6 GPG_CMD
="gpg --ignore-time-conflict --no-options --no-default-keyring"
8 # gpg needs (in different versions more or less) files to function correctly,
9 # so we give it its own homedir and generate some valid content for it
10 GPGHOMEDIR
="$(mktemp -d)"
11 CURRENTTRAP
="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';"
12 trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
13 chmod 700 "$GPGHOMEDIR"
14 # We don't use a secret keyring, of course, but gpg panics and
15 # implodes if there isn't one available - and writeable for imports
16 SECRETKEYRING
="${GPGHOMEDIR}/secring.gpg"
18 GPG_CMD
="$GPG_CMD --homedir $GPGHOMEDIR"
19 # create the trustdb with an (empty) dummy keyring
20 # older gpgs required it, newer gpgs even warn that it isn't needed,
21 # but require it nonetheless for some commands, so we just play safe
22 # here for the foreseeable future and create a dummy one
23 $GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev
/null
2>&1
24 # tell gpg that it shouldn't try to maintain a trustdb file
25 GPG_CMD
="$GPG_CMD --no-auto-check-trustdb --trust-model always"
30 eval $(apt-config shell APT_DIR Dir)
32 MASTER_KEYRING
='&keyring-master-filename;'
33 eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
34 ARCHIVE_KEYRING
='&keyring-filename;'
35 eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)
36 REMOVED_KEYS
='&keyring-removed-filename;'
37 eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
38 ARCHIVE_KEYRING_URI
='&keyring-uri;'
39 eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
40 TMP_KEYRING
=${APT_DIR}/var
/lib
/apt
/keyrings
/maybe
-import-keyring.gpg
43 if [ "$(id -u)" -ne 0 ]; then
44 echo >&1 "ERROR: This command can only be used by root."
49 # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
52 if ! [ -e "$path" ]; then
59 add_keys_with_verify_against_master_keyring
() {
63 if [ ! -f "$ADD_KEYRING" ]; then
64 echo "ERROR: '$ADD_KEYRING' not found"
67 if [ ! -f "$MASTER" ]; then
68 echo "ERROR: '$MASTER' not found"
72 # when adding new keys, make sure that the archive-master-keyring
74 # all keys that are exported must have a valid signature
75 # from a key in the $distro-master-keyring
76 add_keys
=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
77 all_add_keys
=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
78 master_keys
=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
80 # ensure there are no colisions LP: #857472
81 for all_add_key
in $all_add_keys; do
82 for master_key
in $master_keys; do
83 if [ "$all_add_key" = "$master_key" ]; then
84 echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
90 for add_key
in $add_keys; do
91 # export the add keyring one-by-one
93 $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
94 # check if signed with the master key and only add in this case
96 for master_key
in $master_keys; do
97 if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut
-d: -f5 | grep -q $master_key; then
98 $GPG --import $TMP_KEYRING
102 if [ $ADDED = 0 ]; then
103 echo >&2 "Key '$add_key' not added. It is not signed with a master key"
109 # update the current archive signing keyring from a network URI
110 # the archive-keyring keys needs to be signed with the master key
111 # (otherwise it does not make sense from a security POV)
113 # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
114 APT_KEY_NET_UPDATE_ENABLED
=""
115 eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled)
116 if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then
120 if [ -z "$ARCHIVE_KEYRING_URI" ]; then
121 echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
125 # in theory we would need to depend on wget for this, but this feature
126 # isn't useable in debian anyway as we have no keyring uri nor a master key
127 if ! which wget
>/dev
/null
2>&1; then
128 echo >&2 "ERROR: an installed wget is required for a network-based update"
131 if [ ! -d ${APT_DIR}/var
/lib
/apt
/keyrings
]; then
132 mkdir -p ${APT_DIR}/var
/lib
/apt
/keyrings
134 keyring
=${APT_DIR}/var
/lib
/apt
/keyrings
/$(basename $ARCHIVE_KEYRING_URI)
136 if [ -e $keyring ]; then
137 old_mtime
=$(stat -c %Y $keyring)
139 (cd ${APT_DIR}/var
/lib
/apt
/keyrings
; wget
--timeout=90 -q -N $ARCHIVE_KEYRING_URI)
140 if [ ! -e $keyring ]; then
143 new_mtime
=$(stat -c %Y $keyring)
144 if [ $new_mtime -ne $old_mtime ]; then
145 echo "Checking for new archive signing keys now"
146 add_keys_with_verify_against_master_keyring
$keyring $MASTER_KEYRING
151 if [ ! -f $ARCHIVE_KEYRING ]; then
152 echo >&2 "ERROR: Can't find the archive-keyring"
153 echo >&2 "Is the &keyring-package; package installed?"
158 # add new keys from the package;
160 # we do not use add_keys_with_verify_against_master_keyring here,
161 # because "update" is run on regular package updates. A
162 # attacker might as well replace the master-archive-keyring file
163 # in the package and add his own keys. so this check wouldn't
164 # add any security. we *need* this check on net-update though
165 $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
167 if [ -r "$REMOVED_KEYS" ]; then
168 # remove no-longer supported/used keys
169 keys
=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
171 if $GPG --list-keys --with-colons | grep ^pub
| cut
-d: -f5 | grep -q $key; then
172 $GPG --quiet --batch --delete-key --yes ${key}
176 echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2
180 remove_key_from_keyring
() {
181 local GPG
="$GPG_CMD --keyring $1"
182 # check if the key is in this keyring: the key id is in the 5 column at the end
183 if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then
186 if [ ! -w "$1" ]; then
187 echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only."
190 # check if it is the only key in the keyring and if so remove the keyring altogether
191 if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then
192 mv -f "$1" "${1}~" # behave like gpg
195 # we can't just modify pointed to files as these might be in /usr or something
198 REALTARGET
="$(readlink -f "$1")"
199 mv -f "$1" "${1}.dpkg-tmp"
200 cp -a "$REALTARGET" "$1"
203 # delete the key from the keyring
204 $GPG --batch --delete-key --yes "$2"
205 if [ -n "$REALTARGET" ]; then
206 # the real backup is the old link, not the copy we made
207 mv -f "${1}.dpkg-tmp" "${1}~"
214 # if a --keyring was given, just remove from there
215 if [ -n "$FORCED_KEYRING" ]; then
216 remove_key_from_keyring
"$FORCED_KEYRING" "$1"
218 # otherwise all known keyrings are up for inspection
219 local TRUSTEDFILE
="/etc/apt/trusted.gpg"
220 eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
221 eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
222 remove_key_from_keyring
"$TRUSTEDFILE" "$1"
223 TRUSTEDPARTS
="/etc/apt/trusted.gpg.d"
224 eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
225 if [ -d "$TRUSTEDPARTS" ]; then
226 for trusted
in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
227 remove_key_from_keyring
"$trusted" "$1"
236 echo "Usage: apt-key [--keyring file] [command] [arguments]"
238 echo "Manage apt's list of trusted keys"
240 echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
241 echo " apt-key del <keyid> - remove the key <keyid>"
242 echo " apt-key export <keyid> - output the key <keyid>"
243 echo " apt-key exportall - output all trusted keys"
244 echo " apt-key update - update keys using the keyring package"
245 echo " apt-key net-update - update keys using the network"
246 echo " apt-key list - list keys"
247 echo " apt-key finger - list fingerprints"
248 echo " apt-key adv - pass advanced options to gpg (download key)"
250 echo "If no specific keyring file is given the command applies to all keyring files."
253 while [ -n "$1" ]; do
259 if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then
260 GPG
="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
262 echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable"
268 requires_root
() { true
; }
272 echo >&2 "Unknown option: $1"
280 if [ -z "$TRUSTEDFILE" ]; then
281 TRUSTEDFILE
="/etc/apt/trusted.gpg"
282 eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
283 eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
284 if [ -r "$TRUSTEDFILE" ]; then
285 GPG
="$GPG --keyring $TRUSTEDFILE"
287 GPG
="$GPG --primary-keyring $TRUSTEDFILE"
288 TRUSTEDPARTS
="/etc/apt/trusted.gpg.d"
289 eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
290 if [ -d "$TRUSTEDPARTS" ]; then
291 # strip / suffix as gpg will double-slash in that case (#665411)
292 STRIPPED_TRUSTEDPARTS
="${TRUSTEDPARTS%/}"
293 if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
294 TRUSTEDPARTS
="$STRIPPED_TRUSTEDPARTS"
296 for trusted
in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
297 GPG
="$GPG --keyring $trusted"
303 if [ -z "$command" ]; then
309 if [ "$command" != "help" ] && ! which gpg
>/dev
/null
2>&1; then
310 echo >&2 "Warning: gnupg does not seem to be installed."
311 echo >&2 "Warning: apt-key requires gnupg for most operations."
318 init_keyring
"$TRUSTEDFILE"
319 $GPG --quiet --batch --import "$1"
323 init_keyring
"$TRUSTEDFILE"
327 init_keyring
"$TRUSTEDFILE"
331 init_keyring
"$TRUSTEDFILE"
335 init_keyring
"$TRUSTEDFILE"
336 $GPG --batch --list-keys
339 init_keyring
"$TRUSTEDFILE"
340 $GPG --batch --fingerprint
343 init_keyring
"$TRUSTEDFILE"
344 $GPG --armor --export "$1"
347 init_keyring
"$TRUSTEDFILE"
348 $GPG --armor --export
351 init_keyring
"$TRUSTEDFILE"
352 echo "Executing: $GPG $*"