+
+ local GPG="$GPG_CMD --keyring $KEYRINGFILE"
+ for KEY in "$@"; do
+ local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst"
+ get_fingerprints_of_keyring "$KEYRINGFILE" > "$FINGERPRINTS"
+ # check if the key is in this keyring
+ if ! grep -iq "^[0-9A-F]*${KEY}$" "$FINGERPRINTS"; then
+ continue
+ fi
+ if [ ! -w "$KEYRINGFILE" ]; then
+ echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
+ continue
+ fi
+ # check if it is the only key in the keyring and if so remove the keyring altogether
+ if [ '1' = "$(uniq "$FINGERPRINTS" | wc -l)" ]; then
+ mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg
+ return
+ fi
+ # we can't just modify pointed to files as these might be in /usr or something
+ local REALTARGET
+ if [ -L "$KEYRINGFILE" ]; then
+ REALTARGET="$(readlink -f "$KEYRINGFILE")"
+ mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp"
+ cp -a "$REALTARGET" "$KEYRINGFILE"
+ fi
+ # delete the key from the keyring
+ $GPG --batch --delete-keys --yes "$KEY"
+ if [ -n "$REALTARGET" ]; then
+ # the real backup is the old link, not the copy we made
+ mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~"
+ fi
+ done
+}
+
+foreach_keyring_do() {
+ local ACTION="$1"
+ shift
+ # if a --keyring was given, just work on this one
+ if [ -n "$FORCED_KEYRING" ]; then
+ $ACTION "$FORCED_KEYRING" "$@"
+ else
+ # otherwise all known keyrings are up for inspection
+ if [ -s "$TRUSTEDFILE" ]; then
+ $ACTION "$TRUSTEDFILE" "$@"
+ fi
+ local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
+ eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
+ if [ -d "$TRUSTEDPARTS" ]; then
+ # strip / suffix as gpg will double-slash in that case (#665411)
+ local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
+ if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
+ TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
+ fi
+ for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
+ if [ -s "$trusted" ]; then
+ $ACTION "$trusted" "$@"
+ fi
+ done
+ fi
+ fi
+}
+
+run_cmd_on_keyring() {
+ local KEYRINGFILE="$1"
+ shift
+ # fingerprint and co will fail if key isn't in this keyring
+ $GPG_CMD --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true
+}
+
+import_keyring_into_keyring() {
+ local FROM="${1:-${GPGHOMEDIR}/pubring.gpg}"
+ local TO="${2:-${GPGHOMEDIR}/pubring.gpg}"
+ shift 2
+ rm -f "${GPGHOMEDIR}/gpgoutput.log"
+ # the idea is simple: We take keys from one keyring and copy it to another
+ # we do this with so many checks inbetween to ensure that WE control the
+ # creation, so we know that the (potentially) created $TO keyring is a
+ # simple keyring rather than a keybox as gpg2 would create it which in turn
+ # can't be read by gpgv.
+ # BEWARE: This is designed more in the way to work with the current
+ # callers, than to have a well defined it would be easy to add new callers to.
+ if [ ! -s "$TO" ]; then
+ if [ -s "$FROM" ]; then
+ if [ -z "$2" ]; then
+ if ! $GPG_CMD --keyring "$FROM" --export ${1:+"$1"} > "$TO" 2> "${GPGHOMEDIR}/gpgoutput.log"; then
+ cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
+ false
+ else
+ chmod 0644 -- "$TO"
+ fi
+ else
+ create_new_keyring "$TO"
+ fi
+ else
+ create_new_keyring "$TO"
+ fi
+ elif [ -s "$FROM" ]; then
+ local EXPORTLIMIT="$1"
+ if [ -n "$1$2" ]; then shift; fi
+ if ! $GPG_CMD --keyring "$FROM" --export ${EXPORTLIMIT:+"$EXPORTLIMIT"} | $GPG_CMD --keyring "$TO" --batch --import "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
+ cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
+ false
+ fi