]>
Commit | Line | Data |
---|---|---|
1 | #!/bin/sh | |
2 | ||
3 | set -e | |
4 | ||
5 | # We don't use a secret keyring, of course, but gpg panics and | |
6 | # implodes if there isn't one available | |
7 | ||
8 | GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg" | |
9 | GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg" | |
10 | ||
11 | ||
12 | MASTER_KEYRING="" | |
13 | #MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg | |
14 | ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg | |
15 | REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg | |
16 | ||
17 | add_keys_with_verify_against_master_keyring() { | |
18 | ADD_KEYRING=$1 | |
19 | MASTER=$2 | |
20 | ||
21 | if [ ! -f "$ADD_KEYRING" ]; then | |
22 | echo "ERROR: '$ADD_KEYRING' not found" | |
23 | return | |
24 | fi | |
25 | if [ ! -f "$MASTER" ]; then | |
26 | echo "ERROR: '$MASTER' not found" | |
27 | return | |
28 | fi | |
29 | ||
30 | # when adding new keys, make sure that the archive-master-keyring | |
31 | # is honored. so: | |
32 | # all keys that are exported and have the name | |
33 | # "Ubuntu Archive Automatic Signing Key" must have a valid signature | |
34 | # from a key in the ubuntu-master-keyring | |
35 | add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
36 | master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
37 | for add_key in $add_keys; do | |
38 | for master_key in $master_keys; do | |
39 | if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then | |
40 | $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import | |
41 | fi | |
42 | done | |
43 | done | |
44 | } | |
45 | ||
46 | update() { | |
47 | if [ ! -f $ARCHIVE_KEYRING ]; then | |
48 | echo >&2 "ERROR: Can't find the archive-keyring" | |
49 | echo >&2 "Is the debian-archive-keyring package installed?" | |
50 | exit 1 | |
51 | fi | |
52 | ||
53 | # add new keys, if no MASTER_KEYRING is used, use the traditional | |
54 | # way | |
55 | if [ -z "$MASTER_KEYRING" ]; then | |
56 | $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import | |
57 | else | |
58 | add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING | |
59 | fi | |
60 | ||
61 | # remove no-longer supported/used keys | |
62 | keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
63 | for key in $keys; do | |
64 | if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then | |
65 | $GPG --quiet --batch --delete-key --yes ${key} | |
66 | fi | |
67 | done | |
68 | } | |
69 | ||
70 | ||
71 | usage() { | |
72 | echo "Usage: apt-key [command] [arguments]" | |
73 | echo | |
74 | echo "Manage apt's list of trusted keys" | |
75 | echo | |
76 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
77 | echo " apt-key del <keyid> - remove the key <keyid>" | |
78 | echo " apt-key export <keyid> - output the key <keyid>" | |
79 | echo " apt-key exportall - output all trusted keys" | |
80 | echo " apt-key update - update keys using the keyring package" | |
81 | echo " apt-key list - list keys" | |
82 | echo | |
83 | } | |
84 | ||
85 | command="$1" | |
86 | if [ -z "$command" ]; then | |
87 | usage | |
88 | exit 1 | |
89 | fi | |
90 | shift | |
91 | ||
92 | if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then | |
93 | echo >&2 "Warning: gnupg does not seem to be installed." | |
94 | echo >&2 "Warning: apt-key requires gnupg for most operations." | |
95 | echo >&2 | |
96 | fi | |
97 | ||
98 | case "$command" in | |
99 | add) | |
100 | $GPG --quiet --batch --import "$1" | |
101 | echo "OK" | |
102 | ;; | |
103 | del|rm|remove) | |
104 | $GPG --quiet --batch --delete-key --yes "$1" | |
105 | echo "OK" | |
106 | ;; | |
107 | update) | |
108 | update | |
109 | ;; | |
110 | list) | |
111 | $GPG --batch --list-keys | |
112 | ;; | |
113 | finger*) | |
114 | $GPG --batch --fingerprint | |
115 | ;; | |
116 | export) | |
117 | $GPG --armor --export "$1" | |
118 | ;; | |
119 | exportall) | |
120 | $GPG --armor --export | |
121 | ;; | |
122 | adv*) | |
123 | echo "Executing: $GPG $*" | |
124 | $GPG $* | |
125 | ;; | |
126 | help) | |
127 | usage | |
128 | ;; | |
129 | *) | |
130 | usage | |
131 | exit 1 | |
132 | ;; | |
133 | esac |