # command -v "$1" >/dev/null 2>&1 # not required by policy, see #747320 |
28 | # which "$1" >/dev/null 2>&1 # is in debianutils (essential) but not on non-debian systems | |
29 | local OLDIFS="$IFS" | |
30 | IFS=: | |
31 | for p in $PATH; do | |
32 | if [ -x "${p}/${1}" ]; then | |
33 | IFS="$OLDIFS" | |
34 | return 0 | |
35 | fi | |
36 | done | |
37 | IFS="$OLDIFS" | |
38 | return 1 | |
39 | } | |
40 | ||
bc8f83a5 DK |
41 | escape_shell() { |
42 | echo "$@" | sed -e "s#'#'\"'\"'#g" | |
43 | } | |
44 | ||
ba72845c | 45 | get_fingerprints_of_keyring() { |
fecfbf2e | 46 | aptkey_execute "$GPG_SH" --keyring "$1" --with-colons --fingerprint | while read publine; do |
ba72845c DK |
47 | # search for a public key |
48 | if [ "${publine%%:*}" != 'pub' ]; then continue; fi | |
49 | # search for the associated fingerprint (should be the very next line) | |
50 | while read fprline; do | |
51 | if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen | |
52 | elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi | |
53 | echo "$fprline" | cut -d':' -f 10 | |
54 | done | |
25f27319 DK |
55 | # order in the keyring shouldn't be important |
56 | done | sort | |
ba72845c DK |
57 | } |
58 | ||
7fbe42c0 | 59 | add_keys_with_verify_against_master_keyring() { |
bc8f83a5 DK |
60 | ADD_KEYRING="$1" |
61 | MASTER="$2" | |
f87338d2 | 62 | |
8c56b1e0 | 63 | if [ ! -f "$ADD_KEYRING" ]; then |
84b286f6 | 64 | echo >&2 "ERROR: '$ADD_KEYRING' not found" |
8c56b1e0 | 65 | return |
84b286f6 | 66 | fi |
8c56b1e0 | 67 | if [ ! -f "$MASTER" ]; then |
84b286f6 | 68 | echo >&2 "ERROR: '$MASTER' not found" |
8c56b1e0 MV |
69 | return |
70 | fi | |
71 | ||
72 | # when adding new keys, make sure that the archive-master-keyring | |
73 | # is honored. so: | |
3a341a1d MV |
74 | # all keys that are exported must have a valid signature |
75 | # from a key in the $distro-master-keyring | |
ba72845c | 76 | add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")" |
bc8f83a5 DK |
77 | all_add_keys="$(aptkey_execute "$GPG_SH" --keyring "$ADD_KEYRING" --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5)" |
78 | master_keys="$(aptkey_execute "$GPG_SH" --keyring "$MASTER" --with-colons --list-keys | grep ^pub | cut -d: -f5)" | |
f87338d2 DK |
79 | |
80 | # ensure there are no colisions LP: #857472 | |
81 | for all_add_key in $all_add_keys; do | |
82 | for master_key in $master_keys; do | |
83 | if [ "$all_add_key" = "$master_key" ]; then | |
84 | echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" | |
85 | return 1 | |
86 | fi | |
87 | done | |
88 | done | |
0dae96a2 | 89 | |
8c56b1e0 | 90 | for add_key in $add_keys; do |
f87338d2 | 91 | # export the add keyring one-by-one |
0dae96a2 | 92 | local TMP_KEYRING="${GPGHOMEDIR}/tmp-keyring.gpg" |
fecfbf2e DK |
93 | aptkey_execute "$GPG_SH" --batch --yes --keyring "$ADD_KEYRING" --output "$TMP_KEYRING" --export "$add_key" |
94 | if ! aptkey_execute "$GPG_SH" --batch --yes --keyring "$TMP_KEYRING" --import "$MASTER" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
c1642be5 | 95 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
0dae96a2 DK |
96 | false |
97 | fi | |
98 | # check if signed with the master key and only add in this case | |
99 | ADDED=0 | |
8c56b1e0 | 100 | for master_key in $master_keys; do |
fecfbf2e DK |
101 | if aptkey_execute "$GPG_SH" --keyring "$TMP_KEYRING" --check-sigs --with-colons "$add_key" \ |
102 | | grep '^sig:!:' | cut -d: -f5 | grep -q "$master_key"; then | |
103 | aptkey_execute "$GPG_SH" --batch --yes --keyring "$ADD_KEYRING" --export "$add_key" \ | |
104 | | aptkey_execute "$GPG" --batch --yes --import | |
c9bb37c7 | 105 | ADDED=1 |
8c56b1e0 | 106 | fi |
7fbe42c0 | 107 | done |
c9bb37c7 MV |
108 | if [ $ADDED = 0 ]; then |
109 | echo >&2 "Key '$add_key' not added. It is not signed with a master key" | |
110 | fi | |
0dae96a2 | 111 | rm -f "${TMP_KEYRING}" |
8c56b1e0 | 112 | done |
7fbe42c0 | 113 | } |
4a242c5b | 114 | |
848ecfa4 MV |
115 | # update the current archive signing keyring from a network URI |
116 | # the archive-keyring keys needs to be signed with the master key | |
117 | # (otherwise it does not make sense from a security POV) | |
118 | net_update() { | |
bc8f83a5 DK |
119 | local APT_DIR='/' |
120 | eval $(apt-config shell APT_DIR Dir) | |
121 | ||
f87338d2 | 122 | # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) |
5acf154d MV |
123 | APT_KEY_NET_UPDATE_ENABLED="" |
124 | eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled) | |
125 | if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then | |
126 | exit 1 | |
127 | fi | |
f87338d2 | 128 | |
848ecfa4 | 129 | if [ -z "$ARCHIVE_KEYRING_URI" ]; then |
00c6e1a3 | 130 | echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" |
46e39c8e MV |
131 | exit 1 |
132 | fi | |
133 | # in theory we would need to depend on wget for this, but this feature | |
134 | # isn't useable in debian anyway as we have no keyring uri nor a master key | |
e23ee4c2 | 135 | if ! command_available 'wget'; then |
00c6e1a3 | 136 | echo >&2 "ERROR: an installed wget is required for a network-based update" |
46e39c8e | 137 | exit 1 |
848ecfa4 | 138 | fi |
fecfbf2e DK |
139 | if [ ! -d "${APT_DIR}/var/lib/apt/keyrings" ]; then |
140 | mkdir -p "${APT_DIR}/var/lib/apt/keyrings" | |
848ecfa4 | 141 | fi |
fecfbf2e | 142 | keyring="${APT_DIR}/var/lib/apt/keyrings/$(basename "$ARCHIVE_KEYRING_URI")" |
93886541 MV |
143 | old_mtime=0 |
144 | if [ -e $keyring ]; then | |
bc8f83a5 | 145 | old_mtime=$(stat -c %Y "$keyring") |
93886541 | 146 | fi |
fecfbf2e DK |
147 | (cd "${APT_DIR}/var/lib/apt/keyrings"; wget --timeout=90 -q -N "$ARCHIVE_KEYRING_URI") |
148 | if [ ! -e "$keyring" ]; then | |
93886541 MV |
149 | return |
150 | fi | |
fecfbf2e | 151 | new_mtime=$(stat -c %Y "$keyring") |
93886541 | 152 | if [ $new_mtime -ne $old_mtime ]; then |
3d0def05 | 153 | aptkey_echo "Checking for new archive signing keys now" |
fecfbf2e | 154 | add_keys_with_verify_against_master_keyring "$keyring" "$MASTER_KEYRING" |
93886541 | 155 | fi |
848ecfa4 MV |
156 | } |
157 | ||
4a242c5b | 158 | update() { |
f4dcab05 DK |
159 | if [ -z "$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE" ]; then |
160 | echo >&2 "Warning: 'apt-key update' is deprecated and should not be used anymore!" | |
161 | if [ -z "$ARCHIVE_KEYRING" ]; then | |
162 | echo >&2 "Note: In your distribution this command is a no-op and can therefore be removed safely." | |
163 | exit 0 | |
164 | fi | |
165 | fi | |
fecfbf2e | 166 | if [ ! -f "$ARCHIVE_KEYRING" ]; then |
4a242c5b | 167 | echo >&2 "ERROR: Can't find the archive-keyring" |
5b2c6ddc | 168 | echo >&2 "Is the &keyring-package; package installed?" |
4a242c5b MV |
169 | exit 1 |
170 | fi | |
171 | ||
3a341a1d MV |
172 | # add new keys from the package; |
173 | ||
174 | # we do not use add_keys_with_verify_against_master_keyring here, | |
1171258a | 175 | # because "update" is run on regular package updates. A |
3a341a1d MV |
176 | # attacker might as well replace the master-archive-keyring file |
177 | # in the package and add his own keys. so this check wouldn't | |
178 | # add any security. we *need* this check on net-update though | |
f14cde2c | 179 | import_keyring_into_keyring "$ARCHIVE_KEYRING" '' && cat "${GPGHOMEDIR}/gpgoutput.log" |
4a242c5b | 180 | |
364af2ef MV |
181 | if [ -r "$REMOVED_KEYS" ]; then |
182 | # remove no-longer supported/used keys | |
ba72845c | 183 | get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do |
5beb682d | 184 | foreach_keyring_do 'remove_key_from_keyring' "$key" |
364af2ef MV |
185 | done |
186 | else | |
84b286f6 | 187 | echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" |
364af2ef | 188 | fi |
4a242c5b MV |
189 | } |
190 | ||
04937adc | 191 | remove_key_from_keyring() { |
4b30c1dc DK |
192 | local KEYRINGFILE="$1" |
193 | shift | |
5beb682d DK |
194 | # non-existent keyrings have by definition no keys |
195 | if [ ! -e "$KEYRINGFILE" ]; then | |
196 | return | |
197 | fi | |
198 | ||
0b94a7bc | 199 | for KEY in "$@"; do |
25f27319 DK |
200 | local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst" |
201 | get_fingerprints_of_keyring "$KEYRINGFILE" > "$FINGERPRINTS" | |
f7bd44ba | 202 | |
e289907f DK |
203 | # strip leading 0x, if present: |
204 | KEY="$(echo "${KEY#0x}" | tr -d ' ')" | |
f7bd44ba | 205 | |
25f27319 DK |
206 | # check if the key is in this keyring |
207 | if ! grep -iq "^[0-9A-F]*${KEY}$" "$FINGERPRINTS"; then | |
4b30c1dc DK |
208 | continue |
209 | fi | |
210 | if [ ! -w "$KEYRINGFILE" ]; then | |
211 | echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only." | |
212 | continue | |
213 | fi | |
214 | # check if it is the only key in the keyring and if so remove the keyring altogether | |
25f27319 | 215 | if [ '1' = "$(uniq "$FINGERPRINTS" | wc -l)" ]; then |
4b30c1dc DK |
216 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg |
217 | return | |
218 | fi | |
219 | # we can't just modify pointed to files as these might be in /usr or something | |
220 | local REALTARGET | |
221 | if [ -L "$KEYRINGFILE" ]; then | |
222 | REALTARGET="$(readlink -f "$KEYRINGFILE")" | |
223 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp" | |
224 | cp -a "$REALTARGET" "$KEYRINGFILE" | |
225 | fi | |
226 | # delete the key from the keyring | |
fecfbf2e | 227 | aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch --delete-keys --yes "$KEY" |
4b30c1dc DK |
228 | if [ -n "$REALTARGET" ]; then |
229 | # the real backup is the old link, not the copy we made | |
230 | mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~" | |
231 | fi | |
232 | done | |
04937adc DK |
233 | } |
234 | ||
4b30c1dc DK |
235 | foreach_keyring_do() { |
236 | local ACTION="$1" | |
237 | shift | |
b0d40854 | 238 | # if a --keyring was given, just work on this one |
4b30c1dc DK |
239 | if [ -n "$FORCED_KEYRING" ]; then |
240 | $ACTION "$FORCED_KEYRING" "$@" | |
241 | else | |
242 | # otherwise all known keyrings are up for inspection | |
5beb682d DK |
243 | if [ -s "$TRUSTEDFILE" ]; then |
244 | $ACTION "$TRUSTEDFILE" "$@" | |
245 | fi | |
4b30c1dc | 246 | local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" |
bc8f83a5 | 247 | eval "$(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)" |
4b30c1dc | 248 | if [ -d "$TRUSTEDPARTS" ]; then |
0cfec3ab DK |
249 | TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")" |
250 | local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg')" | |
251 | for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do | |
5beb682d DK |
252 | if [ -s "$trusted" ]; then |
253 | $ACTION "$trusted" "$@" | |
254 | fi | |
4b30c1dc | 255 | done |
04937adc | 256 | fi |
4b30c1dc | 257 | fi |
04937adc DK |
258 | } |
259 | ||
0b94a7bc | 260 | run_cmd_on_keyring() { |
5beb682d DK |
261 | local KEYRINGFILE="$1" |
262 | shift | |
0b94a7bc | 263 | # fingerprint and co will fail if key isn't in this keyring |
fecfbf2e | 264 | aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true |
5beb682d DK |
265 | } |
266 | ||
f14cde2c DK |
267 | import_keyring_into_keyring() { |
268 | local FROM="${1:-${GPGHOMEDIR}/pubring.gpg}" | |
269 | local TO="${2:-${GPGHOMEDIR}/pubring.gpg}" | |
270 | shift 2 | |
271 | rm -f "${GPGHOMEDIR}/gpgoutput.log" | |
272 | # the idea is simple: We take keys from one keyring and copy it to another | |
3a8776a3 | 273 | # we do this with so many checks in between to ensure that WE control the |
f14cde2c DK |
274 | # creation, so we know that the (potentially) created $TO keyring is a |
275 | # simple keyring rather than a keybox as gpg2 would create it which in turn | |
276 | # can't be read by gpgv. | |
277 | # BEWARE: This is designed more in the way to work with the current | |
278 | # callers, than to have a well defined it would be easy to add new callers to. | |
279 | if [ ! -s "$TO" ]; then | |
280 | if [ -s "$FROM" ]; then | |
281 | if [ -z "$2" ]; then | |
fecfbf2e | 282 | if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${1:+"$1"} > "$TO" 2> "${GPGHOMEDIR}/gpgoutput.log"; then |
f14cde2c DK |
283 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
284 | false | |
285 | else | |
286 | chmod 0644 -- "$TO" | |
287 | fi | |
288 | else | |
289 | create_new_keyring "$TO" | |
290 | fi | |
291 | else | |
292 | create_new_keyring "$TO" | |
293 | fi | |
294 | elif [ -s "$FROM" ]; then | |
295 | local EXPORTLIMIT="$1" | |
296 | if [ -n "$1$2" ]; then shift; fi | |
fecfbf2e DK |
297 | if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${EXPORTLIMIT:+"$EXPORTLIMIT"} \ |
298 | | aptkey_execute "$GPG_SH" --keyring "$TO" --batch --import "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
f14cde2c DK |
299 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
300 | false | |
301 | fi | |
0dae96a2 DK |
302 | fi |
303 | } | |
304 | ||
25f27319 DK |
305 | merge_all_trusted_keyrings_into_pubring() { |
306 | # does the same as: | |
307 | # foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg" | |
308 | # but without using gpg, just cat and find | |
dd7758b9 | 309 | local PUBRING="$(readlink -f "${GPGHOMEDIR}")/pubring.gpg" |
25f27319 DK |
310 | # if a --keyring was given, just use this one |
311 | if [ -n "$FORCED_KEYRING" ]; then | |
312 | if [ -s "$FORCED_KEYRING" ]; then | |
313 | cp --dereference "$FORCED_KEYRING" "$PUBRING" | |
314 | fi | |
315 | else | |
316 | # otherwise all known keyrings are merged | |
317 | local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" | |
318 | eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) | |
319 | if [ -d "$TRUSTEDPARTS" ]; then | |
0cfec3ab DK |
320 | rm -f "$PUBRING" |
321 | if [ -s "$TRUSTEDFILE" ]; then | |
322 | cat "$TRUSTEDFILE" > "$PUBRING" | |
323 | fi | |
324 | TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")" | |
325 | (cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg' -exec cat {} + >> "$PUBRING";) | |
25f27319 DK |
326 | elif [ -s "$TRUSTEDFILE" ]; then |
327 | cp --dereference "$TRUSTEDFILE" "$PUBRING" | |
328 | fi | |
329 | fi | |
330 | ||
331 | if [ ! -s "$PUBRING" ]; then | |
332 | touch "$PUBRING" | |
333 | fi | |
334 | } | |
335 | ||
f14cde2c DK |
336 | import_keys_from_keyring() { |
337 | import_keyring_into_keyring "$1" "$2" | |
338 | } | |
339 | ||
0dae96a2 | 340 | merge_keys_into_keyrings() { |
f14cde2c | 341 | import_keyring_into_keyring "$2" "$1" '' --import-options 'merge-only' |
0dae96a2 DK |
342 | } |
343 | ||
344 | merge_back_changes() { | |
345 | if [ -n "$FORCED_KEYRING" ]; then | |
346 | # if the keyring was forced merge is already done | |
347 | return | |
348 | fi | |
349 | if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then | |
350 | # merge all updated keys | |
351 | foreach_keyring_do 'merge_keys_into_keyrings' "${GPGHOMEDIR}/pubring.gpg" | |
352 | fi | |
0b94a7bc | 353 | # look for keys which were added or removed |
0dae96a2 DK |
354 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.orig.gpg" > "${GPGHOMEDIR}/pubring.orig.keylst" |
355 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.gpg" > "${GPGHOMEDIR}/pubring.keylst" | |
25f27319 DK |
356 | comm -3 "${GPGHOMEDIR}/pubring.keylst" "${GPGHOMEDIR}/pubring.orig.keylst" > "${GPGHOMEDIR}/pubring.diff" |
357 | # key isn't part of new keyring, so remove | |
358 | cut -f 2 "${GPGHOMEDIR}/pubring.diff" | while read key; do | |
359 | if [ -z "$key" ]; then continue; fi | |
360 | foreach_keyring_do 'remove_key_from_keyring' "$key" | |
361 | done | |
362 | # key is only part of new keyring, so we need to import it | |
363 | cut -f 1 "${GPGHOMEDIR}/pubring.diff" | while read key; do | |
364 | if [ -z "$key" ]; then continue; fi | |
365 | import_keyring_into_keyring '' "$TRUSTEDFILE" "$key" | |
0dae96a2 | 366 | done |
5beb682d DK |
367 | } |
368 | ||
369 | setup_merged_keyring() { | |
b0d40854 | 370 | if [ -n "$FORCED_KEYID" ]; then |
25f27319 | 371 | merge_all_trusted_keyrings_into_pubring |
b0d40854 DK |
372 | FORCED_KEYRING="${GPGHOMEDIR}/forcedkeyid.gpg" |
373 | TRUSTEDFILE="${FORCED_KEYRING}" | |
fecfbf2e | 374 | echo "#!/bin/sh |
bc8f83a5 | 375 | exec sh '($(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh" |
fecfbf2e | 376 | GPG="${GPGHOMEDIR}/gpg.1.sh" |
b0d40854 | 377 | # ignore error as this "just" means we haven't found the forced keyid and the keyring will be empty |
f14cde2c | 378 | import_keyring_into_keyring '' "$TRUSTEDFILE" "$FORCED_KEYID" || true |
b0d40854 | 379 | elif [ -z "$FORCED_KEYRING" ]; then |
25f27319 | 380 | merge_all_trusted_keyrings_into_pubring |
0dae96a2 DK |
381 | if [ -r "${GPGHOMEDIR}/pubring.gpg" ]; then |
382 | cp -a "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
383 | else | |
384 | touch "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
0740a310 | 385 | fi |
fecfbf2e | 386 | echo "#!/bin/sh |
bc8f83a5 | 387 | exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${GPGHOMEDIR}/pubring.gpg")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh" |
fecfbf2e | 388 | GPG="${GPGHOMEDIR}/gpg.1.sh" |
0dae96a2 | 389 | else |
0dae96a2 | 390 | create_new_keyring "$TRUSTEDFILE" |
fecfbf2e | 391 | echo "#!/bin/sh |
bc8f83a5 | 392 | exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh" |
fecfbf2e | 393 | GPG="${GPGHOMEDIR}/gpg.1.sh" |
5beb682d DK |
394 | fi |
395 | } | |
396 | ||
0dae96a2 DK |
397 | create_new_keyring() { |
398 | # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. | |
399 | if ! [ -e "$TRUSTEDFILE" ]; then | |
400 | if [ -w "$(dirname "$TRUSTEDFILE")" ]; then | |
401 | touch -- "$TRUSTEDFILE" | |
402 | chmod 0644 -- "$TRUSTEDFILE" | |
403 | fi | |
404 | fi | |
405 | } | |
5beb682d | 406 | |
fecfbf2e DK |
407 | aptkey_execute() { sh "$@"; } |
408 | ||
b3d44315 | 409 | usage() { |
46e39c8e | 410 | echo "Usage: apt-key [--keyring file] [command] [arguments]" |
b3d44315 MV |
411 | echo |
412 | echo "Manage apt's list of trusted keys" | |
413 | echo | |
414 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
415 | echo " apt-key del <keyid> - remove the key <keyid>" | |
bf6d5b42 OS |
416 | echo " apt-key export <keyid> - output the key <keyid>" |
417 | echo " apt-key exportall - output all trusted keys" | |
4a242c5b | 418 | echo " apt-key update - update keys using the keyring package" |
848ecfa4 | 419 | echo " apt-key net-update - update keys using the network" |
b3d44315 | 420 | echo " apt-key list - list keys" |
a8cabc8f LB |
421 | echo " apt-key finger - list fingerprints" |
422 | echo " apt-key adv - pass advanced options to gpg (download key)" | |
b3d44315 | 423 | echo |
46e39c8e | 424 | echo "If no specific keyring file is given the command applies to all keyring files." |
b3d44315 MV |
425 | } |
426 | ||
3dc55197 DK |
427 | while [ -n "$1" ]; do |
428 | case "$1" in | |
429 | --keyring) | |
430 | shift | |
431 | TRUSTEDFILE="$1" | |
04937adc | 432 | FORCED_KEYRING="$1" |
3dc55197 | 433 | ;; |
b0d40854 DK |
434 | --keyid) |
435 | shift | |
436 | FORCED_KEYID="$1" | |
437 | ;; | |
bd7fb5aa DK |
438 | --secret-keyring) |
439 | shift | |
440 | FORCED_SECRET_KEYRING="$1" | |
33a22672 DK |
441 | ;; |
442 | --readonly) | |
443 | merge_back_changes() { true; } | |
fecfbf2e | 444 | create_new_keyring() { if [ ! -r "$FORCED_KEYRING" ]; then TRUSTEDFILE='/dev/null'; FORCED_KEYRING="$TRUSTEDFILE"; fi; } |
bd7fb5aa | 445 | ;; |
3dc55197 DK |
446 | --fakeroot) |
447 | requires_root() { true; } | |
3dc55197 | 448 | ;; |
3d0def05 DK |
449 | --quiet) |
450 | aptkey_echo() { true; } | |
3d0def05 | 451 | ;; |
c1642be5 DK |
452 | --debug1) |
453 | # some cmds like finger redirect stderr to /dev/null … | |
fecfbf2e | 454 | aptkey_execute() { echo 'EXEC:' "$@"; sh "$@"; } |
c1642be5 DK |
455 | ;; |
456 | --debug2) | |
457 | # … other more complicated ones pipe gpg into gpg. | |
fecfbf2e | 458 | aptkey_execute() { echo >&2 'EXEC:' "$@"; sh "$@"; } |
c1642be5 | 459 | ;; |
3dc55197 DK |
460 | --*) |
461 | echo >&2 "Unknown option: $1" | |
462 | usage | |
463 | exit 1;; | |
464 | *) | |
465 | break;; | |
466 | esac | |
33a22672 | 467 | shift |
3dc55197 DK |
468 | done |
469 | ||
470 | if [ -z "$TRUSTEDFILE" ]; then | |
471 | TRUSTEDFILE="/etc/apt/trusted.gpg" | |
472 | eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) | |
473 | eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) | |
46e39c8e | 474 | fi |
46e39c8e | 475 | |
b3d44315 MV |
476 | command="$1" |
477 | if [ -z "$command" ]; then | |
478 | usage | |
479 | exit 1 | |
480 | fi | |
481 | shift | |
482 | ||
4039798d DK |
483 | cleanup_gpg_home() { |
484 | if [ -z "$GPGHOMEDIR" ]; then return; fi | |
485 | if command_available 'gpgconf'; then | |
215598df | 486 | GNUPGHOME="${GPGHOMEDIR}" gpgconf --kill gpg-agent >/dev/null 2>&1 || true |
4039798d DK |
487 | fi |
488 | rm -rf "$GPGHOMEDIR" | |
489 | } | |
490 | ||
25f27319 DK |
491 | create_gpg_home() { |
492 | # gpg needs (in different versions more or less) files to function correctly, | |
493 | # so we give it its own homedir and generate some valid content for it later on | |
494 | if [ -n "$TMPDIR" ]; then | |
495 | # tmpdir is a directory and current user has rwx access to it | |
496 | # same tests as in apt-pkg/contrib/fileutl.cc GetTempDir() | |
497 | if [ ! -d "$TMPDIR" ] || [ ! -r "$TMPDIR" ] || [ ! -w "$TMPDIR" ] || [ ! -x "$TMPDIR" ]; then | |
498 | unset TMPDIR | |
499 | fi | |
500 | fi | |
501 | GPGHOMEDIR="$(mktemp -d)" | |
4039798d | 502 | CURRENTTRAP="${CURRENTTRAP} cleanup_gpg_home;" |
25f27319 | 503 | trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM |
4039798d DK |
504 | if [ -z "$GPGHOMEDIR" ]; then |
505 | echo "ERROR: Could not create temporary gpg home directory in apt-key ($TMPDIR)" | |
506 | exit 28 | |
507 | fi | |
25f27319 DK |
508 | chmod 700 "$GPGHOMEDIR" |
509 | } | |
510 | ||
511 | prepare_gpg_home() { | |
5f17b19f DK |
512 | # crude detection if we are called from a maintainerscript where the |
513 | # package depends on gnupg or not. We accept recommends here as | |
514 | # well as the script hopefully uses apt-key optionally then like e.g. | |
515 | # debian-archive-keyring for (upgrade) cleanup did | |
08fcf962 | 516 | if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ] && [ -z "$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE" ]; then |
2e49f519 | 517 | if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}\n' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -q gnupg; then |
5f17b19f DK |
518 | cat >&2 <<EOF |
519 | Warning: The $DPKG_MAINTSCRIPT_NAME maintainerscript of the package $DPKG_MAINTSCRIPT_PACKAGE | |
520 | Warning: seems to use apt-key (provided by apt) without depending on gnupg or gnupg2. | |
521 | Warning: This will BREAK in the future and should be fixed by the package maintainer(s). | |
522 | Note: Check first if apt-key functionality is needed at all - it probably isn't! | |
523 | EOF | |
524 | fi | |
525 | fi | |
bc8f83a5 | 526 | eval "$(apt-config shell GPG_EXE Apt::Key::gpgcommand)" |
e23ee4c2 | 527 | if [ -n "$GPG_EXE" ] && command_available "$GPG_EXE"; then |
93d0d08c | 528 | true |
e23ee4c2 | 529 | elif command_available 'gpg'; then |
93d0d08c | 530 | GPG_EXE="gpg" |
e23ee4c2 | 531 | elif command_available 'gpg2'; then |
93d0d08c | 532 | GPG_EXE="gpg2" |
19fdf93d DK |
533 | elif command_available 'gpg1'; then |
534 | GPG_EXE="gpg1" | |
93d0d08c | 535 | else |
19fdf93d DK |
536 | echo >&2 "Error: gnupg, gnupg2 and gnupg1 do not seem to be installed," |
537 | echo >&2 "Error: but apt-key requires gnupg, gnupg2 or gnupg1 for this operation." | |
9fda3be1 | 538 | echo >&2 |
93d0d08c | 539 | exit 255 |
9fda3be1 DK |
540 | fi |
541 | ||
25f27319 DK |
542 | create_gpg_home |
543 | ||
05991180 DK |
544 | # create the trustdb with an (empty) dummy keyring |
545 | # older gpgs required it, newer gpgs even warn that it isn't needed, | |
546 | # but require it nonetheless for some commands, so we just play safe | |
547 | # here for the foreseeable future and create a dummy one | |
803491dc | 548 | touch "${GPGHOMEDIR}/empty.gpg" |
fecfbf2e | 549 | if ! "$GPG_EXE" --ignore-time-conflict --no-options --no-default-keyring \ |
803491dc | 550 | --homedir "$GPGHOMEDIR" --quiet --check-trustdb --keyring "${GPGHOMEDIR}/empty.gpg" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then |
fecfbf2e DK |
551 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
552 | false | |
553 | fi | |
803491dc DK |
554 | |
555 | # now tell gpg that it shouldn't try to maintain this trustdb file | |
fecfbf2e | 556 | echo "#!/bin/sh |
bc8f83a5 DK |
557 | exec '$(escape_shell "${GPG_EXE}")' --ignore-time-conflict --no-options --no-default-keyring \\ |
558 | --homedir '$(escape_shell "${GPGHOMEDIR}")' --no-auto-check-trustdb --trust-model always \"\$@\"" > "${GPGHOMEDIR}/gpg.0.sh" | |
fecfbf2e DK |
559 | GPG_SH="${GPGHOMEDIR}/gpg.0.sh" |
560 | GPG="$GPG_SH" | |
05991180 | 561 | |
803491dc | 562 | # We don't usually need a secret keyring, of course, but |
bd7fb5aa DK |
563 | # for advanced operations, we might really need a secret keyring after all |
564 | if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then | |
803491dc DK |
565 | if ! aptkey_execute "$GPG" -v --batch --import "$FORCED_SECRET_KEYRING" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then |
566 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" | |
567 | false | |
568 | fi | |
569 | else | |
570 | # and then, there are older versions of gpg which panic and implode | |
571 | # if there isn't one available - and writeable for imports | |
572 | # and even if not output is littered with the creation of a secring, | |
573 | # so lets call import once to have it create what it wants in silence | |
574 | echo -n | aptkey_execute "$GPG" --batch --import >/dev/null 2>&1 || true | |
bd7fb5aa | 575 | fi |
25f27319 DK |
576 | } |
577 | ||
08fcf962 DK |
578 | warn_on_script_usage() { |
579 | if [ -n "$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE" ]; then | |
580 | return | |
581 | fi | |
582 | # (Maintainer) scripts should not be using apt-key | |
583 | if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ]; then | |
584 | echo >&2 "Warning: apt-key should not be used in scripts (called from $DPKG_MAINTSCRIPT_NAME maintainerscript of the package ${DPKG_MAINTSCRIPT_PACKAGE})" | |
585 | elif [ ! -t 1 ]; then | |
586 | echo >&2 "Warning: apt-key output should not be parsed (stdout is not a terminal)" | |
587 | fi | |
588 | } | |
589 | ||
25f27319 DK |
590 | if [ "$command" != 'help' ] && [ "$command" != 'verify' ]; then |
591 | prepare_gpg_home | |
b3d44315 MV |
592 | fi |
593 | ||
b3d44315 MV |
594 | case "$command" in |
595 | add) | |
08fcf962 | 596 | warn_on_script_usage |
5beb682d DK |
597 | requires_root |
598 | setup_merged_keyring | |
fecfbf2e | 599 | aptkey_execute "$GPG" --quiet --batch --import "$@" |
0dae96a2 | 600 | merge_back_changes |
5beb682d | 601 | aptkey_echo "OK" |
b3d44315 MV |
602 | ;; |
603 | del|rm|remove) | |
08fcf962 | 604 | # no script warning here as removing 'add' usage needs 'del' for cleanup |
5beb682d DK |
605 | requires_root |
606 | foreach_keyring_do 'remove_key_from_keyring' "$@" | |
607 | aptkey_echo "OK" | |
b3d44315 | 608 | ;; |
4a242c5b | 609 | update) |
08fcf962 | 610 | warn_on_script_usage |
5beb682d DK |
611 | requires_root |
612 | setup_merged_keyring | |
4a242c5b | 613 | update |
0dae96a2 | 614 | merge_back_changes |
4a242c5b | 615 | ;; |
848ecfa4 | 616 | net-update) |
5beb682d DK |
617 | requires_root |
618 | setup_merged_keyring | |
848ecfa4 | 619 | net_update |
0dae96a2 | 620 | merge_back_changes |
848ecfa4 | 621 | ;; |
a5f9b45e | 622 | list|finger*) |
08fcf962 | 623 | warn_on_script_usage |
0b94a7bc | 624 | foreach_keyring_do 'run_cmd_on_keyring' --fingerprint "$@" |
5beb682d | 625 | ;; |
4f51a496 | 626 | export|exportall) |
08fcf962 | 627 | warn_on_script_usage |
25f27319 | 628 | merge_all_trusted_keyrings_into_pubring |
fecfbf2e | 629 | aptkey_execute "$GPG_SH" --keyring "${GPGHOMEDIR}/pubring.gpg" --armor --export "$@" |
5beb682d | 630 | ;; |
b3d44315 | 631 | adv*) |
08fcf962 | 632 | warn_on_script_usage |
5beb682d DK |
633 | setup_merged_keyring |
634 | aptkey_echo "Executing: $GPG $*" | |
fecfbf2e | 635 | aptkey_execute "$GPG" "$@" |
0dae96a2 | 636 | merge_back_changes |
5beb682d | 637 | ;; |
c46a36ad | 638 | verify) |
f14cde2c DK |
639 | GPGV='' |
640 | eval $(apt-config shell GPGV Apt::Key::gpgvcommand) | |
e23ee4c2 DK |
641 | if [ -n "$GPGV" ] && command_available "$GPGV"; then true; |
642 | elif command_available 'gpgv'; then GPGV='gpgv'; | |
643 | elif command_available 'gpgv2'; then GPGV='gpgv2'; | |
19fdf93d | 644 | elif command_available 'gpgv1'; then GPGV='gpgv1'; |
25f27319 | 645 | else |
19fdf93d | 646 | echo >&2 'ERROR: gpgv, gpgv2 or gpgv1 required for verification' |
25f27319 | 647 | exit 29 |
f14cde2c | 648 | fi |
25f27319 DK |
649 | # for a forced keyid we need gpg --export, so full wrapping required |
650 | if [ -n "$FORCED_KEYID" ]; then | |
651 | prepare_gpg_home | |
652 | else | |
653 | create_gpg_home | |
654 | fi | |
655 | setup_merged_keyring | |
656 | if [ -n "$FORCED_KEYRING" ]; then | |
fecfbf2e | 657 | "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${FORCED_KEYRING}" --ignore-time-conflict "$@" |
c46a36ad | 658 | else |
fecfbf2e | 659 | "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@" |
c46a36ad DK |
660 | fi |
661 | ;; | |
b3d44315 MV |
662 | help) |
663 | usage | |
664 | ;; | |
665 | *) | |
666 | usage | |
667 | exit 1 | |
668 | ;; | |
669 | esac |