]> git.saurik.com Git - apt.git/blame_incremental - cmdline/apt-key
projects / apt.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
do not double-slash paths in apt-key
[apt.git] / cmdline / apt-key
... / ...
CommitLineData
1#!/bin/sh
2
3set -e
4unset GREP_OPTIONS
5
6GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
7
8# gpg needs a trustdb to function, but it can't be invalid (not even empty)
9# so we create a temporary directory to store our fresh readable trustdb in
10TRUSTDBDIR="$(mktemp -d)"
11CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
12trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
13chmod 700 "$TRUSTDBDIR"
14# We also don't use a secret keyring, of course, but gpg panics and
15# implodes if there isn't one available - and writeable for imports
16SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
17touch $SECRETKEYRING
18GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
19GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
20
21# now create the trustdb with an (empty) dummy keyring
22$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
23# and make sure that gpg isn't trying to update the file
24GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
25
26GPG="$GPG_CMD"
27
28MASTER_KEYRING=""
29ARCHIVE_KEYRING_URI=""
30#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
31#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
32
33ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
34REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
35
36requires_root() {
37 if [ "$(id -u)" -ne 0 ]; then
38 echo >&1 "ERROR: This command can only be used by root."
39 exit 1
40 fi
41}
42
43# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
44init_keyring() {
45 for path; do
46 if ! [ -e "$path" ]; then
47 touch -- "$path"
48 chmod 0644 -- "$path"
49 fi
50 done
51}
52
53add_keys_with_verify_against_master_keyring() {
54 ADD_KEYRING=$1
55 MASTER=$2
56
57 if [ ! -f "$ADD_KEYRING" ]; then
58 echo "ERROR: '$ADD_KEYRING' not found"
59 return
60 fi
61 if [ ! -f "$MASTER" ]; then
62 echo "ERROR: '$MASTER' not found"
63 return
64 fi
65
66 # when adding new keys, make sure that the archive-master-keyring
67 # is honored. so:
68 # all keys that are exported must have a valid signature
69 # from a key in the $distro-master-keyring
70 add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
71 master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
72 for add_key in $add_keys; do
73 ADDED=0
74 for master_key in $master_keys; do
75 if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
76 $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
77 ADDED=1
78 fi
79 done
80 if [ $ADDED = 0 ]; then
81 echo >&2 "Key '$add_key' not added. It is not signed with a master key"
82 fi
83 done
84}
85
86# update the current archive signing keyring from a network URI
87# the archive-keyring keys needs to be signed with the master key
88# (otherwise it does not make sense from a security POV)
89net_update() {
90 if [ -z "$ARCHIVE_KEYRING_URI" ]; then
91 echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
92 exit 1
93 fi
94 requires_root
95 # in theory we would need to depend on wget for this, but this feature
96 # isn't useable in debian anyway as we have no keyring uri nor a master key
97 if ! which wget >/dev/null 2>&1; then
98 echo >&2 "ERROR: an installed wget is required for a network-based update"
99 exit 1
100 fi
101 if [ ! -d /var/lib/apt/keyrings ]; then
102 mkdir -p /var/lib/apt/keyrings
103 fi
104 keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
105 old_mtime=0
106 if [ -e $keyring ]; then
107 old_mtime=$(stat -c %Y $keyring)
108 fi
109 (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
110 if [ ! -e $keyring ]; then
111 return
112 fi
113 new_mtime=$(stat -c %Y $keyring)
114 if [ $new_mtime -ne $old_mtime ]; then
115 echo "Checking for new archive signing keys now"
116 add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
117 fi
118}
119
120update() {
121 if [ ! -f $ARCHIVE_KEYRING ]; then
122 echo >&2 "ERROR: Can't find the archive-keyring"
123 echo >&2 "Is the debian-archive-keyring package installed?"
124 exit 1
125 fi
126 requires_root
127
128 # add new keys from the package;
129
130 # we do not use add_keys_with_verify_against_master_keyring here,
131 # because "update" is run on regular package updates. A
132 # attacker might as well replace the master-archive-keyring file
133 # in the package and add his own keys. so this check wouldn't
134 # add any security. we *need* this check on net-update though
135 $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
136
137 if [ -r "$REMOVED_KEYS" ]; then
138 # remove no-longer supported/used keys
139 keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
140 for key in $keys; do
141 if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
142 $GPG --quiet --batch --delete-key --yes ${key}
143 fi
144 done
145 else
146 echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2
147 fi
148}
149
150
151usage() {
152 echo "Usage: apt-key [--keyring file] [command] [arguments]"
153 echo
154 echo "Manage apt's list of trusted keys"
155 echo
156 echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
157 echo " apt-key del <keyid> - remove the key <keyid>"
158 echo " apt-key export <keyid> - output the key <keyid>"
159 echo " apt-key exportall - output all trusted keys"
160 echo " apt-key update - update keys using the keyring package"
161 echo " apt-key net-update - update keys using the network"
162 echo " apt-key list - list keys"
163 echo " apt-key finger - list fingerprints"
164 echo " apt-key adv - pass advanced options to gpg (download key)"
165 echo
166 echo "If no specific keyring file is given the command applies to all keyring files."
167}
168
169while [ -n "$1" ]; do
170 case "$1" in
171 --keyring)
172 shift
173 TRUSTEDFILE="$1"
174 if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then
175 GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
176 else
177 echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable"
178 exit 1
179 fi
180 shift
181 ;;
182 --fakeroot)
183 requires_root() { true; }
184 shift
185 ;;
186 --*)
187 echo >&2 "Unknown option: $1"
188 usage
189 exit 1;;
190 *)
191 break;;
192 esac
193done
194
195if [ -z "$TRUSTEDFILE" ]; then
196 TRUSTEDFILE="/etc/apt/trusted.gpg"
197 eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
198 eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
199 if [ -r "$TRUSTEDFILE" ]; then
200 GPG="$GPG --keyring $TRUSTEDFILE"
201 fi
202 GPG="$GPG --primary-keyring $TRUSTEDFILE"
203 TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
204 eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
205 if [ -d "$TRUSTEDPARTS" ]; then
206 # strip / suffix as gpg will double-slash in that case (#665411)
207 STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
208 if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
209 TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
210 fi
211 for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
212 GPG="$GPG --keyring $trusted"
213 done
214 fi
215fi
216
217command="$1"
218if [ -z "$command" ]; then
219 usage
220 exit 1
221fi
222shift
223
224if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
225 echo >&2 "Warning: gnupg does not seem to be installed."
226 echo >&2 "Warning: apt-key requires gnupg for most operations."
227 echo >&2
228fi
229
230case "$command" in
231 add)
232 requires_root
233 init_keyring "$TRUSTEDFILE"
234 $GPG --quiet --batch --import "$1"
235 echo "OK"
236 ;;
237 del|rm|remove)
238 requires_root
239 init_keyring "$TRUSTEDFILE"
240 $GPG --quiet --batch --delete-key --yes "$1"
241 echo "OK"
242 ;;
243 update)
244 init_keyring "$TRUSTEDFILE"
245 update
246 ;;
247 net-update)
248 init_keyring "$TRUSTEDFILE"
249 net_update
250 ;;
251 list)
252 init_keyring "$TRUSTEDFILE"
253 $GPG --batch --list-keys
254 ;;
255 finger*)
256 init_keyring "$TRUSTEDFILE"
257 $GPG --batch --fingerprint
258 ;;
259 export)
260 init_keyring "$TRUSTEDFILE"
261 $GPG --armor --export "$1"
262 ;;
263 exportall)
264 init_keyring "$TRUSTEDFILE"
265 $GPG --armor --export
266 ;;
267 adv*)
268 init_keyring "$TRUSTEDFILE"
269 echo "Executing: $GPG $*"
270 $GPG $*
271 ;;
272 help)
273 usage
274 ;;
275 *)
276 usage
277 exit 1
278 ;;
279esac
APT (for Cydia)