]> git.saurik.com Git - apt.git/blobdiff - cmdline/apt-key
projects / apt.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
do not double-slash paths in apt-key
[apt.git] / cmdline / apt-key
diff --git a/cmdline/apt-key b/cmdline/apt-key
index 4596e4a47623ba8cf8240e2ab7c96705245d07f5..7038be265bcc83c0d573867cdfd074bea1929c40 100755 (executable)
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -3,26 +3,26 @@
 set -e
 unset GREP_OPTIONS
 
-# We don't use a secret keyring, of course, but gpg panics and
-# implodes if there isn't one available
-SECRETKEYRING="$(mktemp)"
-CURRENTTRAP="rm -f '${SECRETKEYRING}';"
-trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
-GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
+GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
 
-eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
-if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then
-   # root can read/create the file as needed, so use the default
-   true
-else
-   # gpg needs a trustdb to function, but it can't be invalid (not even empty)
-   # so we create a tempory directory to store our fresh readable trustdb in
-   TRUSTDBDIR="$(mktemp -d)"
-   CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
-   trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
-   chmod 700 "$TRUSTDBDIR"
-fi
+# gpg needs a trustdb to function, but it can't be invalid (not even empty)
+# so we create a temporary directory to store our fresh readable trustdb in
+TRUSTDBDIR="$(mktemp -d)"
+CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+chmod 700 "$TRUSTDBDIR"
+# We also don't use a secret keyring, of course, but gpg panics and
+# implodes if there isn't one available - and writeable for imports
+SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
+touch $SECRETKEYRING
+GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
 GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+
+# now create the trustdb with an (empty) dummy keyring
+$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
+# and make sure that gpg isn't trying to update the file
+GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
+
 GPG="$GPG_CMD"
 
 MASTER_KEYRING=""
@@ -203,7 +203,12 @@ if [ -z "$TRUSTEDFILE" ]; then
    TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
    eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
    if [ -d "$TRUSTEDPARTS" ]; then
-      for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do
+      # strip / suffix as gpg will double-slash in that case (#665411)
+      STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
+      if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
+        TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
+      fi
+      for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
         GPG="$GPG --keyring $trusted"
       done
    fi
APT (for Cydia)