requires_root() {
if [ "$(id -u)" -ne 0 ]; then
- echo >&2 "ERROR: This command can only be used by root."
+ apt_error "This command can only be used by root."
exit 1
fi
}
MASTER="$2"
if [ ! -f "$ADD_KEYRING" ]; then
- echo >&2 "ERROR: '$ADD_KEYRING' not found"
+ apt_error "Keyring '$ADD_KEYRING' to be added not found"
return
fi
if [ ! -f "$MASTER" ]; then
- echo >&2 "ERROR: '$MASTER' not found"
+ apt_error "Master-Keyring '$MASTER' not found"
return
fi
fi
if [ -z "$ARCHIVE_KEYRING_URI" ]; then
- echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
+ apt_error 'Your distribution is not supported in net-update as no uri for the archive-keyring is set'
exit 1
fi
# in theory we would need to depend on wget for this, but this feature
# isn't useable in debian anyway as we have no keyring uri nor a master key
if ! command_available 'wget'; then
- echo >&2 "ERROR: an installed wget is required for a network-based update"
+ apt_error 'wget is required for a network-based update, but it is not installed'
exit 1
fi
if [ ! -d "${APT_DIR}/var/lib/apt/keyrings" ]; then
fi
fi
if [ ! -f "$ARCHIVE_KEYRING" ]; then
- echo >&2 "ERROR: Can't find the archive-keyring"
- echo >&2 "Is the &keyring-package; package installed?"
+ apt_error "Can't find the archive-keyring (Is the &keyring-package; package installed?)"
exit 1
fi
if [ -r "$REMOVED_KEYS" ]; then
# remove no-longer supported/used keys
- get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do
+ get_fingerprints_of_keyring "$(dearmor_filename "$REMOVED_KEYS")" | while read key; do
foreach_keyring_do 'remove_key_from_keyring' "$key"
done
else
- echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable"
+ apt_warn "Removed keys keyring '$REMOVED_KEYS' missing or not readable"
fi
}
return
fi
- for KEY in "$@"; do
- local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst"
- get_fingerprints_of_keyring "$KEYRINGFILE" > "$FINGERPRINTS"
+ local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst"
+ local DEARMOR="$(dearmor_filename "$KEYRINGFILE")"
+ get_fingerprints_of_keyring "$DEARMOR" > "$FINGERPRINTS"
+ for KEY in "$@"; do
# strip leading 0x, if present:
KEY="$(echo "${KEY#0x}" | tr -d ' ')"
continue
fi
if [ ! -w "$KEYRINGFILE" ]; then
- echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
+ apt_warn "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
continue
fi
# check if it is the only key in the keyring and if so remove the keyring altogether
fi
# we can't just modify pointed to files as these might be in /usr or something
local REALTARGET
- if [ -L "$KEYRINGFILE" ]; then
- REALTARGET="$(readlink -f "$KEYRINGFILE")"
- mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp"
- cp -a "$REALTARGET" "$KEYRINGFILE"
+ if [ -L "$DEARMOR" ]; then
+ REALTARGET="$(readlink -f "$DEARMOR")"
+ mv -f "$DEARMOR" "${DEARMOR}.dpkg-tmp"
+ cp -a "$REALTARGET" "$DEARMOR"
fi
# delete the key from the keyring
- aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch --delete-keys --yes "$KEY"
+ aptkey_execute "$GPG_SH" --keyring "$DEARMOR" --batch --delete-keys --yes "$KEY"
if [ -n "$REALTARGET" ]; then
# the real backup is the old link, not the copy we made
- mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~"
+ mv -f "${DEARMOR}.dpkg-tmp" "${DEARMOR}~"
fi
+ if [ "$DEARMOR" != "$KEYRINGFILE" ]; then
+ mv -f "$KEYRINGFILE" "${KEYRINGFILE}~"
+ create_new_keyring "$KEYRINGFILE"
+ aptkey_execute "$GPG_SH" --keyring "$DEARMOR" --armor --export > "$KEYRINGFILE"
+ fi
+ get_fingerprints_of_keyring "$DEARMOR" > "$FINGERPRINTS"
done
}
if test -r "$1"; then
return 0
fi
- warn "The key(s) in the keyring $1 are ignored as the file is not readable by user '$USER' executing apt-key."
+ apt_warn "The key(s) in the keyring $1 are ignored as the file is not readable by user '$USER' executing apt-key."
return 1
}
shift
# if a --keyring was given, just work on this one
if [ -n "$FORCED_KEYRING" ]; then
- $ACTION "$FORCED_KEYRING" "$@"
+ $ACTION "$TRUSTEDFILE" "$@"
else
# otherwise all known keyrings are up for inspection
if accessible_file_exists "$TRUSTEDFILE"; then
eval "$(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)"
if [ -d "$TRUSTEDPARTS" ]; then
TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")"
- local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg')"
+ local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 \( -name '*.gpg' -o -name '*.asc' \))"
for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do
if accessible_file_exists "$trusted"; then
$ACTION "$trusted" "$@"
fi
}
-run_cmd_on_keyring() {
+list_keys_in_keyring() {
local KEYRINGFILE="$1"
shift
# fingerprint and co will fail if key isn't in this keyring
- aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true
+ aptkey_execute "$GPG_SH" --keyring "$(dearmor_filename "$KEYRINGFILE")" "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2> "${GPGHOMEDIR}/gpgoutput.err" || true
+ if [ ! -s "${GPGHOMEDIR}/gpgoutput.log" ]; then
+ return
+ fi
+ # we fake gpg header here to refer to the real asc file rather than a temp file
+ if [ "${KEYRINGFILE##*.}" = 'asc' ]; then
+ if expr match "$(sed -n '2p' "${GPGHOMEDIR}/gpgoutput.log")" '^-\+$' >/dev/null 2>&1; then
+ echo "$KEYRINGFILE"
+ echo "$KEYRINGFILE" | sed 's#[^-]#-#g'
+ sed '1,2d' "${GPGHOMEDIR}/gpgoutput.log" || true
+ else
+ cat "${GPGHOMEDIR}/gpgoutput.log"
+ fi
+ else
+ cat "${GPGHOMEDIR}/gpgoutput.log"
+ fi
+ if [ -s "${GPGHOMEDIR}/gpgoutput.err" ]; then
+ cat >&2 "${GPGHOMEDIR}/gpgoutput.err"
+ fi
+}
+
+export_key_from_to() {
+ local FROM="$1"
+ local TO="$2"
+ shift 2
+ if ! aptkey_execute "$GPG_SH" --keyring "$(dearmor_filename "$FROM")" --export "$@" > "$TO" 2> "${GPGHOMEDIR}/gpgoutput.log"; then
+ cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
+ false
+ else
+ chmod 0644 -- "$TO"
+ fi
}
import_keyring_into_keyring() {
if [ ! -s "$TO" ]; then
if [ -s "$FROM" ]; then
if [ -z "$2" ]; then
- if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${1:+"$1"} > "$TO" 2> "${GPGHOMEDIR}/gpgoutput.log"; then
- cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
- false
- else
- chmod 0644 -- "$TO"
+ local OPTS
+ if [ "${TO##*.}" = 'asc' ]; then
+ OPTS='--armor'
fi
+ export_key_from_to "$(dearmor_filename "$FROM")" "$TO" $OPTS ${1:+"$1"}
else
create_new_keyring "$TO"
fi
elif [ -s "$FROM" ]; then
local EXPORTLIMIT="$1"
if [ -n "$1$2" ]; then shift; fi
- if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${EXPORTLIMIT:+"$EXPORTLIMIT"} \
- | aptkey_execute "$GPG_SH" --keyring "$TO" --batch --import "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
+ local DEARMORTO="$(dearmor_filename "$TO")"
+ if ! aptkey_execute "$GPG_SH" --keyring "$(dearmor_filename "$FROM")" --export ${EXPORTLIMIT:+"$EXPORTLIMIT"} \
+ | aptkey_execute "$GPG_SH" --keyring "$DEARMORTO" --batch --import "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
false
fi
+ if [ "$DEARMORTO" != "$TO" ]; then
+ export_key_from_to "$DEARMORTO" "${DEARMORTO}.asc" --armor
+ if ! cmp -s "$TO" "${DEARMORTO}.asc" 2>/dev/null; then
+ cp -a "$TO" "${TO}~"
+ mv -f "${DEARMORTO}.asc" "$TO"
+ fi
+ fi
fi
}
+dearmor_keyring() {
+ # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831409#67
+ # The awk script is more complex through to skip surrounding garbage and
+ # to support multiple keys in one file (old gpgs generate version headers
+ # which get printed with the original and hence result in garbage input for base64
+ awk '/^-----BEGIN/{ x = 1; }
+/^$/{ if (x == 1) { x = 2; }; }
+/^[^=-]/{ if (x == 2) { print $0; }; }
+/^-----END/{ x = 0; }' | base64 -d
+}
+dearmor_filename() {
+ if [ "${1##*.}" = 'asc' ]; then
+ local trusted="${GPGHOMEDIR}/${1##*/}.gpg"
+ if [ -s "$1" ]; then
+ dearmor_keyring < "$1" > "$trusted"
+ fi
+ echo "$trusted"
+ elif [ "${1##*.}" = 'gpg' ]; then
+ echo "$1"
+ elif [ "$(head -n 1 "$1" 2>/dev/null)" = '-----BEGIN PGP PUBLIC KEY BLOCK-----' ]; then
+ local trusted="${GPGHOMEDIR}/${1##*/}.gpg"
+ dearmor_keyring < "$1" > "$trusted"
+ echo "$trusted"
+ else
+ echo "$1"
+ fi
+}
catfile() {
- cat "$1" >> "$2"
+ cat "$(dearmor_filename "$1")" >> "$2"
}
merge_all_trusted_keyrings_into_pubring() {
merge_back_changes() {
if [ -n "$FORCED_KEYRING" ]; then
# if the keyring was forced merge is already done
+ if [ "$FORCED_KEYRING" != "$TRUSTEDFILE" ]; then
+ mv -f "$FORCED_KEYRING" "${FORCED_KEYRING}~"
+ export_key_from_to "$TRUSTEDFILE" "$FORCED_KEYRING" --armor
+ fi
return
fi
if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then
exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${GPGHOMEDIR}/pubring.gpg")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh"
GPG="${GPGHOMEDIR}/gpg.1.sh"
else
+ TRUSTEDFILE="$(dearmor_filename "$FORCED_KEYRING")"
create_new_keyring "$TRUSTEDFILE"
echo "#!/bin/sh
exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh"
create_new_keyring() {
# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
- if ! [ -e "$TRUSTEDFILE" ]; then
- if [ -w "$(dirname "$TRUSTEDFILE")" ]; then
- touch -- "$TRUSTEDFILE"
- chmod 0644 -- "$TRUSTEDFILE"
+ if ! [ -e "$1" ]; then
+ if [ -w "$(dirname "$1")" ]; then
+ touch -- "$1"
+ chmod 0644 -- "$1"
fi
fi
}
}
GPGSTATUSFD="$(find_gpgv_status_fd "$@")"
-warn() {
+apt_warn() {
if [ -z "$GPGHOMEDIR" ]; then
echo >&2 'W:' "$@"
else
echo >&${GPGSTATUSFD} '[APTKEY:] WARNING' "$@"
fi
}
+apt_error() {
+ if [ -z "$GPGHOMEDIR" ]; then
+ echo >&2 'E:' "$@"
+ else
+ echo 'E:' "$@" > "${GPGHOMEDIR}/aptwarnings.log"
+ fi
+ if [ -n "$GPGSTATUSFD" ]; then
+ echo >&${GPGSTATUSFD} '[APTKEY:] ERROR' "$@"
+ fi
+}
cleanup_gpg_home() {
if [ -z "$GPGHOMEDIR" ]; then return; fi
CURRENTTRAP="${CURRENTTRAP} cleanup_gpg_home;"
trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
if [ -z "$GPGHOMEDIR" ]; then
- echo "ERROR: Could not create temporary gpg home directory in apt-key ($TMPDIR)"
+ apt_error "Could not create temporary gpg home directory in $TMPDIR (wrong permissions?)"
exit 28
fi
chmod 700 "$GPGHOMEDIR"
elif command_available 'gpg1'; then
GPG_EXE="gpg1"
else
- echo >&2 "Error: gnupg, gnupg2 and gnupg1 do not seem to be installed,"
- echo >&2 "Error: but apt-key requires gnupg, gnupg2 or gnupg1 for this operation."
- echo >&2
+ apt_error 'gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation'
exit 255
fi
;;
list|finger*)
warn_on_script_usage
- foreach_keyring_do 'run_cmd_on_keyring' --fingerprint "$@"
+ foreach_keyring_do 'list_keys_in_keyring' --fingerprint "$@"
;;
export|exportall)
warn_on_script_usage
adv*)
warn_on_script_usage
setup_merged_keyring
- aptkey_echo "Executing: $GPG $*"
+ aptkey_echo "Executing: $GPG" "$@"
aptkey_execute "$GPG" "$@"
merge_back_changes
;;
elif command_available 'gpgv2'; then GPGV='gpgv2';
elif command_available 'gpgv1'; then GPGV='gpgv1';
else
- echo >&2 'ERROR: gpgv, gpgv2 or gpgv1 required for verification'
+ apt_error 'gpgv, gpgv2 or gpgv1 required for verification, but neither seems installed'
exit 29
fi
# for a forced keyid we need gpg --export, so full wrapping required
fi
setup_merged_keyring
if [ -n "$FORCED_KEYRING" ]; then
- "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${FORCED_KEYRING}" --ignore-time-conflict "$@"
+ "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
else
"$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
fi