#!/bin/sh
set -e
+unset GREP_OPTIONS
# We don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available
# add new keys from the package;
# we do not use add_keys_with_verify_against_master_keyring here,
- # because we "update" is run on regular package updates. A
+ # because "update" is run on regular package updates. A
# attacker might as well replace the master-archive-keyring file
# in the package and add his own keys. so this check wouldn't
# add any security. we *need* this check on net-update though
$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
- # remove no-longer supported/used keys
- keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
- for key in $keys; do
- if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
- $GPG --quiet --batch --delete-key --yes ${key}
- fi
- done
+ if [ -r "$REMOVED_KEYS" ]; then
+ # remove no-longer supported/used keys
+ keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ for key in $keys; do
+ if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
+ $GPG --quiet --batch --delete-key --yes ${key}
+ fi
+ done
+ else
+ echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2
+ fi
}
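Review bot: The new `[ -r "$REMOVED_KEYS" ]` guard quotes the path, but the gpg call on the next added line still expands `$REMOVED_KEYS` unquoted, so the path that was tested and the path gpg receives can differ if the value ever contains whitespace or glob characters. Quoting it the same way keeps the two consistent: `keys=$($GPG_CMD --keyring "$REMOVED_KEYS" --with-colons --list-keys | grep ^pub | cut -d: -f5)`. Separately, the status of that pipeline is the status of `cut`, so even with `set -e` a gpg failure on a readable but damaged keyring leaves `keys` empty and the loop removes nothing without any message. Since this step is what withdraws trust from retired keys, it would help to warn on that path as the new `else` branch does for a missing file. The enclosing function starts outside this hunk, so how `REMOVED_KEYS` is set is not visible here.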
echo " apt-key update - update keys using the keyring package"
echo " apt-key net-update - update keys using the network"
echo " apt-key list - list keys"
+ echo " apt-key finger - list fingerprints"
+ echo " apt-key adv - pass advanced options to gpg (download key)"
echo
}