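# We don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available, so hand it an empty
# temporary file. Abort if mktemp fails: with an empty SECRETKEYRING
# the unquoted "--secret-keyring ${SECRETKEYRING}" below would expand
# to a bare "--secret-keyring", and gpg would most likely take the
# following option as the keyring name.
SECRETKEYRING="$(mktemp)" || {
    echo >&2 "ERROR: could not create a temporary secret keyring"
    exit 1
}
# Expanded now (double quotes) so the file is removed on normal exit
# and on the listed signals even if the variable is changed later.
trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
# Base gpg invocation: ignore the calling user's gpg options and
# default keyrings; the keyrings to operate on are appended later.
GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"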
  12 if [ "$(id -u)" -eq 0 ]; then 
  13         # we could use a tmpfile here too, but creation of this tends to be time-consuming 
  14         eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) 
  15         GPG_CMD
="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" 
  21 ARCHIVE_KEYRING_URI
="" 
  22 #MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg 
  23 #ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg 
  25 ARCHIVE_KEYRING
=/usr
/share
/keyrings
/debian
-archive-keyring.gpg
 
  26 REMOVED_KEYS
=/usr
/share
/keyrings
/debian
-archive-removed-keys.gpg
 
  29         if [ "$(id -u)" -ne 0 ]; then 
  30                 echo >&1 "ERROR: This command can only be used by root." 
  35 add_keys_with_verify_against_master_keyring
() { 
  39     if [ ! -f "$ADD_KEYRING" ]; then 
  40         echo "ERROR: '$ADD_KEYRING' not found" 
  43     if [ ! -f "$MASTER" ]; then 
  44         echo "ERROR: '$MASTER' not found" 
    # when adding new keys, make sure that the archive-master-keyring
    # is respected: every key that is exported must carry a valid
    # signature from a key in the $distro-master-keyring.
    # NOTE(review): the loop below only checks that "--list-sigs"
    # prints a sig line whose key-ID field contains a master key ID.
    # --list-sigs lists signature packets without verifying them
    # (--check-sigs does verify), and the unanchored "grep -q
    # $master_key" is a substring match on that field, so a key that
    # merely carries an unverified signature packet naming a master
    # key ID would pass this check.
  52     add_keys
=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` 
  53     master_keys
=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` 
  54     for add_key 
in $add_keys; do 
  56         for master_key 
in $master_keys; do 
  57             if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig 
| cut 
-d: -f5 | grep -q $master_key; then 
  58                 $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import 
  62         if [ $ADDED = 0 ]; then 
  63             echo >&2 "Key '$add_key' not added. It is not signed with a master key" 
# update the current archive signing keyring from a network URI.
# The keys in the downloaded archive-keyring need to be signed with
# the master key (otherwise this does not make sense from a security
# POV): the file is fetched with wget over whatever scheme the URI
# uses, and the master-key signature check is the only integrity
# check visible here -- and it only runs when the file's mtime changed.
  72     if [ -z "$ARCHIVE_KEYRING_URI" ]; then 
  73         echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" 
    # in theory we would need to depend on wget for this, but this feature
    # isn't usable in debian anyway as we have no keyring uri nor a master key
  79     if ! which wget 
>/dev
/null 
2>&1; then 
  80         echo >&2 "ERROR: an installed wget is required for a network-based update" 
  83     if [ ! -d /var
/lib
/apt
/keyrings 
]; then 
  84         mkdir -p /var
/lib
/apt
/keyrings
 
  86     keyring
=/var
/lib
/apt
/keyrings
/$(basename $ARCHIVE_KEYRING) 
  88     if [ -e $keyring ]; then 
  89         old_mtime
=$(stat -c %Y $keyring) 
  91     (cd  /var
/lib
/apt
/keyrings
; wget 
-q -N $ARCHIVE_KEYRING_URI) 
  92     if [ ! -e $keyring ]; then 
  95     new_mtime
=$(stat -c %Y $keyring) 
  96     if [ $new_mtime -ne $old_mtime ]; then 
  97         echo "Checking for new archive signing keys now" 
  98         add_keys_with_verify_against_master_keyring 
$keyring $MASTER_KEYRING 
 103     if [ ! -f $ARCHIVE_KEYRING ]; then 
 104         echo >&2 "ERROR: Can't find the archive-keyring" 
 105         echo >&2 "Is the debian-archive-keyring package installed?" 
    # add new keys from the package;
    # we do not use add_keys_with_verify_against_master_keyring here,
    # because "update" is run on regular package updates. An attacker
    # who can replace the archive keyring file in the package could
    # just as well replace the master-archive-keyring file shipped
    # alongside it and add their own keys, so the check would add no
    # security here. We *need* this check on net-update though, where
    # the keyring comes from the network rather than from an installed
    # package.
 117     $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import 
 119     if [ -r "$REMOVED_KEYS" ]; then 
 120         # remove no-longer supported/used keys 
 121         keys
=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` 
 123             if $GPG --list-keys --with-colons | grep ^pub 
| cut 
-d: -f5 | grep -q $key; then 
 124                 $GPG --quiet --batch --delete-key --yes ${key} 
 128         echo "Warning: removed keys keyring  $REMOVED_KEYS missing or not readable" >&2 
 134     echo "Usage: apt-key [--keyring file] [command] [arguments]" 
 136     echo "Manage apt's list of trusted keys" 
 138     echo "  apt-key add <file>          - add the key contained in <file> ('-' for stdin)" 
 139     echo "  apt-key del <keyid>         - remove the key <keyid>" 
 140     echo "  apt-key export <keyid>      - output the key <keyid>" 
 141     echo "  apt-key exportall           - output all trusted keys" 
 142     echo "  apt-key update              - update keys using the keyring package" 
 143     echo "  apt-key net-update          - update keys using the network" 
 144     echo "  apt-key list                - list keys" 
 145     echo "  apt-key finger              - list fingerprints" 
 146     echo "  apt-key adv                 - pass advanced options to gpg (download key)" 
 148     echo "If no specific keyring file is given the command applies to all keyring files." 
 151 # Determine on which keyring we want to work 
 152 if [ "$1" = "--keyring" ]; then 
 153         #echo "keyfile given" 
 156         if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ]; then 
 157                 GPG
="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" 
 159                 echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" 
 163 # otherwise use the default 
 165         #echo "generate list" 
 166         TRUSTEDFILE
="/etc/apt/trusted.gpg" 
 167         eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) 
 168         eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) 
 169         if [ -r "$TRUSTEDFILE" ]; then 
 170                 GPG
="$GPG --keyring $TRUSTEDFILE" 
 172         GPG
="$GPG --primary-keyring $TRUSTEDFILE" 
 173         TRUSTEDPARTS
="/etc/apt/trusted.gpg.d" 
 174         eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) 
 175         if [ -d "$TRUSTEDPARTS" ]; then 
 177                 for trusted 
in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do 
 178                         #echo "part -> $trusted" 
 179                         GPG
="$GPG --keyring $trusted" 
 183 #echo "COMMAND: $GPG" 
 186 if [ -z "$command" ]; then 
 192 if [ "$command" != "help" ] && ! which gpg 
>/dev
/null 
2>&1; then 
 193     echo >&2 "Warning: gnupg does not seem to be installed." 
 194     echo >&2 "Warning: apt-key requires gnupg for most operations." 
 201         $GPG --quiet --batch --import "$1" 
 206         $GPG --quiet --batch --delete-key --yes "$1" 
 216         $GPG --batch --list-keys 
 219         $GPG --batch --fingerprint 
 222         $GPG --armor --export "$1" 
 225         $GPG --armor --export 
 228         echo "Executing: $GPG $*"