]> git.saurik.com Git - apt.git/blob - cmdline/apt-key.in
projects / apt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
allow to specify fingerprints in 'apt-key del'
[apt.git] / cmdline / apt-key.in
1 #!/bin/sh
2
3 set -e
4 unset GREP_OPTIONS
5
6 APT_DIR="/"
7 eval $(apt-config shell APT_DIR Dir)
8
9 MASTER_KEYRING='&keyring-master-filename;'
10 eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
11 ARCHIVE_KEYRING='&keyring-filename;'
12 eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)
13 REMOVED_KEYS='&keyring-removed-filename;'
14 eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
15 ARCHIVE_KEYRING_URI='&keyring-uri;'
16 eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
17 TMP_KEYRING=${APT_DIR}/var/lib/apt/keyrings/maybe-import-keyring.gpg
18
19 aptkey_echo() { echo "$@"; }
20
21 requires_root() {
22 if [ "$(id -u)" -ne 0 ]; then
23 echo >&2 "ERROR: This command can only be used by root."
24 exit 1
25 fi
26 }
27
28 get_fingerprints_of_keyring() {
29 $GPG_CMD --keyring "$1" --with-colons --fingerprint | while read publine; do
30 # search for a public key
31 if [ "${publine%%:*}" != 'pub' ]; then continue; fi
32 # search for the associated fingerprint (should be the very next line)
33 while read fprline; do
34 if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen
35 elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi
36 echo "$fprline" | cut -d':' -f 10
37 done
38 done
39 }
40
41 add_keys_with_verify_against_master_keyring() {
42 ADD_KEYRING=$1
43 MASTER=$2
44
45 if [ ! -f "$ADD_KEYRING" ]; then
46 echo >&2 "ERROR: '$ADD_KEYRING' not found"
47 return
48 fi
49 if [ ! -f "$MASTER" ]; then
50 echo >&2 "ERROR: '$MASTER' not found"
51 return
52 fi
53
54 # when adding new keys, make sure that the archive-master-keyring
55 # is honored. so:
56 # all keys that are exported must have a valid signature
57 # from a key in the $distro-master-keyring
58 add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")"
59 all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
60 master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
61
62 # ensure there are no colisions LP: #857472
63 for all_add_key in $all_add_keys; do
64 for master_key in $master_keys; do
65 if [ "$all_add_key" = "$master_key" ]; then
66 echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
67 return 1
68 fi
69 done
70 done
71
72 for add_key in $add_keys; do
73 # export the add keyring one-by-one
74 rm -f $TMP_KEYRING
75 $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
76 # check if signed with the master key and only add in this case
77 ADDED=0
78 for master_key in $master_keys; do
79 if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
80 $GPG --import $TMP_KEYRING
81 ADDED=1
82 fi
83 done
84 if [ $ADDED = 0 ]; then
85 echo >&2 "Key '$add_key' not added. It is not signed with a master key"
86 fi
87 done
88 rm -f $TMP_KEYRING
89 }
90
91 # update the current archive signing keyring from a network URI
92 # the archive-keyring keys needs to be signed with the master key
93 # (otherwise it does not make sense from a security POV)
94 net_update() {
95 # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
96 APT_KEY_NET_UPDATE_ENABLED=""
97 eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled)
98 if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then
99 exit 1
100 fi
101
102 if [ -z "$ARCHIVE_KEYRING_URI" ]; then
103 echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
104 exit 1
105 fi
106 # in theory we would need to depend on wget for this, but this feature
107 # isn't useable in debian anyway as we have no keyring uri nor a master key
108 if ! which wget >/dev/null 2>&1; then
109 echo >&2 "ERROR: an installed wget is required for a network-based update"
110 exit 1
111 fi
112 if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then
113 mkdir -p ${APT_DIR}/var/lib/apt/keyrings
114 fi
115 keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING_URI)
116 old_mtime=0
117 if [ -e $keyring ]; then
118 old_mtime=$(stat -c %Y $keyring)
119 fi
120 (cd ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
121 if [ ! -e $keyring ]; then
122 return
123 fi
124 new_mtime=$(stat -c %Y $keyring)
125 if [ $new_mtime -ne $old_mtime ]; then
126 aptkey_echo "Checking for new archive signing keys now"
127 add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
128 fi
129 }
130
131 update() {
132 if [ ! -f $ARCHIVE_KEYRING ]; then
133 echo >&2 "ERROR: Can't find the archive-keyring"
134 echo >&2 "Is the &keyring-package; package installed?"
135 exit 1
136 fi
137
138 # add new keys from the package;
139
140 # we do not use add_keys_with_verify_against_master_keyring here,
141 # because "update" is run on regular package updates. A
142 # attacker might as well replace the master-archive-keyring file
143 # in the package and add his own keys. so this check wouldn't
144 # add any security. we *need* this check on net-update though
145 $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
146
147 if [ -r "$REMOVED_KEYS" ]; then
148 # remove no-longer supported/used keys
149 get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do
150 foreach_keyring_do 'remove_key_from_keyring' "$key"
151 done
152 else
153 echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable"
154 fi
155 }
156
157 remove_key_from_keyring() {
158 local KEYRINGFILE="$1"
159 shift
160 # non-existent keyrings have by definition no keys
161 if [ ! -e "$KEYRINGFILE" ]; then
162 return
163 fi
164
165 local GPG="$GPG_CMD --keyring $KEYRINGFILE"
166 while [ -n "$1" ]; do
167 local KEY="$1"
168 shift
169 # check if the key is in this keyring: the key id is in the 5 column at the end
170 if ! get_fingerprints_of_keyring "$KEYRINGFILE" | grep -q "^[0-9A-F]*${KEY}$"; then
171 continue
172 fi
173 if [ ! -w "$KEYRINGFILE" ]; then
174 echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
175 continue
176 fi
177 # check if it is the only key in the keyring and if so remove the keyring altogether
178 if [ '1' = "$(get_fingerprints_of_keyring "$KEYRINGFILE" | wc -l)" ]; then
179 mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg
180 return
181 fi
182 # we can't just modify pointed to files as these might be in /usr or something
183 local REALTARGET
184 if [ -L "$KEYRINGFILE" ]; then
185 REALTARGET="$(readlink -f "$KEYRINGFILE")"
186 mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp"
187 cp -a "$REALTARGET" "$KEYRINGFILE"
188 fi
189 # delete the key from the keyring
190 $GPG --batch --delete-key --yes "$KEY"
191 if [ -n "$REALTARGET" ]; then
192 # the real backup is the old link, not the copy we made
193 mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~"
194 fi
195 done
196 }
197
198 foreach_keyring_do() {
199 local ACTION="$1"
200 shift
201 # if a --keyring was given, just remove from there
202 if [ -n "$FORCED_KEYRING" ]; then
203 $ACTION "$FORCED_KEYRING" "$@"
204 else
205 # otherwise all known keyrings are up for inspection
206 if [ -s "$TRUSTEDFILE" ]; then
207 $ACTION "$TRUSTEDFILE" "$@"
208 fi
209 local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
210 eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
211 if [ -d "$TRUSTEDPARTS" ]; then
212 # strip / suffix as gpg will double-slash in that case (#665411)
213 local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
214 if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
215 TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
216 fi
217 for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
218 if [ -s "$trusted" ]; then
219 $ACTION "$trusted" "$@"
220 fi
221 done
222 fi
223 fi
224 }
225
226 list_keys_from_keyring() {
227 local KEYRINGFILE="$1"
228 shift
229 # don't show the error message if this keyring doesn't include the key
230 $GPG_CMD --keyring "$KEYRINGFILE" --batch --list-keys "$@" 2>/dev/null || true
231 }
232
233 fingerprint_keys_from_keyring() {
234 local KEYRINGFILE="$1"
235 shift
236 # don't show the error message if this keyring doesn't include the fingerprint
237 $GPG_CMD --keyring "$KEYRINGFILE" --batch --fingerprint "$@" 2>/dev/null || true
238 }
239
240 import_keys_from_keyring() {
241 local IMPORT="$1"
242 local KEYRINGFILE="$2"
243 $GPG_CMD --keyring "$KEYRINGFILE" --batch --import "$IMPORT" >/dev/null 2>&1
244 }
245
246 setup_merged_keyring() {
247 if [ -z "$FORCED_KEYRING" ]; then
248 local TRUSTEDFILE_BAK="$TRUSTEDFILE"
249 TRUSTEDFILE='/dev/null'
250 foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg"
251 TRUSTEDFILE="$TRUSTEDFILE_BAK"
252 # mark it as non-writeable so users get errors if gnupg tries to modify it
253 if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then
254 chmod -w "${GPGHOMEDIR}/pubring.gpg"
255 GPG="$GPG --keyring ${GPGHOMEDIR}/pubring.gpg"
256 fi
257 fi
258 if [ -r "$TRUSTEDFILE" ]; then
259 GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE"
260 fi
261 }
262
263
264 usage() {
265 echo "Usage: apt-key [--keyring file] [command] [arguments]"
266 echo
267 echo "Manage apt's list of trusted keys"
268 echo
269 echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
270 echo " apt-key del <keyid> - remove the key <keyid>"
271 echo " apt-key export <keyid> - output the key <keyid>"
272 echo " apt-key exportall - output all trusted keys"
273 echo " apt-key update - update keys using the keyring package"
274 echo " apt-key net-update - update keys using the network"
275 echo " apt-key list - list keys"
276 echo " apt-key finger - list fingerprints"
277 echo " apt-key adv - pass advanced options to gpg (download key)"
278 echo
279 echo "If no specific keyring file is given the command applies to all keyring files."
280 }
281
282 while [ -n "$1" ]; do
283 case "$1" in
284 --keyring)
285 shift
286 TRUSTEDFILE="$1"
287 FORCED_KEYRING="$1"
288 shift
289 ;;
290 --fakeroot)
291 requires_root() { true; }
292 shift
293 ;;
294 --quiet)
295 aptkey_echo() { true; }
296 shift
297 ;;
298 --*)
299 echo >&2 "Unknown option: $1"
300 usage
301 exit 1;;
302 *)
303 break;;
304 esac
305 done
306
307 if [ -z "$TRUSTEDFILE" ]; then
308 TRUSTEDFILE="/etc/apt/trusted.gpg"
309 eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
310 eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
311 fi
312
313 command="$1"
314 if [ -z "$command" ]; then
315 usage
316 exit 1
317 fi
318 shift
319
320 if [ "$command" != "help" ]; then
321 eval $(apt-config shell GPG_EXE Apt::Key::gpgcommand)
322
323 if [ -n "$GPG_EXE" ] && which "$GPG_EXE" >/dev/null 2>&1; then
324 true
325 elif which gpg >/dev/null 2>&1; then
326 GPG_EXE="gpg"
327 elif which gpg2 >/dev/null 2>&1; then
328 GPG_EXE="gpg2"
329 else
330 echo >&2 "Error: gnupg or gnupg2 do not seem to be installed,"
331 echo >&2 "Error: but apt-key requires gnupg or gnupg2 for operation."
332 echo >&2
333 exit 255
334 fi
335
336 GPG_CMD="$GPG_EXE --ignore-time-conflict --no-options --no-default-keyring"
337
338 # gpg needs (in different versions more or less) files to function correctly,
339 # so we give it its own homedir and generate some valid content for it
340 GPGHOMEDIR="$(mktemp -d)"
341 CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';"
342 trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
343 chmod 700 "$GPGHOMEDIR"
344 # We don't use a secret keyring, of course, but gpg panics and
345 # implodes if there isn't one available - and writeable for imports
346 SECRETKEYRING="${GPGHOMEDIR}/secring.gpg"
347 touch $SECRETKEYRING
348 GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR"
349 # create the trustdb with an (empty) dummy keyring
350 # older gpgs required it, newer gpgs even warn that it isn't needed,
351 # but require it nonetheless for some commands, so we just play safe
352 # here for the foreseeable future and create a dummy one
353 $GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1
354 # tell gpg that it shouldn't try to maintain a trustdb file
355 GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
356 GPG="$GPG_CMD"
357
358 # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
359 if ! [ -e "$TRUSTEDFILE" ]; then
360 if [ -w "$(dirname "$TRUSTEDFILE")" ]; then
361 touch -- "$TRUSTEDFILE"
362 chmod 0644 -- "$TRUSTEDFILE"
363 fi
364 fi
365 fi
366
367 case "$command" in
368 add)
369 requires_root
370 setup_merged_keyring
371 $GPG --quiet --batch --import "$@"
372 aptkey_echo "OK"
373 ;;
374 del|rm|remove)
375 requires_root
376 foreach_keyring_do 'remove_key_from_keyring' "$@"
377 aptkey_echo "OK"
378 ;;
379 update)
380 requires_root
381 setup_merged_keyring
382 update
383 ;;
384 net-update)
385 requires_root
386 setup_merged_keyring
387 net_update
388 ;;
389 list)
390 foreach_keyring_do 'list_keys_from_keyring' "$@"
391 ;;
392 finger*)
393 foreach_keyring_do 'fingerprint_keys_from_keyring' "$@"
394 ;;
395 export|exportall)
396 foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg"
397 $GPG_CMD --keyring "${GPGHOMEDIR}/pubring.gpg" --armor --export "$@"
398 ;;
399 adv*)
400 setup_merged_keyring
401 aptkey_echo "Executing: $GPG $*"
402 $GPG "$@"
403 ;;
404 help)
405 usage
406 ;;
407 *)
408 usage
409 exit 1
410 ;;
411 esac
APT (for Cydia)