X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/4730bca19d5cb04c3c1af5fcf58f0493e705b228..a0895a74fe95997a5d75e5b54c95afb9594554f6:/cmdline/apt-key diff --git a/cmdline/apt-key b/cmdline/apt-key index bf1a5fefb..5f4e02fdf 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -1,6 +1,7 @@ #!/bin/sh set -e +unset GREP_OPTIONS # We don't use a secret keyring, of course, but gpg panics and # implodes if there isn't one available @@ -86,19 +87,23 @@ update() { # add new keys from the package; # we do not use add_keys_with_verify_against_master_keyring here, - # because we "update" is run on regular package updates. A + # because "update" is run on regular package updates. A # attacker might as well replace the master-archive-keyring file # in the package and add his own keys. so this check wouldn't # add any security. we *need* this check on net-update though $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import - # remove no-longer supported/used keys - keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` - for key in $keys; do - if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then - $GPG --quiet --batch --delete-key --yes ${key} - fi - done + if [ -r "$REMOVED_KEYS" ]; then + # remove no-longer supported/used keys + keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` + for key in $keys; do + if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then + $GPG --quiet --batch --delete-key --yes ${key} + fi + done + else + echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2 + fi } @@ -114,6 +119,8 @@ usage() { echo " apt-key update - update keys using the keyring package" echo " apt-key net-update - update keys using the network" echo " apt-key list - list keys" + echo " apt-key finger - list fingerprints" + echo " apt-key adv - pass advanced options to gpg (download key)" echo }