cmdline/apt-key

   1 #!/bin/sh
   2
   3 set -e
   4 unset GREP_OPTIONS
   5
   6 # We don't use a secret keyring, of course, but gpg panics and
   7 # implodes if there isn't one available
   8 SECRETKEYRING="$(mktemp)"
   9 trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
  10 GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
  11
  12 if [ "$(id -u)" -eq 0 ]; then
  13         # we could use a tmpfile here too, but creation of this tends to be time-consuming
  14         eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
  15         GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
  16 fi
  17
  18 GPG="$GPG_CMD"
  19
  20
  21 # ubuntu keyrings
  22 MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg
  23 ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
  24 REMOVED_KEYS=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
  25 ARCHIVE_KEYRING_URI=http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg
  26 TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg
  27
  28 requires_root() {
  29         if [ "$(id -u)" -ne 0 ]; then
  30                 echo >&1 "ERROR: This command can only be used by root."
  31                 exit 1
  32         fi
  33 }
  34
  35 add_keys_with_verify_against_master_keyring() {
  36     ADD_KEYRING=$1
  37     MASTER=$2
  38
  39     if [ ! -f "$ADD_KEYRING" ]; then
  40         echo "ERROR: '$ADD_KEYRING' not found"
  41         return
  42     fi
  43     if [ ! -f "$MASTER" ]; then
  44         echo "ERROR: '$MASTER' not found"
  45         return
  46     fi
  47
  48     # when adding new keys, make sure that the archive-master-keyring
  49     # is honored. so:
  50     #   all keys that are exported must have a valid signature
  51     #   from a key in the $distro-master-keyring
  52     add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
  53     all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
  54     master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
  55
  56     # ensure there are no colisions LP: #857472
  57     for all_add_key in $all_add_keys; do
  58         for master_key in $master_keys; do
  59             if [ "$all_add_key" = "$master_key" ]; then
  60                 echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
  61                 return 1
  62             fi
  63         done
  64     done
  65
  66     for add_key in $add_keys; do
  67         # export the add keyring one-by-one
  68         rm -f $TMP_KEYRING
  69         $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
  70         # check if signed with the master key and only add in this case
  71         ADDED=0
  72         for master_key in $master_keys; do
  73             if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
  74                 $GPG --import $TMP_KEYRING
  75                 ADDED=1
  76             fi
  77         done
  78         if [ $ADDED = 0 ]; then
  79             echo >&2 "Key '$add_key' not added. It is not signed with a master key"
  80         fi
  81     done
  82     rm -f $TMP_KEYRING
  83 }
  84
  85 # update the current archive signing keyring from a network URI
  86 # the archive-keyring keys needs to be signed with the master key
  87 # (otherwise it does not make sense from a security POV)
  88 net_update() {
  89     # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
  90     exit 1
  91
  92     if [ -z "$ARCHIVE_KEYRING_URI" ]; then
  93         echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
  94         exit 1
  95     fi
  96     requires_root
  97     # in theory we would need to depend on wget for this, but this feature
  98     # isn't useable in debian anyway as we have no keyring uri nor a master key
  99     if ! which wget >/dev/null 2>&1; then
 100         echo >&2 "ERROR: an installed wget is required for a network-based update"
 101         exit 1
 102     fi
 103     if [ ! -d /var/lib/apt/keyrings ]; then
 104         mkdir -p /var/lib/apt/keyrings
 105     fi
 106     keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING)
 107     old_mtime=0
 108     if [ -e $keyring ]; then
 109         old_mtime=$(stat -c %Y $keyring)
 110     fi
 111     (cd  /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
 112     if [ ! -e $keyring ]; then
 113         return
 114     fi
 115     new_mtime=$(stat -c %Y $keyring)
 116     if [ $new_mtime -ne $old_mtime ]; then
 117         echo "Checking for new archive signing keys now"
 118         add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
 119     fi
 120 }
 121
 122 update() {
 123     if [ ! -f $ARCHIVE_KEYRING ]; then
 124         echo >&2 "ERROR: Can't find the archive-keyring"
 125         echo >&2 "Is the ubuntu-keyring package installed?"
 126         exit 1
 127     fi
 128     requires_root
 129
 130     # add new keys from the package;
 131
 132     # we do not use add_keys_with_verify_against_master_keyring here,
 133     # because "update" is run on regular package updates.  A
 134     # attacker might as well replace the master-archive-keyring file
 135     # in the package and add his own keys. so this check wouldn't
 136     # add any security. we *need* this check on net-update though
 137     $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
 138
 139     if [ -r "$REMOVED_KEYS" ]; then
 140         # remove no-longer supported/used keys
 141         keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
 142         for key in $keys; do
 143             if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
 144                 $GPG --quiet --batch --delete-key --yes ${key}
 145             fi
 146         done
 147     else
 148         echo "Warning: removed keys keyring  $REMOVED_KEYS missing or not readable" >&2
 149     fi
 150 }
 151
 152
 153 usage() {
 154     echo "Usage: apt-key [--keyring file] [command] [arguments]"
 155     echo
 156     echo "Manage apt's list of trusted keys"
 157     echo
 158     echo "  apt-key add <file>          - add the key contained in <file> ('-' for stdin)"
 159     echo "  apt-key del <keyid>         - remove the key <keyid>"
 160     echo "  apt-key export <keyid>      - output the key <keyid>"
 161     echo "  apt-key exportall           - output all trusted keys"
 162     echo "  apt-key update              - update keys using the keyring package"
 163     echo "  apt-key net-update          - update keys using the network"
 164     echo "  apt-key list                - list keys"
 165     echo "  apt-key finger              - list fingerprints"
 166     echo "  apt-key adv                 - pass advanced options to gpg (download key)"
 167     echo
 168     echo "If no specific keyring file is given the command applies to all keyring files."
 169 }
 170
 171 # Determine on which keyring we want to work
 172 if [ "$1" = "--keyring" ]; then
 173         #echo "keyfile given"
 174         shift
 175         TRUSTEDFILE="$1"
 176         if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ]; then
 177                 GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
 178         else
 179                 echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable"
 180                 exit 1
 181         fi
 182         shift
 183 # otherwise use the default
 184 else
 185         #echo "generate list"
 186         TRUSTEDFILE="/etc/apt/trusted.gpg"
 187         eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
 188         eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
 189         if [ -r "$TRUSTEDFILE" ]; then
 190                 GPG="$GPG --keyring $TRUSTEDFILE"
 191         fi
 192         GPG="$GPG --primary-keyring $TRUSTEDFILE"
 193         TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
 194         eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
 195         if [ -d "$TRUSTEDPARTS" ]; then
 196                 #echo "parts active"
 197                 for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do
 198                         #echo "part -> $trusted"
 199                         GPG="$GPG --keyring $trusted"
 200                 done
 201         fi
 202 fi
 203 #echo "COMMAND: $GPG"
 204
 205 command="$1"
 206 if [ -z "$command" ]; then
 207     usage
 208     exit 1
 209 fi
 210 shift
 211
 212 if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
 213     echo >&2 "Warning: gnupg does not seem to be installed."
 214     echo >&2 "Warning: apt-key requires gnupg for most operations."
 215     echo >&2
 216 fi
 217
 218 case "$command" in
 219     add)
 220         requires_root
 221         $GPG --quiet --batch --import "$1"
 222         echo "OK"
 223         ;;
 224     del|rm|remove)
 225         requires_root
 226         $GPG --quiet --batch --delete-key --yes "$1"
 227         echo "OK"
 228         ;;
 229     update)
 230         update
 231         ;;
 232     net-update)
 233         net_update
 234         ;;
 235     list)
 236         $GPG --batch --list-keys
 237         ;;
 238     finger*)
 239         $GPG --batch --fingerprint
 240         ;;
 241     export)
 242         $GPG --armor --export "$1"
 243         ;;
 244     exportall)
 245         $GPG --armor --export
 246         ;;
 247     adv*)
 248         echo "Executing: $GPG $*"
 249         $GPG $*
 250         ;;
 251     help)
 252         usage
 253         ;;
 254     *)
 255         usage
 256         exit 1
 257         ;;
 258 esac