]> git.saurik.com Git - apt.git/blob - cmdline/apt-key
merged from apt-authentication-reliability
[apt.git] / cmdline / apt-key
1 #!/bin/sh
2
3 set -e
4
5 # We don't use a secret keyring, of course, but gpg panics and
6 # implodes if there isn't one available
7
8 GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg"
9 GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
10
11
12 MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg
13 ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg
14 REMOVED_KEYS=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
15
16 add_keys_with_verify_against_master_keyring() {
17 ADD_KEYRING=$1
18 MASTER=$2
19
20 if [ ! -f "$ADD_KEYRING" ]; then
21 echo "ERROR: '$ADD_KEYRING' not found"
22 return
23 fi
24 if [ ! -f "$MASTER" ]; then
25 echo "ERROR: '$MASTER' not found"
26 return
27 fi
28
29 # when adding new keys, make sure that the archive-master-keyring
30 # is honored. so:
31 # all keys that are exported and have the name
32 # "Ubuntu Archive Automatic Signing Key" must have a valid signature
33 # from a key in the ubuntu-master-keyring
34 add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
35 master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
36 for add_key in $add_keys; do
37 for master_key in $master_keys; do
38 if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
39 $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import
40 fi
41 done
42 done
43 }
44
45 update() {
46 if [ ! -f $ARCHIVE_KEYRING ]; then
47 echo >&2 "ERROR: Can't find the archive-keyring"
48 echo >&2 "Is the ubuntu-keyring package installed?"
49 exit 1
50 fi
51
52 # add new keys, if no MASTER_KEYRING is used, use the traditional
53 # way
54 if [ -z "$MASTER_KEYRING" ]; then
55 $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
56 else
57 add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING
58 fi
59
60 # remove no-longer supported/used keys
61 keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
62 for key in $keys; do
63 if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
64 $GPG --quiet --batch --delete-key --yes ${key}
65 fi
66 done
67 }
68
69
70 usage() {
71 echo "Usage: apt-key [command] [arguments]"
72 echo
73 echo "Manage apt's list of trusted keys"
74 echo
75 echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
76 echo " apt-key del <keyid> - remove the key <keyid>"
77 echo " apt-key export <keyid> - output the key <keyid>"
78 echo " apt-key exportall - output all trusted keys"
79 echo " apt-key update - update keys using the keyring package"
80 echo " apt-key list - list keys"
81 echo
82 }
83
84 command="$1"
85 if [ -z "$command" ]; then
86 usage
87 exit 1
88 fi
89 shift
90
91 if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
92 echo >&2 "Warning: gnupg does not seem to be installed."
93 echo >&2 "Warning: apt-key requires gnupg for most operations."
94 echo >&2
95 fi
96
97 case "$command" in
98 add)
99 $GPG --quiet --batch --import "$1"
100 echo "OK"
101 ;;
102 del|rm|remove)
103 $GPG --quiet --batch --delete-key --yes "$1"
104 echo "OK"
105 ;;
106 update)
107 update
108 ;;
109 list)
110 $GPG --batch --list-keys
111 ;;
112 finger*)
113 $GPG --batch --fingerprint
114 ;;
115 export)
116 $GPG --armor --export "$1"
117 ;;
118 exportall)
119 $GPG --armor --export
120 ;;
121 adv*)
122 echo "Executing: $GPG $*"
123 $GPG $*
124 ;;
125 help)
126 usage
127 ;;
128 *)
129 usage
130 exit 1
131 ;;
132 esac