]> git.saurik.com Git - apt.git/blame_incremental - cmdline/apt-key.in
projects / apt.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
add --secret-keyring option for apt-key
[apt.git] / cmdline / apt-key.in
... / ...
CommitLineData
1#!/bin/sh
2
3set -e
4unset GREP_OPTIONS
5
6APT_DIR="/"
7eval $(apt-config shell APT_DIR Dir)
8
9MASTER_KEYRING='&keyring-master-filename;'
10eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
11ARCHIVE_KEYRING='&keyring-filename;'
12eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)
13REMOVED_KEYS='&keyring-removed-filename;'
14eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
15ARCHIVE_KEYRING_URI='&keyring-uri;'
16eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
17TMP_KEYRING=${APT_DIR}/var/lib/apt/keyrings/maybe-import-keyring.gpg
18
19aptkey_echo() { echo "$@"; }
20
21requires_root() {
22 if [ "$(id -u)" -ne 0 ]; then
23 echo >&2 "ERROR: This command can only be used by root."
24 exit 1
25 fi
26}
27
28get_fingerprints_of_keyring() {
29 $GPG_CMD --keyring "$1" --with-colons --fingerprint | while read publine; do
30 # search for a public key
31 if [ "${publine%%:*}" != 'pub' ]; then continue; fi
32 # search for the associated fingerprint (should be the very next line)
33 while read fprline; do
34 if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen
35 elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi
36 echo "$fprline" | cut -d':' -f 10
37 done
38 done
39}
40
41add_keys_with_verify_against_master_keyring() {
42 ADD_KEYRING=$1
43 MASTER=$2
44
45 if [ ! -f "$ADD_KEYRING" ]; then
46 echo >&2 "ERROR: '$ADD_KEYRING' not found"
47 return
48 fi
49 if [ ! -f "$MASTER" ]; then
50 echo >&2 "ERROR: '$MASTER' not found"
51 return
52 fi
53
54 # when adding new keys, make sure that the archive-master-keyring
55 # is honored. so:
56 # all keys that are exported must have a valid signature
57 # from a key in the $distro-master-keyring
58 add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")"
59 all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
60 master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
61
62 # ensure there are no colisions LP: #857472
63 for all_add_key in $all_add_keys; do
64 for master_key in $master_keys; do
65 if [ "$all_add_key" = "$master_key" ]; then
66 echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
67 return 1
68 fi
69 done
70 done
71
72 for add_key in $add_keys; do
73 # export the add keyring one-by-one
74 rm -f $TMP_KEYRING
75 $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
76 # check if signed with the master key and only add in this case
77 ADDED=0
78 for master_key in $master_keys; do
79 if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
80 $GPG --import $TMP_KEYRING
81 ADDED=1
82 fi
83 done
84 if [ $ADDED = 0 ]; then
85 echo >&2 "Key '$add_key' not added. It is not signed with a master key"
86 fi
87 done
88 rm -f $TMP_KEYRING
89}
90
91# update the current archive signing keyring from a network URI
92# the archive-keyring keys needs to be signed with the master key
93# (otherwise it does not make sense from a security POV)
94net_update() {
95 # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
96 APT_KEY_NET_UPDATE_ENABLED=""
97 eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled)
98 if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then
99 exit 1
100 fi
101
102 if [ -z "$ARCHIVE_KEYRING_URI" ]; then
103 echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
104 exit 1
105 fi
106 # in theory we would need to depend on wget for this, but this feature
107 # isn't useable in debian anyway as we have no keyring uri nor a master key
108 if ! which wget >/dev/null 2>&1; then
109 echo >&2 "ERROR: an installed wget is required for a network-based update"
110 exit 1
111 fi
112 if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then
113 mkdir -p ${APT_DIR}/var/lib/apt/keyrings
114 fi
115 keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING_URI)
116 old_mtime=0
117 if [ -e $keyring ]; then
118 old_mtime=$(stat -c %Y $keyring)
119 fi
120 (cd ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
121 if [ ! -e $keyring ]; then
122 return
123 fi
124 new_mtime=$(stat -c %Y $keyring)
125 if [ $new_mtime -ne $old_mtime ]; then
126 aptkey_echo "Checking for new archive signing keys now"
127 add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
128 fi
129}
130
131update() {
132 if [ ! -f $ARCHIVE_KEYRING ]; then
133 echo >&2 "ERROR: Can't find the archive-keyring"
134 echo >&2 "Is the &keyring-package; package installed?"
135 exit 1
136 fi
137
138 # add new keys from the package;
139
140 # we do not use add_keys_with_verify_against_master_keyring here,
141 # because "update" is run on regular package updates. A
142 # attacker might as well replace the master-archive-keyring file
143 # in the package and add his own keys. so this check wouldn't
144 # add any security. we *need* this check on net-update though
145 $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
146
147 if [ -r "$REMOVED_KEYS" ]; then
148 # remove no-longer supported/used keys
149 get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do
150 foreach_keyring_do 'remove_key_from_keyring' "$key"
151 done
152 else
153 echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable"
154 fi
155}
156
157remove_key_from_keyring() {
158 local KEYRINGFILE="$1"
159 shift
160 # non-existent keyrings have by definition no keys
161 if [ ! -e "$KEYRINGFILE" ]; then
162 return
163 fi
164
165 local GPG="$GPG_CMD --keyring $KEYRINGFILE"
166 while [ -n "$1" ]; do
167 local KEY="$1"
168 shift
169 # check if the key is in this keyring: the key id is in the 5 column at the end
170 if ! get_fingerprints_of_keyring "$KEYRINGFILE" | grep -q "^[0-9A-F]*${KEY}$"; then
171 continue
172 fi
173 if [ ! -w "$KEYRINGFILE" ]; then
174 echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
175 continue
176 fi
177 # check if it is the only key in the keyring and if so remove the keyring altogether
178 if [ '1' = "$(get_fingerprints_of_keyring "$KEYRINGFILE" | wc -l)" ]; then
179 mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg
180 return
181 fi
182 # we can't just modify pointed to files as these might be in /usr or something
183 local REALTARGET
184 if [ -L "$KEYRINGFILE" ]; then
185 REALTARGET="$(readlink -f "$KEYRINGFILE")"
186 mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp"
187 cp -a "$REALTARGET" "$KEYRINGFILE"
188 fi
189 # delete the key from the keyring
190 $GPG --batch --delete-key --yes "$KEY"
191 if [ -n "$REALTARGET" ]; then
192 # the real backup is the old link, not the copy we made
193 mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~"
194 fi
195 done
196}
197
198foreach_keyring_do() {
199 local ACTION="$1"
200 shift
201 # if a --keyring was given, just remove from there
202 if [ -n "$FORCED_KEYRING" ]; then
203 $ACTION "$FORCED_KEYRING" "$@"
204 else
205 # otherwise all known keyrings are up for inspection
206 if [ -s "$TRUSTEDFILE" ]; then
207 $ACTION "$TRUSTEDFILE" "$@"
208 fi
209 local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
210 eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
211 if [ -d "$TRUSTEDPARTS" ]; then
212 # strip / suffix as gpg will double-slash in that case (#665411)
213 local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
214 if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
215 TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
216 fi
217 for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
218 if [ -s "$trusted" ]; then
219 $ACTION "$trusted" "$@"
220 fi
221 done
222 fi
223 fi
224}
225
226list_keys_from_keyring() {
227 local KEYRINGFILE="$1"
228 shift
229 # don't show the error message if this keyring doesn't include the key
230 $GPG_CMD --keyring "$KEYRINGFILE" --batch --list-keys "$@" 2>/dev/null || true
231}
232
233fingerprint_keys_from_keyring() {
234 local KEYRINGFILE="$1"
235 shift
236 # don't show the error message if this keyring doesn't include the fingerprint
237 $GPG_CMD --keyring "$KEYRINGFILE" --batch --fingerprint "$@" 2>/dev/null || true
238}
239
240import_keys_from_keyring() {
241 local IMPORT="$1"
242 local KEYRINGFILE="$2"
243 $GPG_CMD --keyring "$KEYRINGFILE" --batch --import "$IMPORT" >/dev/null 2>&1
244}
245
246setup_merged_keyring() {
247 if [ -z "$FORCED_KEYRING" ]; then
248 local TRUSTEDFILE_BAK="$TRUSTEDFILE"
249 TRUSTEDFILE='/dev/null'
250 foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg"
251 TRUSTEDFILE="$TRUSTEDFILE_BAK"
252 # mark it as non-writeable so users get errors if gnupg tries to modify it
253 if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then
254 chmod -w "${GPGHOMEDIR}/pubring.gpg"
255 GPG="$GPG --keyring ${GPGHOMEDIR}/pubring.gpg"
256 fi
257 fi
258 if [ -r "$TRUSTEDFILE" ]; then
259 GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
260 fi
261}
262
263
264usage() {
265 echo "Usage: apt-key [--keyring file] [command] [arguments]"
266 echo
267 echo "Manage apt's list of trusted keys"
268 echo
269 echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
270 echo " apt-key del <keyid> - remove the key <keyid>"
271 echo " apt-key export <keyid> - output the key <keyid>"
272 echo " apt-key exportall - output all trusted keys"
273 echo " apt-key update - update keys using the keyring package"
274 echo " apt-key net-update - update keys using the network"
275 echo " apt-key list - list keys"
276 echo " apt-key finger - list fingerprints"
277 echo " apt-key adv - pass advanced options to gpg (download key)"
278 echo
279 echo "If no specific keyring file is given the command applies to all keyring files."
280}
281
282while [ -n "$1" ]; do
283 case "$1" in
284 --keyring)
285 shift
286 TRUSTEDFILE="$1"
287 FORCED_KEYRING="$1"
288 shift
289 ;;
290 --secret-keyring)
291 shift
292 FORCED_SECRET_KEYRING="$1"
293 shift
294 ;;
295 --fakeroot)
296 requires_root() { true; }
297 shift
298 ;;
299 --quiet)
300 aptkey_echo() { true; }
301 shift
302 ;;
303 --*)
304 echo >&2 "Unknown option: $1"
305 usage
306 exit 1;;
307 *)
308 break;;
309 esac
310done
311
312if [ -z "$TRUSTEDFILE" ]; then
313 TRUSTEDFILE="/etc/apt/trusted.gpg"
314 eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
315 eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
316fi
317
318command="$1"
319if [ -z "$command" ]; then
320 usage
321 exit 1
322fi
323shift
324
325if [ "$command" != "help" ]; then
326 eval $(apt-config shell GPG_EXE Apt::Key::gpgcommand)
327
328 if [ -n "$GPG_EXE" ] && which "$GPG_EXE" >/dev/null 2>&1; then
329 true
330 elif which gpg >/dev/null 2>&1; then
331 GPG_EXE="gpg"
332 elif which gpg2 >/dev/null 2>&1; then
333 GPG_EXE="gpg2"
334 else
335 echo >&2 "Error: gnupg or gnupg2 do not seem to be installed,"
336 echo >&2 "Error: but apt-key requires gnupg or gnupg2 for operation."
337 echo >&2
338 exit 255
339 fi
340
341 GPG_CMD="$GPG_EXE --ignore-time-conflict --no-options --no-default-keyring"
342
343 # gpg needs (in different versions more or less) files to function correctly,
344 # so we give it its own homedir and generate some valid content for it
345 GPGHOMEDIR="$(mktemp -d)"
346 CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';"
347 trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
348 chmod 700 "$GPGHOMEDIR"
349 # We don't use a secret keyring, of course, but gpg panics and
350 # implodes if there isn't one available - and writeable for imports
351 SECRETKEYRING="${GPGHOMEDIR}/secring.gpg"
352 touch $SECRETKEYRING
353 GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR"
354 # create the trustdb with an (empty) dummy keyring
355 # older gpgs required it, newer gpgs even warn that it isn't needed,
356 # but require it nonetheless for some commands, so we just play safe
357 # here for the foreseeable future and create a dummy one
358 $GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1
359 # tell gpg that it shouldn't try to maintain a trustdb file
360 GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
361 GPG="$GPG_CMD"
362
363 # for advanced operations, we might really need a secret keyring after all
364 if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then
365 rm -f "$SECRETKEYRING"
366 cp -a "$FORCED_SECRET_KEYRING" "$SECRETKEYRING"
367 fi
368
369 # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
370 if ! [ -e "$TRUSTEDFILE" ]; then
371 if [ -w "$(dirname "$TRUSTEDFILE")" ]; then
372 touch -- "$TRUSTEDFILE"
373 chmod 0644 -- "$TRUSTEDFILE"
374 fi
375 fi
376fi
377
378case "$command" in
379 add)
380 requires_root
381 setup_merged_keyring
382 $GPG --quiet --batch --import "$@"
383 aptkey_echo "OK"
384 ;;
385 del|rm|remove)
386 requires_root
387 foreach_keyring_do 'remove_key_from_keyring' "$@"
388 aptkey_echo "OK"
389 ;;
390 update)
391 requires_root
392 setup_merged_keyring
393 update
394 ;;
395 net-update)
396 requires_root
397 setup_merged_keyring
398 net_update
399 ;;
400 list)
401 foreach_keyring_do 'list_keys_from_keyring' "$@"
402 ;;
403 finger*)
404 foreach_keyring_do 'fingerprint_keys_from_keyring' "$@"
405 ;;
406 export|exportall)
407 foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg"
408 $GPG_CMD --keyring "${GPGHOMEDIR}/pubring.gpg" --armor --export "$@"
409 ;;
410 adv*)
411 setup_merged_keyring
412 aptkey_echo "Executing: $GPG $*"
413 $GPG "$@"
414 ;;
415 help)
416 usage
417 ;;
418 *)
419 usage
420 exit 1
421 ;;
422esac
APT (for Cydia)