]>
Commit | Line | Data |
---|---|---|
b3d44315 MV |
1 | #!/bin/sh |
2 | ||
3 | set -e | |
dac074b0 | 4 | unset GREP_OPTIONS |
b3d44315 | 5 | |
5acf154d MV |
6 | APT_DIR="/" |
7 | eval $(apt-config shell APT_DIR Dir) | |
8 | ||
5b2c6ddc | 9 | MASTER_KEYRING='&keyring-master-filename;' |
80f3aeb0 | 10 | eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) |
5b2c6ddc | 11 | ARCHIVE_KEYRING='&keyring-filename;' |
80f3aeb0 | 12 | eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) |
5b2c6ddc | 13 | REMOVED_KEYS='&keyring-removed-filename;' |
80f3aeb0 | 14 | eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) |
5b2c6ddc | 15 | ARCHIVE_KEYRING_URI='&keyring-uri;' |
f87338d2 | 16 | eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) |
4a242c5b | 17 | |
3d0def05 DK |
18 | aptkey_echo() { echo "$@"; } |
19 | ||
00c6e1a3 MV |
20 | requires_root() { |
21 | if [ "$(id -u)" -ne 0 ]; then | |
84b286f6 | 22 | echo >&2 "ERROR: This command can only be used by root." |
00c6e1a3 MV |
23 | exit 1 |
24 | fi | |
25 | } | |
26 | ||
ba72845c DK |
27 | get_fingerprints_of_keyring() { |
28 | $GPG_CMD --keyring "$1" --with-colons --fingerprint | while read publine; do | |
29 | # search for a public key | |
30 | if [ "${publine%%:*}" != 'pub' ]; then continue; fi | |
31 | # search for the associated fingerprint (should be the very next line) | |
32 | while read fprline; do | |
33 | if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen | |
34 | elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi | |
35 | echo "$fprline" | cut -d':' -f 10 | |
36 | done | |
37 | done | |
38 | } | |
39 | ||
7fbe42c0 | 40 | add_keys_with_verify_against_master_keyring() { |
8c56b1e0 MV |
41 | ADD_KEYRING=$1 |
42 | MASTER=$2 | |
f87338d2 | 43 | |
8c56b1e0 | 44 | if [ ! -f "$ADD_KEYRING" ]; then |
84b286f6 | 45 | echo >&2 "ERROR: '$ADD_KEYRING' not found" |
8c56b1e0 | 46 | return |
84b286f6 | 47 | fi |
8c56b1e0 | 48 | if [ ! -f "$MASTER" ]; then |
84b286f6 | 49 | echo >&2 "ERROR: '$MASTER' not found" |
8c56b1e0 MV |
50 | return |
51 | fi | |
52 | ||
53 | # when adding new keys, make sure that the archive-master-keyring | |
54 | # is honored. so: | |
3a341a1d MV |
55 | # all keys that are exported must have a valid signature |
56 | # from a key in the $distro-master-keyring | |
ba72845c | 57 | add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")" |
f87338d2 | 58 | all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` |
8c56b1e0 | 59 | master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` |
f87338d2 DK |
60 | |
61 | # ensure there are no colisions LP: #857472 | |
62 | for all_add_key in $all_add_keys; do | |
63 | for master_key in $master_keys; do | |
64 | if [ "$all_add_key" = "$master_key" ]; then | |
65 | echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" | |
66 | return 1 | |
67 | fi | |
68 | done | |
69 | done | |
0dae96a2 | 70 | |
8c56b1e0 | 71 | for add_key in $add_keys; do |
f87338d2 | 72 | # export the add keyring one-by-one |
0dae96a2 DK |
73 | local TMP_KEYRING="${GPGHOMEDIR}/tmp-keyring.gpg" |
74 | $GPG_CMD --batch --yes --keyring "$ADD_KEYRING" --output "$TMP_KEYRING" --export "$add_key" | |
75 | if ! $GPG_CMD --batch --yes --keyring "$TMP_KEYRING" --import "$MASTER" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
76 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
77 | false | |
78 | fi | |
79 | # check if signed with the master key and only add in this case | |
80 | ADDED=0 | |
8c56b1e0 | 81 | for master_key in $master_keys; do |
0dae96a2 DK |
82 | if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then |
83 | $GPG_CMD --batch --yes --keyring "$ADD_KEYRING" --export "$add_key" | $GPG --batch --yes --import | |
c9bb37c7 | 84 | ADDED=1 |
8c56b1e0 | 85 | fi |
7fbe42c0 | 86 | done |
c9bb37c7 MV |
87 | if [ $ADDED = 0 ]; then |
88 | echo >&2 "Key '$add_key' not added. It is not signed with a master key" | |
89 | fi | |
0dae96a2 | 90 | rm -f "${TMP_KEYRING}" |
8c56b1e0 | 91 | done |
7fbe42c0 | 92 | } |
4a242c5b | 93 | |
848ecfa4 MV |
94 | # update the current archive signing keyring from a network URI |
95 | # the archive-keyring keys needs to be signed with the master key | |
96 | # (otherwise it does not make sense from a security POV) | |
97 | net_update() { | |
f87338d2 | 98 | # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) |
5acf154d MV |
99 | APT_KEY_NET_UPDATE_ENABLED="" |
100 | eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled) | |
101 | if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then | |
102 | exit 1 | |
103 | fi | |
f87338d2 | 104 | |
848ecfa4 | 105 | if [ -z "$ARCHIVE_KEYRING_URI" ]; then |
00c6e1a3 | 106 | echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" |
46e39c8e MV |
107 | exit 1 |
108 | fi | |
109 | # in theory we would need to depend on wget for this, but this feature | |
110 | # isn't useable in debian anyway as we have no keyring uri nor a master key | |
111 | if ! which wget >/dev/null 2>&1; then | |
00c6e1a3 | 112 | echo >&2 "ERROR: an installed wget is required for a network-based update" |
46e39c8e | 113 | exit 1 |
848ecfa4 | 114 | fi |
5acf154d MV |
115 | if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then |
116 | mkdir -p ${APT_DIR}/var/lib/apt/keyrings | |
848ecfa4 | 117 | fi |
e5543ea5 | 118 | keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING_URI) |
93886541 MV |
119 | old_mtime=0 |
120 | if [ -e $keyring ]; then | |
20ba2505 | 121 | old_mtime=$(stat -c %Y $keyring) |
93886541 | 122 | fi |
5acf154d | 123 | (cd ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) |
93886541 MV |
124 | if [ ! -e $keyring ]; then |
125 | return | |
126 | fi | |
20ba2505 | 127 | new_mtime=$(stat -c %Y $keyring) |
93886541 | 128 | if [ $new_mtime -ne $old_mtime ]; then |
3d0def05 | 129 | aptkey_echo "Checking for new archive signing keys now" |
93886541 MV |
130 | add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING |
131 | fi | |
848ecfa4 MV |
132 | } |
133 | ||
4a242c5b MV |
134 | update() { |
135 | if [ ! -f $ARCHIVE_KEYRING ]; then | |
136 | echo >&2 "ERROR: Can't find the archive-keyring" | |
5b2c6ddc | 137 | echo >&2 "Is the &keyring-package; package installed?" |
4a242c5b MV |
138 | exit 1 |
139 | fi | |
140 | ||
3a341a1d MV |
141 | # add new keys from the package; |
142 | ||
143 | # we do not use add_keys_with_verify_against_master_keyring here, | |
1171258a | 144 | # because "update" is run on regular package updates. A |
3a341a1d MV |
145 | # attacker might as well replace the master-archive-keyring file |
146 | # in the package and add his own keys. so this check wouldn't | |
147 | # add any security. we *need* this check on net-update though | |
148 | $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import | |
4a242c5b | 149 | |
364af2ef MV |
150 | if [ -r "$REMOVED_KEYS" ]; then |
151 | # remove no-longer supported/used keys | |
ba72845c | 152 | get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do |
5beb682d | 153 | foreach_keyring_do 'remove_key_from_keyring' "$key" |
364af2ef MV |
154 | done |
155 | else | |
84b286f6 | 156 | echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" |
364af2ef | 157 | fi |
4a242c5b MV |
158 | } |
159 | ||
04937adc | 160 | remove_key_from_keyring() { |
4b30c1dc DK |
161 | local KEYRINGFILE="$1" |
162 | shift | |
5beb682d DK |
163 | # non-existent keyrings have by definition no keys |
164 | if [ ! -e "$KEYRINGFILE" ]; then | |
165 | return | |
166 | fi | |
167 | ||
4b30c1dc | 168 | local GPG="$GPG_CMD --keyring $KEYRINGFILE" |
0b94a7bc | 169 | for KEY in "$@"; do |
4b30c1dc | 170 | # check if the key is in this keyring: the key id is in the 5 column at the end |
05f64ca2 | 171 | if ! get_fingerprints_of_keyring "$KEYRINGFILE" | grep -iq "^[0-9A-F]*${KEY}$"; then |
4b30c1dc DK |
172 | continue |
173 | fi | |
174 | if [ ! -w "$KEYRINGFILE" ]; then | |
175 | echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only." | |
176 | continue | |
177 | fi | |
178 | # check if it is the only key in the keyring and if so remove the keyring altogether | |
ba72845c | 179 | if [ '1' = "$(get_fingerprints_of_keyring "$KEYRINGFILE" | wc -l)" ]; then |
4b30c1dc DK |
180 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg |
181 | return | |
182 | fi | |
183 | # we can't just modify pointed to files as these might be in /usr or something | |
184 | local REALTARGET | |
185 | if [ -L "$KEYRINGFILE" ]; then | |
186 | REALTARGET="$(readlink -f "$KEYRINGFILE")" | |
187 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp" | |
188 | cp -a "$REALTARGET" "$KEYRINGFILE" | |
189 | fi | |
190 | # delete the key from the keyring | |
191 | $GPG --batch --delete-key --yes "$KEY" | |
192 | if [ -n "$REALTARGET" ]; then | |
193 | # the real backup is the old link, not the copy we made | |
194 | mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~" | |
195 | fi | |
196 | done | |
04937adc DK |
197 | } |
198 | ||
4b30c1dc DK |
199 | foreach_keyring_do() { |
200 | local ACTION="$1" | |
201 | shift | |
202 | # if a --keyring was given, just remove from there | |
203 | if [ -n "$FORCED_KEYRING" ]; then | |
204 | $ACTION "$FORCED_KEYRING" "$@" | |
205 | else | |
206 | # otherwise all known keyrings are up for inspection | |
5beb682d DK |
207 | if [ -s "$TRUSTEDFILE" ]; then |
208 | $ACTION "$TRUSTEDFILE" "$@" | |
209 | fi | |
4b30c1dc DK |
210 | local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" |
211 | eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) | |
212 | if [ -d "$TRUSTEDPARTS" ]; then | |
5beb682d DK |
213 | # strip / suffix as gpg will double-slash in that case (#665411) |
214 | local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" | |
215 | if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then | |
216 | TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" | |
217 | fi | |
4b30c1dc | 218 | for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do |
5beb682d DK |
219 | if [ -s "$trusted" ]; then |
220 | $ACTION "$trusted" "$@" | |
221 | fi | |
4b30c1dc | 222 | done |
04937adc | 223 | fi |
4b30c1dc | 224 | fi |
04937adc DK |
225 | } |
226 | ||
0b94a7bc | 227 | run_cmd_on_keyring() { |
5beb682d DK |
228 | local KEYRINGFILE="$1" |
229 | shift | |
0b94a7bc DK |
230 | # fingerprint and co will fail if key isn't in this keyring |
231 | $GPG_CMD --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true | |
5beb682d DK |
232 | } |
233 | ||
234 | import_keys_from_keyring() { | |
235 | local IMPORT="$1" | |
236 | local KEYRINGFILE="$2" | |
0dae96a2 DK |
237 | if ! $GPG_CMD --keyring "$KEYRINGFILE" --batch --import "$IMPORT" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then |
238 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
239 | false | |
240 | fi | |
241 | } | |
242 | ||
243 | merge_keys_into_keyrings() { | |
244 | local KEYRINGFILE="$1" | |
245 | local IMPORT="$2" | |
246 | if ! $GPG_CMD --keyring "$KEYRINGFILE" --batch --import --import-options 'merge-only' "$IMPORT" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
247 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
248 | false | |
249 | fi | |
250 | } | |
251 | ||
252 | merge_back_changes() { | |
253 | if [ -n "$FORCED_KEYRING" ]; then | |
254 | # if the keyring was forced merge is already done | |
255 | return | |
256 | fi | |
257 | if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then | |
258 | # merge all updated keys | |
259 | foreach_keyring_do 'merge_keys_into_keyrings' "${GPGHOMEDIR}/pubring.gpg" | |
260 | fi | |
0b94a7bc | 261 | # look for keys which were added or removed |
0dae96a2 DK |
262 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.orig.gpg" > "${GPGHOMEDIR}/pubring.orig.keylst" |
263 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.gpg" > "${GPGHOMEDIR}/pubring.keylst" | |
0dae96a2 DK |
264 | sort "${GPGHOMEDIR}/pubring.keylst" "${GPGHOMEDIR}/pubring.orig.keylst" | uniq --unique | while read key; do |
265 | if grep -q "^${key}$" "${GPGHOMEDIR}/pubring.orig.keylst"; then | |
266 | # key isn't part of new keyring, so remove | |
267 | foreach_keyring_do 'remove_key_from_keyring' "$key" | |
268 | elif grep -q "^${key}$" "${GPGHOMEDIR}/pubring.keylst"; then | |
269 | # key is part of new keyring, so we need to import it | |
270 | create_new_keyring "$TRUSTEDFILE" | |
271 | if ! $GPG --batch --yes --export "$key" | $GPG_CMD --keyring "$TRUSTEDFILE" --batch --yes --import > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
272 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
273 | false | |
274 | fi | |
275 | else | |
276 | echo >&2 "Errror: Key ${key} (dis)appeared out of nowhere" | |
277 | fi | |
278 | done | |
5beb682d DK |
279 | } |
280 | ||
281 | setup_merged_keyring() { | |
0740a310 | 282 | if [ -z "$FORCED_KEYRING" ]; then |
0740a310 | 283 | foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg" |
0dae96a2 DK |
284 | if [ -r "${GPGHOMEDIR}/pubring.gpg" ]; then |
285 | cp -a "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
286 | else | |
287 | touch "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
0740a310 | 288 | fi |
0dae96a2 DK |
289 | GPG="$GPG --keyring ${GPGHOMEDIR}/pubring.gpg" |
290 | else | |
291 | GPG="$GPG --keyring $TRUSTEDFILE" | |
292 | create_new_keyring "$TRUSTEDFILE" | |
5beb682d DK |
293 | fi |
294 | } | |
295 | ||
0dae96a2 DK |
296 | create_new_keyring() { |
297 | # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. | |
298 | if ! [ -e "$TRUSTEDFILE" ]; then | |
299 | if [ -w "$(dirname "$TRUSTEDFILE")" ]; then | |
300 | touch -- "$TRUSTEDFILE" | |
301 | chmod 0644 -- "$TRUSTEDFILE" | |
302 | fi | |
303 | fi | |
304 | } | |
5beb682d | 305 | |
b3d44315 | 306 | usage() { |
46e39c8e | 307 | echo "Usage: apt-key [--keyring file] [command] [arguments]" |
b3d44315 MV |
308 | echo |
309 | echo "Manage apt's list of trusted keys" | |
310 | echo | |
311 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
312 | echo " apt-key del <keyid> - remove the key <keyid>" | |
bf6d5b42 OS |
313 | echo " apt-key export <keyid> - output the key <keyid>" |
314 | echo " apt-key exportall - output all trusted keys" | |
4a242c5b | 315 | echo " apt-key update - update keys using the keyring package" |
848ecfa4 | 316 | echo " apt-key net-update - update keys using the network" |
b3d44315 | 317 | echo " apt-key list - list keys" |
a8cabc8f LB |
318 | echo " apt-key finger - list fingerprints" |
319 | echo " apt-key adv - pass advanced options to gpg (download key)" | |
b3d44315 | 320 | echo |
46e39c8e | 321 | echo "If no specific keyring file is given the command applies to all keyring files." |
b3d44315 MV |
322 | } |
323 | ||
3dc55197 DK |
324 | while [ -n "$1" ]; do |
325 | case "$1" in | |
326 | --keyring) | |
327 | shift | |
328 | TRUSTEDFILE="$1" | |
04937adc | 329 | FORCED_KEYRING="$1" |
3dc55197 | 330 | ;; |
bd7fb5aa DK |
331 | --secret-keyring) |
332 | shift | |
333 | FORCED_SECRET_KEYRING="$1" | |
33a22672 DK |
334 | ;; |
335 | --readonly) | |
336 | merge_back_changes() { true; } | |
bd7fb5aa | 337 | ;; |
3dc55197 DK |
338 | --fakeroot) |
339 | requires_root() { true; } | |
3dc55197 | 340 | ;; |
3d0def05 DK |
341 | --quiet) |
342 | aptkey_echo() { true; } | |
3d0def05 | 343 | ;; |
3dc55197 DK |
344 | --*) |
345 | echo >&2 "Unknown option: $1" | |
346 | usage | |
347 | exit 1;; | |
348 | *) | |
349 | break;; | |
350 | esac | |
33a22672 | 351 | shift |
3dc55197 DK |
352 | done |
353 | ||
354 | if [ -z "$TRUSTEDFILE" ]; then | |
355 | TRUSTEDFILE="/etc/apt/trusted.gpg" | |
356 | eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) | |
357 | eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) | |
46e39c8e | 358 | fi |
46e39c8e | 359 | |
b3d44315 MV |
360 | command="$1" |
361 | if [ -z "$command" ]; then | |
362 | usage | |
363 | exit 1 | |
364 | fi | |
365 | shift | |
366 | ||
9fda3be1 | 367 | if [ "$command" != "help" ]; then |
93d0d08c DK |
368 | eval $(apt-config shell GPG_EXE Apt::Key::gpgcommand) |
369 | ||
370 | if [ -n "$GPG_EXE" ] && which "$GPG_EXE" >/dev/null 2>&1; then | |
371 | true | |
372 | elif which gpg >/dev/null 2>&1; then | |
373 | GPG_EXE="gpg" | |
374 | elif which gpg2 >/dev/null 2>&1; then | |
375 | GPG_EXE="gpg2" | |
376 | else | |
377 | echo >&2 "Error: gnupg or gnupg2 do not seem to be installed," | |
378 | echo >&2 "Error: but apt-key requires gnupg or gnupg2 for operation." | |
9fda3be1 | 379 | echo >&2 |
93d0d08c | 380 | exit 255 |
9fda3be1 DK |
381 | fi |
382 | ||
93d0d08c | 383 | GPG_CMD="$GPG_EXE --ignore-time-conflict --no-options --no-default-keyring" |
05991180 DK |
384 | |
385 | # gpg needs (in different versions more or less) files to function correctly, | |
386 | # so we give it its own homedir and generate some valid content for it | |
0d303f17 DK |
387 | if [ -n "$TMPDIR" ]; then |
388 | # tmpdir is a directory and current user has rwx access to it | |
389 | # same tests as in apt-pkg/contrib/fileutl.cc GetTempDir() | |
390 | if [ ! -d "$TMPDIR" ] || [ ! -r "$TMPDIR" ] || [ ! -w "$TMPDIR" ] || [ ! -x "$TMPDIR" ]; then | |
391 | unset TMPDIR | |
392 | fi | |
7ffac4c1 | 393 | fi |
05991180 DK |
394 | GPGHOMEDIR="$(mktemp -d)" |
395 | CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';" | |
396 | trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM | |
397 | chmod 700 "$GPGHOMEDIR" | |
398 | # We don't use a secret keyring, of course, but gpg panics and | |
399 | # implodes if there isn't one available - and writeable for imports | |
400 | SECRETKEYRING="${GPGHOMEDIR}/secring.gpg" | |
401 | touch $SECRETKEYRING | |
402 | GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR" | |
403 | # create the trustdb with an (empty) dummy keyring | |
404 | # older gpgs required it, newer gpgs even warn that it isn't needed, | |
405 | # but require it nonetheless for some commands, so we just play safe | |
406 | # here for the foreseeable future and create a dummy one | |
407 | $GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1 | |
408 | # tell gpg that it shouldn't try to maintain a trustdb file | |
409 | GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" | |
410 | GPG="$GPG_CMD" | |
411 | ||
bd7fb5aa DK |
412 | # for advanced operations, we might really need a secret keyring after all |
413 | if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then | |
414 | rm -f "$SECRETKEYRING" | |
415 | cp -a "$FORCED_SECRET_KEYRING" "$SECRETKEYRING" | |
416 | fi | |
b3d44315 MV |
417 | fi |
418 | ||
b3d44315 MV |
419 | case "$command" in |
420 | add) | |
5beb682d DK |
421 | requires_root |
422 | setup_merged_keyring | |
423 | $GPG --quiet --batch --import "$@" | |
0dae96a2 | 424 | merge_back_changes |
5beb682d | 425 | aptkey_echo "OK" |
b3d44315 MV |
426 | ;; |
427 | del|rm|remove) | |
5beb682d DK |
428 | requires_root |
429 | foreach_keyring_do 'remove_key_from_keyring' "$@" | |
430 | aptkey_echo "OK" | |
b3d44315 | 431 | ;; |
4a242c5b | 432 | update) |
5beb682d DK |
433 | requires_root |
434 | setup_merged_keyring | |
4a242c5b | 435 | update |
0dae96a2 | 436 | merge_back_changes |
4a242c5b | 437 | ;; |
848ecfa4 | 438 | net-update) |
5beb682d DK |
439 | requires_root |
440 | setup_merged_keyring | |
848ecfa4 | 441 | net_update |
0dae96a2 | 442 | merge_back_changes |
848ecfa4 | 443 | ;; |
b3d44315 | 444 | list) |
0b94a7bc | 445 | foreach_keyring_do 'run_cmd_on_keyring' --list-keys "$@" |
5beb682d | 446 | ;; |
b3d44315 | 447 | finger*) |
0b94a7bc | 448 | foreach_keyring_do 'run_cmd_on_keyring' --fingerprint "$@" |
5beb682d | 449 | ;; |
4f51a496 | 450 | export|exportall) |
38005d8b DK |
451 | foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg" |
452 | $GPG_CMD --keyring "${GPGHOMEDIR}/pubring.gpg" --armor --export "$@" | |
5beb682d | 453 | ;; |
b3d44315 | 454 | adv*) |
5beb682d DK |
455 | setup_merged_keyring |
456 | aptkey_echo "Executing: $GPG $*" | |
457 | $GPG "$@" | |
0dae96a2 | 458 | merge_back_changes |
5beb682d | 459 | ;; |
c46a36ad DK |
460 | verify) |
461 | setup_merged_keyring | |
462 | if which gpgv >/dev/null 2>&1; then | |
463 | gpgv --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@" | |
464 | else | |
465 | $GPG --verify "$@" | |
466 | fi | |
467 | ;; | |
b3d44315 MV |
468 | help) |
469 | usage | |
470 | ;; | |
471 | *) | |
472 | usage | |
473 | exit 1 | |
474 | ;; | |
475 | esac |