]>
Commit | Line | Data |
---|---|---|
1 | #!/bin/sh | |
2 | ||
3 | set -e | |
4 | unset GREP_OPTIONS | |
5 | ||
6 | APT_DIR="/" | |
7 | eval $(apt-config shell APT_DIR Dir) | |
8 | ||
9 | MASTER_KEYRING='&keyring-master-filename;' | |
10 | eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) | |
11 | ARCHIVE_KEYRING='&keyring-filename;' | |
12 | eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) | |
13 | REMOVED_KEYS='&keyring-removed-filename;' | |
14 | eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) | |
15 | ARCHIVE_KEYRING_URI='&keyring-uri;' | |
16 | eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) | |
17 | ||
18 | aptkey_echo() { echo "$@"; } | |
19 | ||
20 | requires_root() { | |
21 | if [ "$(id -u)" -ne 0 ]; then | |
22 | echo >&2 "ERROR: This command can only be used by root." | |
23 | exit 1 | |
24 | fi | |
25 | } | |
26 | ||
27 | get_fingerprints_of_keyring() { | |
28 | $GPG_CMD --keyring "$1" --with-colons --fingerprint | while read publine; do | |
29 | # search for a public key | |
30 | if [ "${publine%%:*}" != 'pub' ]; then continue; fi | |
31 | # search for the associated fingerprint (should be the very next line) | |
32 | while read fprline; do | |
33 | if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen | |
34 | elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi | |
35 | echo "$fprline" | cut -d':' -f 10 | |
36 | done | |
37 | done | |
38 | } | |
39 | ||
40 | add_keys_with_verify_against_master_keyring() { | |
41 | ADD_KEYRING=$1 | |
42 | MASTER=$2 | |
43 | ||
44 | if [ ! -f "$ADD_KEYRING" ]; then | |
45 | echo >&2 "ERROR: '$ADD_KEYRING' not found" | |
46 | return | |
47 | fi | |
48 | if [ ! -f "$MASTER" ]; then | |
49 | echo >&2 "ERROR: '$MASTER' not found" | |
50 | return | |
51 | fi | |
52 | ||
53 | # when adding new keys, make sure that the archive-master-keyring | |
54 | # is honored. so: | |
55 | # all keys that are exported must have a valid signature | |
56 | # from a key in the $distro-master-keyring | |
57 | add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")" | |
58 | all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` | |
59 | master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` | |
60 | ||
61 | # ensure there are no colisions LP: #857472 | |
62 | for all_add_key in $all_add_keys; do | |
63 | for master_key in $master_keys; do | |
64 | if [ "$all_add_key" = "$master_key" ]; then | |
65 | echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" | |
66 | return 1 | |
67 | fi | |
68 | done | |
69 | done | |
70 | ||
71 | for add_key in $add_keys; do | |
72 | # export the add keyring one-by-one | |
73 | local TMP_KEYRING="${GPGHOMEDIR}/tmp-keyring.gpg" | |
74 | $GPG_CMD --batch --yes --keyring "$ADD_KEYRING" --output "$TMP_KEYRING" --export "$add_key" | |
75 | if ! $GPG_CMD --batch --yes --keyring "$TMP_KEYRING" --import "$MASTER" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
76 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
77 | false | |
78 | fi | |
79 | # check if signed with the master key and only add in this case | |
80 | ADDED=0 | |
81 | for master_key in $master_keys; do | |
82 | if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then | |
83 | $GPG_CMD --batch --yes --keyring "$ADD_KEYRING" --export "$add_key" | $GPG --batch --yes --import | |
84 | ADDED=1 | |
85 | fi | |
86 | done | |
87 | if [ $ADDED = 0 ]; then | |
88 | echo >&2 "Key '$add_key' not added. It is not signed with a master key" | |
89 | fi | |
90 | rm -f "${TMP_KEYRING}" | |
91 | done | |
92 | } | |
93 | ||
94 | # update the current archive signing keyring from a network URI | |
95 | # the archive-keyring keys needs to be signed with the master key | |
96 | # (otherwise it does not make sense from a security POV) | |
97 | net_update() { | |
98 | # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) | |
99 | APT_KEY_NET_UPDATE_ENABLED="" | |
100 | eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled) | |
101 | if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then | |
102 | exit 1 | |
103 | fi | |
104 | ||
105 | if [ -z "$ARCHIVE_KEYRING_URI" ]; then | |
106 | echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" | |
107 | exit 1 | |
108 | fi | |
109 | # in theory we would need to depend on wget for this, but this feature | |
110 | # isn't useable in debian anyway as we have no keyring uri nor a master key | |
111 | if ! which wget >/dev/null 2>&1; then | |
112 | echo >&2 "ERROR: an installed wget is required for a network-based update" | |
113 | exit 1 | |
114 | fi | |
115 | if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then | |
116 | mkdir -p ${APT_DIR}/var/lib/apt/keyrings | |
117 | fi | |
118 | keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING_URI) | |
119 | old_mtime=0 | |
120 | if [ -e $keyring ]; then | |
121 | old_mtime=$(stat -c %Y $keyring) | |
122 | fi | |
123 | (cd ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) | |
124 | if [ ! -e $keyring ]; then | |
125 | return | |
126 | fi | |
127 | new_mtime=$(stat -c %Y $keyring) | |
128 | if [ $new_mtime -ne $old_mtime ]; then | |
129 | aptkey_echo "Checking for new archive signing keys now" | |
130 | add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING | |
131 | fi | |
132 | } | |
133 | ||
134 | update() { | |
135 | if [ ! -f $ARCHIVE_KEYRING ]; then | |
136 | echo >&2 "ERROR: Can't find the archive-keyring" | |
137 | echo >&2 "Is the &keyring-package; package installed?" | |
138 | exit 1 | |
139 | fi | |
140 | ||
141 | # add new keys from the package; | |
142 | ||
143 | # we do not use add_keys_with_verify_against_master_keyring here, | |
144 | # because "update" is run on regular package updates. A | |
145 | # attacker might as well replace the master-archive-keyring file | |
146 | # in the package and add his own keys. so this check wouldn't | |
147 | # add any security. we *need* this check on net-update though | |
148 | $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import | |
149 | ||
150 | if [ -r "$REMOVED_KEYS" ]; then | |
151 | # remove no-longer supported/used keys | |
152 | get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do | |
153 | foreach_keyring_do 'remove_key_from_keyring' "$key" | |
154 | done | |
155 | else | |
156 | echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" | |
157 | fi | |
158 | } | |
159 | ||
160 | remove_key_from_keyring() { | |
161 | local KEYRINGFILE="$1" | |
162 | shift | |
163 | # non-existent keyrings have by definition no keys | |
164 | if [ ! -e "$KEYRINGFILE" ]; then | |
165 | return | |
166 | fi | |
167 | ||
168 | local GPG="$GPG_CMD --keyring $KEYRINGFILE" | |
169 | for KEY in "$@"; do | |
170 | # check if the key is in this keyring: the key id is in the 5 column at the end | |
171 | if ! get_fingerprints_of_keyring "$KEYRINGFILE" | grep -q "^[0-9A-F]*${KEY}$"; then | |
172 | continue | |
173 | fi | |
174 | if [ ! -w "$KEYRINGFILE" ]; then | |
175 | echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only." | |
176 | continue | |
177 | fi | |
178 | # check if it is the only key in the keyring and if so remove the keyring altogether | |
179 | if [ '1' = "$(get_fingerprints_of_keyring "$KEYRINGFILE" | wc -l)" ]; then | |
180 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg | |
181 | return | |
182 | fi | |
183 | # we can't just modify pointed to files as these might be in /usr or something | |
184 | local REALTARGET | |
185 | if [ -L "$KEYRINGFILE" ]; then | |
186 | REALTARGET="$(readlink -f "$KEYRINGFILE")" | |
187 | mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp" | |
188 | cp -a "$REALTARGET" "$KEYRINGFILE" | |
189 | fi | |
190 | # delete the key from the keyring | |
191 | $GPG --batch --delete-key --yes "$KEY" | |
192 | if [ -n "$REALTARGET" ]; then | |
193 | # the real backup is the old link, not the copy we made | |
194 | mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~" | |
195 | fi | |
196 | done | |
197 | } | |
198 | ||
199 | foreach_keyring_do() { | |
200 | local ACTION="$1" | |
201 | shift | |
202 | # if a --keyring was given, just remove from there | |
203 | if [ -n "$FORCED_KEYRING" ]; then | |
204 | $ACTION "$FORCED_KEYRING" "$@" | |
205 | else | |
206 | # otherwise all known keyrings are up for inspection | |
207 | if [ -s "$TRUSTEDFILE" ]; then | |
208 | $ACTION "$TRUSTEDFILE" "$@" | |
209 | fi | |
210 | local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" | |
211 | eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) | |
212 | if [ -d "$TRUSTEDPARTS" ]; then | |
213 | # strip / suffix as gpg will double-slash in that case (#665411) | |
214 | local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" | |
215 | if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then | |
216 | TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" | |
217 | fi | |
218 | for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do | |
219 | if [ -s "$trusted" ]; then | |
220 | $ACTION "$trusted" "$@" | |
221 | fi | |
222 | done | |
223 | fi | |
224 | fi | |
225 | } | |
226 | ||
227 | run_cmd_on_keyring() { | |
228 | local KEYRINGFILE="$1" | |
229 | shift | |
230 | # fingerprint and co will fail if key isn't in this keyring | |
231 | $GPG_CMD --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true | |
232 | } | |
233 | ||
234 | import_keys_from_keyring() { | |
235 | local IMPORT="$1" | |
236 | local KEYRINGFILE="$2" | |
237 | if ! $GPG_CMD --keyring "$KEYRINGFILE" --batch --import "$IMPORT" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
238 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
239 | false | |
240 | fi | |
241 | } | |
242 | ||
243 | merge_keys_into_keyrings() { | |
244 | local KEYRINGFILE="$1" | |
245 | local IMPORT="$2" | |
246 | if ! $GPG_CMD --keyring "$KEYRINGFILE" --batch --import --import-options 'merge-only' "$IMPORT" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
247 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
248 | false | |
249 | fi | |
250 | } | |
251 | ||
252 | merge_back_changes() { | |
253 | if [ -n "$FORCED_KEYRING" ]; then | |
254 | # if the keyring was forced merge is already done | |
255 | return | |
256 | fi | |
257 | if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then | |
258 | # merge all updated keys | |
259 | foreach_keyring_do 'merge_keys_into_keyrings' "${GPGHOMEDIR}/pubring.gpg" | |
260 | fi | |
261 | # look for keys which were added or removed | |
262 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.orig.gpg" > "${GPGHOMEDIR}/pubring.orig.keylst" | |
263 | get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.gpg" > "${GPGHOMEDIR}/pubring.keylst" | |
264 | sort "${GPGHOMEDIR}/pubring.keylst" "${GPGHOMEDIR}/pubring.orig.keylst" | uniq --unique | while read key; do | |
265 | if grep -q "^${key}$" "${GPGHOMEDIR}/pubring.orig.keylst"; then | |
266 | # key isn't part of new keyring, so remove | |
267 | foreach_keyring_do 'remove_key_from_keyring' "$key" | |
268 | elif grep -q "^${key}$" "${GPGHOMEDIR}/pubring.keylst"; then | |
269 | # key is part of new keyring, so we need to import it | |
270 | create_new_keyring "$TRUSTEDFILE" | |
271 | if ! $GPG --batch --yes --export "$key" | $GPG_CMD --keyring "$TRUSTEDFILE" --batch --yes --import > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then | |
272 | cat "${GPGHOMEDIR}/gpgoutput.log" | |
273 | false | |
274 | fi | |
275 | else | |
276 | echo >&2 "Errror: Key ${key} (dis)appeared out of nowhere" | |
277 | fi | |
278 | done | |
279 | } | |
280 | ||
281 | setup_merged_keyring() { | |
282 | if [ -z "$FORCED_KEYRING" ]; then | |
283 | foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg" | |
284 | if [ -r "${GPGHOMEDIR}/pubring.gpg" ]; then | |
285 | cp -a "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
286 | else | |
287 | touch "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg" | |
288 | fi | |
289 | GPG="$GPG --keyring ${GPGHOMEDIR}/pubring.gpg" | |
290 | else | |
291 | GPG="$GPG --keyring $TRUSTEDFILE" | |
292 | create_new_keyring "$TRUSTEDFILE" | |
293 | fi | |
294 | } | |
295 | ||
296 | create_new_keyring() { | |
297 | # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. | |
298 | if ! [ -e "$TRUSTEDFILE" ]; then | |
299 | if [ -w "$(dirname "$TRUSTEDFILE")" ]; then | |
300 | touch -- "$TRUSTEDFILE" | |
301 | chmod 0644 -- "$TRUSTEDFILE" | |
302 | fi | |
303 | fi | |
304 | } | |
305 | ||
306 | usage() { | |
307 | echo "Usage: apt-key [--keyring file] [command] [arguments]" | |
308 | echo | |
309 | echo "Manage apt's list of trusted keys" | |
310 | echo | |
311 | echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)" | |
312 | echo " apt-key del <keyid> - remove the key <keyid>" | |
313 | echo " apt-key export <keyid> - output the key <keyid>" | |
314 | echo " apt-key exportall - output all trusted keys" | |
315 | echo " apt-key update - update keys using the keyring package" | |
316 | echo " apt-key net-update - update keys using the network" | |
317 | echo " apt-key list - list keys" | |
318 | echo " apt-key finger - list fingerprints" | |
319 | echo " apt-key adv - pass advanced options to gpg (download key)" | |
320 | echo | |
321 | echo "If no specific keyring file is given the command applies to all keyring files." | |
322 | } | |
323 | ||
324 | while [ -n "$1" ]; do | |
325 | case "$1" in | |
326 | --keyring) | |
327 | shift | |
328 | TRUSTEDFILE="$1" | |
329 | FORCED_KEYRING="$1" | |
330 | ;; | |
331 | --secret-keyring) | |
332 | shift | |
333 | FORCED_SECRET_KEYRING="$1" | |
334 | ;; | |
335 | --readonly) | |
336 | merge_back_changes() { true; } | |
337 | ;; | |
338 | --fakeroot) | |
339 | requires_root() { true; } | |
340 | ;; | |
341 | --quiet) | |
342 | aptkey_echo() { true; } | |
343 | ;; | |
344 | --*) | |
345 | echo >&2 "Unknown option: $1" | |
346 | usage | |
347 | exit 1;; | |
348 | *) | |
349 | break;; | |
350 | esac | |
351 | shift | |
352 | done | |
353 | ||
354 | if [ -z "$TRUSTEDFILE" ]; then | |
355 | TRUSTEDFILE="/etc/apt/trusted.gpg" | |
356 | eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) | |
357 | eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) | |
358 | fi | |
359 | ||
360 | command="$1" | |
361 | if [ -z "$command" ]; then | |
362 | usage | |
363 | exit 1 | |
364 | fi | |
365 | shift | |
366 | ||
367 | if [ "$command" != "help" ]; then | |
368 | eval $(apt-config shell GPG_EXE Apt::Key::gpgcommand) | |
369 | ||
370 | if [ -n "$GPG_EXE" ] && which "$GPG_EXE" >/dev/null 2>&1; then | |
371 | true | |
372 | elif which gpg >/dev/null 2>&1; then | |
373 | GPG_EXE="gpg" | |
374 | elif which gpg2 >/dev/null 2>&1; then | |
375 | GPG_EXE="gpg2" | |
376 | else | |
377 | echo >&2 "Error: gnupg or gnupg2 do not seem to be installed," | |
378 | echo >&2 "Error: but apt-key requires gnupg or gnupg2 for operation." | |
379 | echo >&2 | |
380 | exit 255 | |
381 | fi | |
382 | ||
383 | GPG_CMD="$GPG_EXE --ignore-time-conflict --no-options --no-default-keyring" | |
384 | ||
385 | # gpg needs (in different versions more or less) files to function correctly, | |
386 | # so we give it its own homedir and generate some valid content for it | |
387 | GPGHOMEDIR="$(mktemp -d)" | |
388 | CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';" | |
389 | trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM | |
390 | chmod 700 "$GPGHOMEDIR" | |
391 | # We don't use a secret keyring, of course, but gpg panics and | |
392 | # implodes if there isn't one available - and writeable for imports | |
393 | SECRETKEYRING="${GPGHOMEDIR}/secring.gpg" | |
394 | touch $SECRETKEYRING | |
395 | GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR" | |
396 | # create the trustdb with an (empty) dummy keyring | |
397 | # older gpgs required it, newer gpgs even warn that it isn't needed, | |
398 | # but require it nonetheless for some commands, so we just play safe | |
399 | # here for the foreseeable future and create a dummy one | |
400 | $GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1 | |
401 | # tell gpg that it shouldn't try to maintain a trustdb file | |
402 | GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" | |
403 | GPG="$GPG_CMD" | |
404 | ||
405 | # for advanced operations, we might really need a secret keyring after all | |
406 | if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then | |
407 | rm -f "$SECRETKEYRING" | |
408 | cp -a "$FORCED_SECRET_KEYRING" "$SECRETKEYRING" | |
409 | fi | |
410 | fi | |
411 | ||
412 | case "$command" in | |
413 | add) | |
414 | requires_root | |
415 | setup_merged_keyring | |
416 | $GPG --quiet --batch --import "$@" | |
417 | merge_back_changes | |
418 | aptkey_echo "OK" | |
419 | ;; | |
420 | del|rm|remove) | |
421 | requires_root | |
422 | foreach_keyring_do 'remove_key_from_keyring' "$@" | |
423 | aptkey_echo "OK" | |
424 | ;; | |
425 | update) | |
426 | requires_root | |
427 | setup_merged_keyring | |
428 | update | |
429 | merge_back_changes | |
430 | ;; | |
431 | net-update) | |
432 | requires_root | |
433 | setup_merged_keyring | |
434 | net_update | |
435 | merge_back_changes | |
436 | ;; | |
437 | list) | |
438 | foreach_keyring_do 'run_cmd_on_keyring' --list-keys "$@" | |
439 | ;; | |
440 | finger*) | |
441 | foreach_keyring_do 'run_cmd_on_keyring' --fingerprint "$@" | |
442 | ;; | |
443 | export|exportall) | |
444 | foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg" | |
445 | $GPG_CMD --keyring "${GPGHOMEDIR}/pubring.gpg" --armor --export "$@" | |
446 | ;; | |
447 | adv*) | |
448 | setup_merged_keyring | |
449 | aptkey_echo "Executing: $GPG $*" | |
450 | $GPG "$@" | |
451 | merge_back_changes | |
452 | ;; | |
453 | verify) | |
454 | setup_merged_keyring | |
455 | if which gpgv >/dev/null 2>&1; then | |
456 | gpgv --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@" | |
457 | else | |
458 | $GPG --verify "$@" | |
459 | fi | |
460 | ;; | |
461 | help) | |
462 | usage | |
463 | ;; | |
464 | *) | |
465 | usage | |
466 | exit 1 | |
467 | ;; | |
468 | esac |