]>
Commit | Line | Data |
---|---|---|
b3d44315 MV |
1 | #!/bin/sh |
2 | ||
3 | set -e | |
dac074b0 | 4 | unset GREP_OPTIONS |
fecfbf2e | 5 | export IFS="$(printf "\n\b")" |
b3d44315 | 6 | |
5b2c6ddc | 7 | MASTER_KEYRING='&keyring-master-filename;' |
bc8f83a5 | 8 | eval "$(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)" |
5b2c6ddc | 9 | ARCHIVE_KEYRING='&keyring-filename;' |
bc8f83a5 | 10 | eval "$(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)" |
5b2c6ddc | 11 | REMOVED_KEYS='&keyring-removed-filename;' |
bc8f83a5 | 12 | eval "$(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)" |
5b2c6ddc | 13 | ARCHIVE_KEYRING_URI='&keyring-uri;' |
bc8f83a5 | 14 | eval "$(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)" |
4a242c5b | 15 | |
3d0def05 DK |
16 | aptkey_echo() { echo "$@"; } |
17 | ||
00c6e1a3 MV |
18 | requires_root() { |
19 | if [ "$(id -u)" -ne 0 ]; then | |
84b286f6 | 20 | echo >&2 "ERROR: This command can only be used by root." |
00c6e1a3 MV |
21 | exit 1 |
22 | fi | |
23 | } | |
24 | ||
e23ee4c2 DK |
25 | command_available() { |
26 | # command -v "$1" >/dev/null 2>&1 # not required by policy, see #747320 | |
27 | # which "$1" >/dev/null 2>&1 # is in debianutils (essential) but not on non-debian systems | |
28 | local OLDIFS="$IFS" | |
29 | IFS=: | |
30 | for p in $PATH; do | |
31 | if [ -x "${p}/${1}" ]; then | |
32 | IFS="$OLDIFS" | |
33 | return 0 | |
34 | fi | |
35 | done | |
36 | IFS="$OLDIFS" | |
37 | return 1 | |
38 | } | |
39 | ||
bc8f83a5 DK |
40 | escape_shell() { |
41 | echo "$@" | sed -e "s#'#'\"'\"'#g" | |
42 | } | |
43 | ||
ba72845c | 44 | get_fingerprints_of_keyring() { |
fecfbf2e | 45 | aptkey_execute "$GPG_SH" --keyring "$1" --with-colons --fingerprint | while read publine; do |
ba72845c DK |
46 | # search for a public key |
47 | if [ "${publine%%:*}" != 'pub' ]; then continue; fi | |
48 | # search for the associated fingerprint (should be the very next line) | |
49 | while read fprline; do | |
50 | if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen | |
51 | elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi | |
52 | echo "$fprline" | cut -d':' -f 10 | |
53 | done | |
25f27319 DK |
54 | # order in the keyring shouldn't be important |
55 | done | sort | |
ba72845c DK |
56 | } |
57 | ||
7fbe42c0 | 58 | add_keys_with_verify_against_master_keyring() { |
bc8f83a5 DK |
59 | ADD_KEYRING="$1" |
60 | MASTER="$2" | |
f87338d2 | 61 | |
8c56b1e0 | 62 | if [ ! -f "$ADD_KEYRING" ]; then |
84b286f6 | 63 | echo >&2 "ERROR: '$ADD_KEYRING' not found" |
8c56b1e0 | 64 | return |
84b286f6 | 65 | fi |
8c56b1e0 | 66 | if [ ! -f "$MASTER" ]; then |
84b286f6 | 67 | echo >&2 "ERROR: '$MASTER' not found" |
8c56b1e0 MV |
68 | return |
69 | fi | |
70 | ||
71 | # when adding new keys, make sure that the archive-master-keyring | |
72 | # is honored. so: | |
3a341a1d MV |
73 | # all keys that are exported must have a valid signature |
74 | # from a key in the $distro-master-keyring | |
ba72845c | 75 | add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")" |
bc8f83a5 DK |
76 | all_add_keys="$(aptkey_execute "$GPG_SH" --keyring "$ADD_KEYRING" --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5)" |
77 | master_keys="$(aptkey_execute "$GPG_SH" --keyring "$MASTER" --with-colons --list-keys | grep ^pub | cut -d: -f5)" | |
f87338d2 DK |
78 | |
79 | # ensure there are no colisions LP: #857472 | |
80 | for all_add_key in $all_add_keys; do | |
81 | for master_key in $master_keys; do | |
82 | if [ "$all_add_key" = "$master_key" ]; then | |
83 | echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" | |
84 | return 1 | |
85 | fi | |
86 | done | |
87 | done | |
0dae96a2 | 88 | |
8c56b1e0 | 89 | for add_key in $add_keys; do |
f87338d2 | 90 | # export the add keyring one-by-one |
0dae96a2 | 91 | local TMP_KEYRING="${GPGHOMEDIR}/tmp-keyring.gpg" |
fecfbf2e DK |
92 | aptkey_execute "$GPG_SH" --batch --yes --keyring "$ADD_KEYRING" --output "$TMP_KEYRING" --export "$add_key" |
93 | if ! aptkey_execute "$GPG_SH" --batch --yes --keyring "$TMP_KEYRING" --import "$MASTER" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
c1642be5 | 94 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
0dae96a2 DK |
95 | false |
96 | fi | |
97 | # check if signed with the master key and only add in this case | |
98 | ADDED=0 | |
8c56b1e0 | 99 | for master_key in $master_keys; do |
fecfbf2e DK |
100 | if aptkey_execute "$GPG_SH" --keyring "$TMP_KEYRING" --check-sigs --with-colons "$add_key" \ |
101 | | grep '^sig:!:' | cut -d: -f5 | grep -q "$master_key"; then | |
102 | aptkey_execute "$GPG_SH" --batch --yes --keyring "$ADD_KEYRING" --export "$add_key" \ | |
103 | | aptkey_execute "$GPG" --batch --yes --import | |
c9bb37c7 | 104 | ADDED=1 |
8c56b1e0 | 105 | fi |
7fbe42c0 | 106 | done |
c9bb37c7 MV |
107 | if [ $ADDED = 0 ]; then |
108 | echo >&2 "Key '$add_key' not added. It is not signed with a master key" | |
109 | fi | |
0dae96a2 | 110 | rm -f "${TMP_KEYRING}" |
8c56b1e0 | 111 | done |
7fbe42c0 | 112 | } |
4a242c5b | 113 | |
848ecfa4 MV |
114 | # update the current archive signing keyring from a network URI |
115 | # the archive-keyring keys needs to be signed with the master key | |
116 | # (otherwise it does not make sense from a security POV) | |
117 | net_update() { | |
bc8f83a5 DK |
118 | local APT_DIR='/' |
119 | eval $(apt-config shell APT_DIR Dir) | |
120 | ||
f87338d2 | 121 | # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) |
5acf154d MV |
122 | APT_KEY_NET_UPDATE_ENABLED="" |
123 | eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled) | |
124 | if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then | |
125 | exit 1 | |
126 | fi | |
f87338d2 | 127 | |
848ecfa4 | 128 | if [ -z "$ARCHIVE_KEYRING_URI" ]; then |
00c6e1a3 | 129 | echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" |
46e39c8e MV |
130 | exit 1 |
131 | fi | |
132 | # in theory we would need to depend on wget for this, but this feature | |
133 | # isn't useable in debian anyway as we have no keyring uri nor a master key | |
e23ee4c2 | 134 | if ! command_available 'wget'; then |
00c6e1a3 | 135 | echo >&2 "ERROR: an installed wget is required for a network-based update" |
46e39c8e | 136 | exit 1 |
848ecfa4 | 137 | fi |
fecfbf2e DK |
138 | if [ ! -d "${APT_DIR}/var/lib/apt/keyrings" ]; then |
139 | mkdir -p "${APT_DIR}/var/lib/apt/keyrings" | |
848ecfa4 | 140 | fi |
fecfbf2e | 141 | keyring="${APT_DIR}/var/lib/apt/keyrings/$(basename "$ARCHIVE_KEYRING_URI")" |
93886541 MV |
142 | old_mtime=0 |
143 | if [ -e $keyring ]; then | |
bc8f83a5 | 144 | old_mtime=$(stat -c %Y "$keyring") |
93886541 | 145 | fi |
fecfbf2e DK |
146 | (cd "${APT_DIR}/var/lib/apt/keyrings"; wget --timeout=90 -q -N "$ARCHIVE_KEYRING_URI") |
147 | if [ ! -e "$keyring" ]; then | |
93886541 MV |
148 | return |
149 | fi | |
fecfbf2e | 150 | new_mtime=$(stat -c %Y "$keyring") |
93886541 | 151 | if [ $new_mtime -ne $old_mtime ]; then |
3d0def05 | 152 | aptkey_echo "Checking for new archive signing keys now" |
fecfbf2e | 153 | add_keys_with_verify_against_master_keyring "$keyring" "$MASTER_KEYRING" |
93886541 | 154 | fi |
848ecfa4 MV |
155 | } |
156 | ||
4a242c5b | 157 | update() { |
fecfbf2e | 158 | if [ ! -f "$ARCHIVE_KEYRING" ]; then |
4a242c5b | 159 | echo >&2 "ERROR: Can't find the archive-keyring" |
5b2c6ddc | 160 | echo >&2 "Is the &keyring-package; package installed?" |
4a242c5b MV |
161 | exit 1 |
162 | fi | |
163 | ||
3a341a1d MV |
164 | # add new keys from the package; |
165 | ||
166 | # we do not use add_keys_with_verify_against_master_keyring here, | |
1171258a | 167 | # because "update" is run on regular package updates. A |
3a341a1d MV |
168 | # attacker might as well replace the master-archive-keyring file |
169 | # in the package and add his own keys. so this check wouldn't | |
170 | # add any security. we *need* this check on net-update though | |
f14cde2c | 171 | import_keyring_into_keyring "$ARCHIVE_KEYRING" '' && cat "${GPGHOMEDIR}/gpgoutput.log" |
4a242c5b | 172 | |
364af2ef MV |
173 | if [ -r "$REMOVED_KEYS" ]; then |
174 | # remove no-longer supported/used keys | |
ba72845c | 175 | get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do |
5beb682d | 176 | foreach_keyring_do 'remove_key_from_keyring' "$key" |
364af2ef MV |
177 | done |
178 | else | |
84b286f6 | 179 | echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" |
364af2ef | 180 | fi |
4a242c5b MV |
181 | } |
182 | ||
04937adc | 183 | remove_key_from_keyring() { |
4b30c1dc DK |
184 | local KEYRINGFILE="$1" |
185 | shift | |
5beb682d DK |
186 | # non-existent keyrings have by definition no keys |
187 | if [ ! -e "$KEYRINGFILE" ]; then | |
188 | return | |
189 | fi | |
190 | ||
0b94a7bc | 191 | for KEY in "$@"; do |
25f27319 DK |
192 | local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst" |
193 | get_fingerprints_of_keyring "$KEYRINGFILE" > "$FINGERPRINTS" | |
f7bd44ba DKG |
194 | |
195 | # strip leading 0x, if present: | |
031a3f25 | 196 | KEY="${KEY#0x}" |
f7bd44ba | 197 | |
25f27319 DK |
198 | # check if the key is in this keyring |
199 | if ! grep -iq "^[0-9A-F]*${KEY}$" "$FINGERPRINTS"; then | |
4b30c1dc DK |
200 | continue |
201 | fi | |
202 | if [ ! -w "$KEYRINGFILE" ]; then | |
203 | echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only." | |
204 | continue | |
205 | fi | |
206 | # check if it is the only key in the keyring and if so remove the keyring altogether | |
25f27319 | 207 | if [ '1' = "$(uniq "$FINGERPRINTS" | wc -l)" ]; then |
4b30c1dc DK |
208 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg |
209 | return | |
210 | fi | |
211 | # we can't just modify pointed to files as these might be in /usr or something | |
212 | local REALTARGET | |
213 | if [ -L "$KEYRINGFILE" ]; then | |
214 | REALTARGET="$(readlink -f "$KEYRINGFILE")" | |
215 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp" | |
216 | cp -a "$REALTARGET" "$KEYRINGFILE" | |
217 | fi | |
218 | # delete the key from the keyring | |
fecfbf2e | 219 | aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch --delete-keys --yes "$KEY" |
4b30c1dc DK |
220 | if [ -n "$REALTARGET" ]; then |
221 | # the real backup is the old link, not the copy we made | |
222 | mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~" | |
223 | fi | |
224 | done | |
04937adc DK |
225 | } |
226 | ||
4b30c1dc DK |
227 | foreach_keyring_do() { |
228 | local ACTION="$1" | |
229 | shift | |
b0d40854 | 230 | # if a --keyring was given, just work on this one |
4b30c1dc DK |
231 | if [ -n "$FORCED_KEYRING" ]; then |
232 | $ACTION "$FORCED_KEYRING" "$@" | |
233 | else | |
234 | # otherwise all known keyrings are up for inspection | |
5beb682d DK |
235 | if [ -s "$TRUSTEDFILE" ]; then |
236 | $ACTION "$TRUSTEDFILE" "$@" | |
237 | fi | |
4b30c1dc | 238 | local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" |
bc8f83a5 | 239 | eval "$(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)" |
4b30c1dc | 240 | if [ -d "$TRUSTEDPARTS" ]; then |
5beb682d DK |
241 | # strip / suffix as gpg will double-slash in that case (#665411) |
242 | local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" | |
243 | if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then | |
244 | TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" | |
245 | fi | |
80441902 | 246 | for trusted in $(find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -regex '^.*\.gpg$' | sort); do |
5beb682d DK |
247 | if [ -s "$trusted" ]; then |
248 | $ACTION "$trusted" "$@" | |
249 | fi | |
4b30c1dc | 250 | done |
04937adc | 251 | fi |
4b30c1dc | 252 | fi |
04937adc DK |
253 | } |
254 | ||
0b94a7bc | 255 | run_cmd_on_keyring() { |
5beb682d DK |
256 | local KEYRINGFILE="$1" |
257 | shift | |
0b94a7bc | 258 | # fingerprint and co will fail if key isn't in this keyring |
fecfbf2e | 259 | aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true |
5beb682d DK |
260 | } |
261 | ||
f14cde2c DK |
262 | import_keyring_into_keyring() { |
263 | local FROM="${1:-${GPGHOMEDIR}/pubring.gpg}" | |
264 | local TO="${2:-${GPGHOMEDIR}/pubring.gpg}" | |
265 | shift 2 | |
266 | rm -f "${GPGHOMEDIR}/gpgoutput.log" | |
267 | # the idea is simple: We take keys from one keyring and copy it to another | |
3a8776a3 | 268 | # we do this with so many checks in between to ensure that WE control the |
f14cde2c DK |
269 | # creation, so we know that the (potentially) created $TO keyring is a |
270 | # simple keyring rather than a keybox as gpg2 would create it which in turn | |
271 | # can't be read by gpgv. | |
272 | # BEWARE: This is designed more in the way to work with the current | |
273 | # callers, than to have a well defined it would be easy to add new callers to. | |
274 | if [ ! -s "$TO" ]; then | |
275 | if [ -s "$FROM" ]; then | |
276 | if [ -z "$2" ]; then | |
fecfbf2e | 277 | if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${1:+"$1"} > "$TO" 2> "${GPGHOMEDIR}/gpgoutput.log"; then |
f14cde2c DK |
278 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
279 | false | |
280 | else | |
281 | chmod 0644 -- "$TO" | |
282 | fi | |
283 | else | |
284 | create_new_keyring "$TO" | |
285 | fi | |
286 | else | |
287 | create_new_keyring "$TO" | |
288 | fi | |
289 | elif [ -s "$FROM" ]; then | |
290 | local EXPORTLIMIT="$1" | |
291 | if [ -n "$1$2" ]; then shift; fi | |
fecfbf2e DK |
292 | if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${EXPORTLIMIT:+"$EXPORTLIMIT"} \ |
293 | | aptkey_execute "$GPG_SH" --keyring "$TO" --batch --import "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
f14cde2c DK |
294 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
295 | false | |
296 | fi | |
0dae96a2 DK |
297 | fi |
298 | } | |
299 | ||
25f27319 DK |
300 | merge_all_trusted_keyrings_into_pubring() { |
301 | # does the same as: | |
302 | # foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg" | |
303 | # but without using gpg, just cat and find | |
304 | local PUBRING="${GPGHOMEDIR}/pubring.gpg" | |
305 | # if a --keyring was given, just use this one | |
306 | if [ -n "$FORCED_KEYRING" ]; then | |
307 | if [ -s "$FORCED_KEYRING" ]; then | |
308 | cp --dereference "$FORCED_KEYRING" "$PUBRING" | |
309 | fi | |
310 | else | |
311 | # otherwise all known keyrings are merged | |
312 | local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" | |
313 | eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) | |
314 | if [ -d "$TRUSTEDPARTS" ]; then | |
315 | # ignore errors mostly for non-existing $TRUSTEDFILE | |
fecfbf2e DK |
316 | { |
317 | cat "$TRUSTEDFILE" || true | |
318 | for parts in $(find -L "$TRUSTEDPARTS" -type f -name '*.gpg'); do | |
319 | cat "$parts" || true | |
320 | done | |
321 | } > "$PUBRING" 2>/dev/null | |
25f27319 DK |
322 | elif [ -s "$TRUSTEDFILE" ]; then |
323 | cp --dereference "$TRUSTEDFILE" "$PUBRING" | |
324 | fi | |
325 | fi | |
326 | ||
327 | if [ ! -s "$PUBRING" ]; then | |
328 | touch "$PUBRING" | |
329 | fi | |
330 | } | |
331 | ||
f14cde2c DK |
332 | import_keys_from_keyring() { |
333 | import_keyring_into_keyring "$1" "$2" | |
334 | } | |
335 | ||
0dae96a2 | 336 | merge_keys_into_keyrings() { |
f14cde2c | 337 | import_keyring_into_keyring "$2" "$1" '' --import-options 'merge-only' |
0dae96a2 DK |
338 | } |
339 | ||
340 | merge_back_changes() { | |
341 | if [ -n "$FORCED_KEYRING" ]; then | |
342 | # if the keyring was forced merge is already done | |
343 | return | |
344 | fi | |
345 | if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then | |
346 | # merge all updated keys | |
347 | foreach_keyring_do 'merge_keys_into_keyrings' "${GPGHOMEDIR}/pubring.gpg" | |
348 | fi | |
0b94a7bc | 349 | # look for keys which were added or removed |
0dae96a2 DK |
350 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.orig.gpg" > "${GPGHOMEDIR}/pubring.orig.keylst" |
351 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.gpg" > "${GPGHOMEDIR}/pubring.keylst" | |
25f27319 DK |
352 | comm -3 "${GPGHOMEDIR}/pubring.keylst" "${GPGHOMEDIR}/pubring.orig.keylst" > "${GPGHOMEDIR}/pubring.diff" |
353 | # key isn't part of new keyring, so remove | |
354 | cut -f 2 "${GPGHOMEDIR}/pubring.diff" | while read key; do | |
355 | if [ -z "$key" ]; then continue; fi | |
356 | foreach_keyring_do 'remove_key_from_keyring' "$key" | |
357 | done | |
358 | # key is only part of new keyring, so we need to import it | |
359 | cut -f 1 "${GPGHOMEDIR}/pubring.diff" | while read key; do | |
360 | if [ -z "$key" ]; then continue; fi | |
361 | import_keyring_into_keyring '' "$TRUSTEDFILE" "$key" | |
0dae96a2 | 362 | done |
5beb682d DK |
363 | } |
364 | ||
365 | setup_merged_keyring() { | |
b0d40854 | 366 | if [ -n "$FORCED_KEYID" ]; then |
25f27319 | 367 | merge_all_trusted_keyrings_into_pubring |
b0d40854 DK |
368 | FORCED_KEYRING="${GPGHOMEDIR}/forcedkeyid.gpg" |
369 | TRUSTEDFILE="${FORCED_KEYRING}" | |
fecfbf2e | 370 | echo "#!/bin/sh |
bc8f83a5 | 371 | exec sh '($(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh" |
fecfbf2e | 372 | GPG="${GPGHOMEDIR}/gpg.1.sh" |
b0d40854 | 373 | # ignore error as this "just" means we haven't found the forced keyid and the keyring will be empty |
f14cde2c | 374 | import_keyring_into_keyring '' "$TRUSTEDFILE" "$FORCED_KEYID" || true |
b0d40854 | 375 | elif [ -z "$FORCED_KEYRING" ]; then |
25f27319 | 376 | merge_all_trusted_keyrings_into_pubring |
0dae96a2 DK |
377 | if [ -r "${GPGHOMEDIR}/pubring.gpg" ]; then |
378 | cp -a "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
379 | else | |
380 | touch "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
0740a310 | 381 | fi |
fecfbf2e | 382 | echo "#!/bin/sh |
bc8f83a5 | 383 | exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${GPGHOMEDIR}/pubring.gpg")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh" |
fecfbf2e | 384 | GPG="${GPGHOMEDIR}/gpg.1.sh" |
0dae96a2 | 385 | else |
0dae96a2 | 386 | create_new_keyring "$TRUSTEDFILE" |
fecfbf2e | 387 | echo "#!/bin/sh |
bc8f83a5 | 388 | exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh" |
fecfbf2e | 389 | GPG="${GPGHOMEDIR}/gpg.1.sh" |
5beb682d DK |
390 | fi |
391 | } | |
392 | ||
0dae96a2 DK |
393 | create_new_keyring() { |
394 | # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. | |
395 | if ! [ -e "$TRUSTEDFILE" ]; then | |
396 | if [ -w "$(dirname "$TRUSTEDFILE")" ]; then | |
397 | touch -- "$TRUSTEDFILE" | |
398 | chmod 0644 -- "$TRUSTEDFILE" | |
399 | fi | |
400 | fi | |
401 | } | |
5beb682d | 402 | |
fecfbf2e DK |
403 | aptkey_execute() { sh "$@"; } |
404 | ||
b3d44315 | 405 | usage() { |
46e39c8e | 406 | echo "Usage: apt-key [--keyring file] [command] [arguments]" |
b3d44315 MV |
407 | echo |
408 | echo "Manage apt's list of trusted keys" | |
409 | echo | |
410 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
411 | echo " apt-key del <keyid> - remove the key <keyid>" | |
bf6d5b42 OS |
412 | echo " apt-key export <keyid> - output the key <keyid>" |
413 | echo " apt-key exportall - output all trusted keys" | |
4a242c5b | 414 | echo " apt-key update - update keys using the keyring package" |
848ecfa4 | 415 | echo " apt-key net-update - update keys using the network" |
b3d44315 | 416 | echo " apt-key list - list keys" |
a8cabc8f LB |
417 | echo " apt-key finger - list fingerprints" |
418 | echo " apt-key adv - pass advanced options to gpg (download key)" | |
b3d44315 | 419 | echo |
46e39c8e | 420 | echo "If no specific keyring file is given the command applies to all keyring files." |
b3d44315 MV |
421 | } |
422 | ||
3dc55197 DK |
423 | while [ -n "$1" ]; do |
424 | case "$1" in | |
425 | --keyring) | |
426 | shift | |
427 | TRUSTEDFILE="$1" | |
04937adc | 428 | FORCED_KEYRING="$1" |
3dc55197 | 429 | ;; |
b0d40854 DK |
430 | --keyid) |
431 | shift | |
432 | FORCED_KEYID="$1" | |
433 | ;; | |
bd7fb5aa DK |
434 | --secret-keyring) |
435 | shift | |
436 | FORCED_SECRET_KEYRING="$1" | |
33a22672 DK |
437 | ;; |
438 | --readonly) | |
439 | merge_back_changes() { true; } | |
fecfbf2e | 440 | create_new_keyring() { if [ ! -r "$FORCED_KEYRING" ]; then TRUSTEDFILE='/dev/null'; FORCED_KEYRING="$TRUSTEDFILE"; fi; } |
bd7fb5aa | 441 | ;; |
3dc55197 DK |
442 | --fakeroot) |
443 | requires_root() { true; } | |
3dc55197 | 444 | ;; |
3d0def05 DK |
445 | --quiet) |
446 | aptkey_echo() { true; } | |
3d0def05 | 447 | ;; |
c1642be5 DK |
448 | --debug1) |
449 | # some cmds like finger redirect stderr to /dev/null … | |
fecfbf2e | 450 | aptkey_execute() { echo 'EXEC:' "$@"; sh "$@"; } |
c1642be5 DK |
451 | ;; |
452 | --debug2) | |
453 | # … other more complicated ones pipe gpg into gpg. | |
fecfbf2e | 454 | aptkey_execute() { echo >&2 'EXEC:' "$@"; sh "$@"; } |
c1642be5 | 455 | ;; |
3dc55197 DK |
456 | --*) |
457 | echo >&2 "Unknown option: $1" | |
458 | usage | |
459 | exit 1;; | |
460 | *) | |
461 | break;; | |
462 | esac | |
33a22672 | 463 | shift |
3dc55197 DK |
464 | done |
465 | ||
466 | if [ -z "$TRUSTEDFILE" ]; then | |
467 | TRUSTEDFILE="/etc/apt/trusted.gpg" | |
468 | eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) | |
469 | eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) | |
46e39c8e | 470 | fi |
46e39c8e | 471 | |
b3d44315 MV |
472 | command="$1" |
473 | if [ -z "$command" ]; then | |
474 | usage | |
475 | exit 1 | |
476 | fi | |
477 | shift | |
478 | ||
25f27319 DK |
479 | create_gpg_home() { |
480 | # gpg needs (in different versions more or less) files to function correctly, | |
481 | # so we give it its own homedir and generate some valid content for it later on | |
482 | if [ -n "$TMPDIR" ]; then | |
483 | # tmpdir is a directory and current user has rwx access to it | |
484 | # same tests as in apt-pkg/contrib/fileutl.cc GetTempDir() | |
485 | if [ ! -d "$TMPDIR" ] || [ ! -r "$TMPDIR" ] || [ ! -w "$TMPDIR" ] || [ ! -x "$TMPDIR" ]; then | |
486 | unset TMPDIR | |
487 | fi | |
488 | fi | |
489 | GPGHOMEDIR="$(mktemp -d)" | |
bc8f83a5 | 490 | CURRENTTRAP="${CURRENTTRAP} rm -rf '$(escape_shell "${GPGHOMEDIR}")';" |
25f27319 DK |
491 | trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM |
492 | chmod 700 "$GPGHOMEDIR" | |
493 | } | |
494 | ||
495 | prepare_gpg_home() { | |
5f17b19f DK |
496 | # crude detection if we are called from a maintainerscript where the |
497 | # package depends on gnupg or not. We accept recommends here as | |
498 | # well as the script hopefully uses apt-key optionally then like e.g. | |
499 | # debian-archive-keyring for (upgrade) cleanup did | |
500 | if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ]; then | |
2e49f519 | 501 | if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}\n' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -q gnupg; then |
5f17b19f DK |
502 | cat >&2 <<EOF |
503 | Warning: The $DPKG_MAINTSCRIPT_NAME maintainerscript of the package $DPKG_MAINTSCRIPT_PACKAGE | |
504 | Warning: seems to use apt-key (provided by apt) without depending on gnupg or gnupg2. | |
505 | Warning: This will BREAK in the future and should be fixed by the package maintainer(s). | |
506 | Note: Check first if apt-key functionality is needed at all - it probably isn't! | |
507 | EOF | |
508 | fi | |
509 | fi | |
bc8f83a5 | 510 | eval "$(apt-config shell GPG_EXE Apt::Key::gpgcommand)" |
e23ee4c2 | 511 | if [ -n "$GPG_EXE" ] && command_available "$GPG_EXE"; then |
93d0d08c | 512 | true |
e23ee4c2 | 513 | elif command_available 'gpg'; then |
93d0d08c | 514 | GPG_EXE="gpg" |
e23ee4c2 | 515 | elif command_available 'gpg2'; then |
93d0d08c DK |
516 | GPG_EXE="gpg2" |
517 | else | |
518 | echo >&2 "Error: gnupg or gnupg2 do not seem to be installed," | |
25f27319 | 519 | echo >&2 "Error: but apt-key requires gnupg or gnupg2 for this operation." |
9fda3be1 | 520 | echo >&2 |
93d0d08c | 521 | exit 255 |
9fda3be1 DK |
522 | fi |
523 | ||
25f27319 DK |
524 | create_gpg_home |
525 | ||
05991180 DK |
526 | # create the trustdb with an (empty) dummy keyring |
527 | # older gpgs required it, newer gpgs even warn that it isn't needed, | |
528 | # but require it nonetheless for some commands, so we just play safe | |
529 | # here for the foreseeable future and create a dummy one | |
803491dc | 530 | touch "${GPGHOMEDIR}/empty.gpg" |
fecfbf2e | 531 | if ! "$GPG_EXE" --ignore-time-conflict --no-options --no-default-keyring \ |
803491dc | 532 | --homedir "$GPGHOMEDIR" --quiet --check-trustdb --keyring "${GPGHOMEDIR}/empty.gpg" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then |
fecfbf2e DK |
533 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" |
534 | false | |
535 | fi | |
803491dc DK |
536 | |
537 | # now tell gpg that it shouldn't try to maintain this trustdb file | |
fecfbf2e | 538 | echo "#!/bin/sh |
bc8f83a5 DK |
539 | exec '$(escape_shell "${GPG_EXE}")' --ignore-time-conflict --no-options --no-default-keyring \\ |
540 | --homedir '$(escape_shell "${GPGHOMEDIR}")' --no-auto-check-trustdb --trust-model always \"\$@\"" > "${GPGHOMEDIR}/gpg.0.sh" | |
fecfbf2e DK |
541 | GPG_SH="${GPGHOMEDIR}/gpg.0.sh" |
542 | GPG="$GPG_SH" | |
05991180 | 543 | |
803491dc | 544 | # We don't usually need a secret keyring, of course, but |
bd7fb5aa DK |
545 | # for advanced operations, we might really need a secret keyring after all |
546 | if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then | |
803491dc DK |
547 | if ! aptkey_execute "$GPG" -v --batch --import "$FORCED_SECRET_KEYRING" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then |
548 | cat >&2 "${GPGHOMEDIR}/gpgoutput.log" | |
549 | false | |
550 | fi | |
551 | else | |
552 | # and then, there are older versions of gpg which panic and implode | |
553 | # if there isn't one available - and writeable for imports | |
554 | # and even if not output is littered with the creation of a secring, | |
555 | # so lets call import once to have it create what it wants in silence | |
556 | echo -n | aptkey_execute "$GPG" --batch --import >/dev/null 2>&1 || true | |
bd7fb5aa | 557 | fi |
25f27319 DK |
558 | } |
559 | ||
560 | if [ "$command" != 'help' ] && [ "$command" != 'verify' ]; then | |
561 | prepare_gpg_home | |
b3d44315 MV |
562 | fi |
563 | ||
b3d44315 MV |
564 | case "$command" in |
565 | add) | |
5beb682d DK |
566 | requires_root |
567 | setup_merged_keyring | |
fecfbf2e | 568 | aptkey_execute "$GPG" --quiet --batch --import "$@" |
0dae96a2 | 569 | merge_back_changes |
5beb682d | 570 | aptkey_echo "OK" |
b3d44315 MV |
571 | ;; |
572 | del|rm|remove) | |
5beb682d DK |
573 | requires_root |
574 | foreach_keyring_do 'remove_key_from_keyring' "$@" | |
575 | aptkey_echo "OK" | |
b3d44315 | 576 | ;; |
4a242c5b | 577 | update) |
5beb682d DK |
578 | requires_root |
579 | setup_merged_keyring | |
4a242c5b | 580 | update |
0dae96a2 | 581 | merge_back_changes |
4a242c5b | 582 | ;; |
848ecfa4 | 583 | net-update) |
5beb682d DK |
584 | requires_root |
585 | setup_merged_keyring | |
848ecfa4 | 586 | net_update |
0dae96a2 | 587 | merge_back_changes |
848ecfa4 | 588 | ;; |
b3d44315 | 589 | list) |
0b94a7bc | 590 | foreach_keyring_do 'run_cmd_on_keyring' --list-keys "$@" |
5beb682d | 591 | ;; |
b3d44315 | 592 | finger*) |
0b94a7bc | 593 | foreach_keyring_do 'run_cmd_on_keyring' --fingerprint "$@" |
5beb682d | 594 | ;; |
4f51a496 | 595 | export|exportall) |
25f27319 | 596 | merge_all_trusted_keyrings_into_pubring |
fecfbf2e | 597 | aptkey_execute "$GPG_SH" --keyring "${GPGHOMEDIR}/pubring.gpg" --armor --export "$@" |
5beb682d | 598 | ;; |
b3d44315 | 599 | adv*) |
5beb682d DK |
600 | setup_merged_keyring |
601 | aptkey_echo "Executing: $GPG $*" | |
fecfbf2e | 602 | aptkey_execute "$GPG" "$@" |
0dae96a2 | 603 | merge_back_changes |
5beb682d | 604 | ;; |
c46a36ad | 605 | verify) |
f14cde2c DK |
606 | GPGV='' |
607 | eval $(apt-config shell GPGV Apt::Key::gpgvcommand) | |
e23ee4c2 DK |
608 | if [ -n "$GPGV" ] && command_available "$GPGV"; then true; |
609 | elif command_available 'gpgv'; then GPGV='gpgv'; | |
610 | elif command_available 'gpgv2'; then GPGV='gpgv2'; | |
25f27319 DK |
611 | else |
612 | echo >&2 'ERROR: gpgv or gpgv2 required for verification' | |
613 | exit 29 | |
f14cde2c | 614 | fi |
25f27319 DK |
615 | # for a forced keyid we need gpg --export, so full wrapping required |
616 | if [ -n "$FORCED_KEYID" ]; then | |
617 | prepare_gpg_home | |
618 | else | |
619 | create_gpg_home | |
620 | fi | |
621 | setup_merged_keyring | |
622 | if [ -n "$FORCED_KEYRING" ]; then | |
fecfbf2e | 623 | "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${FORCED_KEYRING}" --ignore-time-conflict "$@" |
c46a36ad | 624 | else |
fecfbf2e | 625 | "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@" |
c46a36ad DK |
626 | fi |
627 | ;; | |
b3d44315 MV |
628 | help) |
629 | usage | |
630 | ;; | |
631 | *) | |
632 | usage | |
633 | exit 1 | |
634 | ;; | |
635 | esac |