git.saurik.com Git - apt.git/blame_incremental

... / ...

Commit	Line	Data
	1	#!/bin/sh
	2
	3	set -e
	4
	5	# We don't use a secret keyring, of course, but gpg panics and
	6	# implodes if there isn't one available
	7
	8	GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg"
	9	GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
	10
	11
	12	MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg
	13	ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
	14	REMOVED_KEYS=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
	15
	16	add_keys_with_verify_against_master_keyring() {
	17	ADD_KEYRING=$1
	18	MASTER=$2
	19
	20	if [ ! -f "$ADD_KEYRING" ]; then
	21	echo "ERROR: '$ADD_KEYRING' not found"
	22	return
	23	fi
	24	if [ ! -f "$MASTER" ]; then
	25	echo "ERROR: '$MASTER' not found"
	26	return
	27	fi
	28
	29	# when adding new keys, make sure that the archive-master-keyring
	30	# is honored. so:
	31	# all keys that are exported and have the name
	32	# "Ubuntu Archive Automatic Signing Key" must have a valid signature
	33	# from a key in the ubuntu-master-keyring
	34	add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys \| grep ^pub \| cut -d: -f5`
	35	master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys \| grep ^pub \| cut -d: -f5`
	36	for add_key in $add_keys; do
	37	ADDED=0
	38	for master_key in $master_keys; do
	39	if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key \| grep ^sig \| cut -d: -f5 \| grep -q $master_key; then
	40	$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key \| $GPG --import
	41	ADDED=1
	42	fi
	43	done
	44	if [ $ADDED = 0 ]; then
	45	echo >&2 "Key '$add_key' not added. It is not signed with a master key"
	46	fi
	47	done
	48	}
	49
	50	update() {
	51	if [ ! -f $ARCHIVE_KEYRING ]; then
	52	echo >&2 "ERROR: Can't find the archive-keyring"
	53	echo >&2 "Is the ubuntu-keyring package installed?"
	54	exit 1
	55	fi
	56
	57	# add new keys, if no MASTER_KEYRING is used, use the traditional
	58	# way
	59	if [ -z "$MASTER_KEYRING" ]; then
	60	$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export \| $GPG --import
	61	else
	62	add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING
	63	fi
	64
	65	# remove no-longer supported/used keys
	66	keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys \| grep ^pub \| cut -d: -f5`
	67	for key in $keys; do
	68	if $GPG --list-keys --with-colons \| grep ^pub \| cut -d: -f5 \| grep -q $key; then
	69	$GPG --quiet --batch --delete-key --yes ${key}
	70	fi
	71	done
	72	}
	73
	74
	75	usage() {
	76	echo "Usage: apt-key [command] [arguments]"
	77	echo
	78	echo "Manage apt's list of trusted keys"
	79	echo
	80	echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
	81	echo " apt-key del <keyid> - remove the key <keyid>"
	82	echo " apt-key export <keyid> - output the key <keyid>"
	83	echo " apt-key exportall - output all trusted keys"
	84	echo " apt-key update - update keys using the keyring package"
	85	echo " apt-key list - list keys"
	86	echo
	87	}
	88
	89	command="$1"
	90	if [ -z "$command" ]; then
	91	usage
	92	exit 1
	93	fi
	94	shift
	95
	96	if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
	97	echo >&2 "Warning: gnupg does not seem to be installed."
	98	echo >&2 "Warning: apt-key requires gnupg for most operations."
	99	echo >&2
	100	fi
	101
	102	case "$command" in
	103	add)
	104	$GPG --quiet --batch --import "$1"
	105	echo "OK"
	106	;;
	107	del\|rm\|remove)
	108	$GPG --quiet --batch --delete-key --yes "$1"
	109	echo "OK"
	110	;;
	111	update)
	112	update
	113	;;
	114	list)
	115	$GPG --batch --list-keys
	116	;;
	117	finger*)
	118	$GPG --batch --fingerprint
	119	;;
	120	export)
	121	$GPG --armor --export "$1"
	122	;;
	123	exportall)
	124	$GPG --armor --export
	125	;;
	126	adv*)
	127	echo "Executing: $GPG $*"
	128	$GPG $*
	129	;;
	130	help)
	131	usage
	132	;;
	133	*)
	134	usage
	135	exit 1
	136	;;
	137	esac