X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/7db98ffceda347f0bc457c6bdc4ff33d60e26b18..77e53c8c64ff840cd7780816fc591cf0fa9ba095:/cmdline/apt-key diff --git a/cmdline/apt-key b/cmdline/apt-key old mode 100644 new mode 100755 index 583cde191..e2dbd8af7 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -2,6 +2,76 @@ set -e +# We don't use a secret keyring, of course, but gpg panics and +# implodes if there isn't one available + +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg" +GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg" + + +MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg +ARCHIVE_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg +REMOVED_KEYS=/usr/share/keyrings/ubuntu-archive-removed-keys.gpg + +add_keys_with_verify_against_master_keyring() { + ADD_KEYRING=$1 + MASTER=$2 + + if [ ! -f "$ADD_KEYRING" ]; then + echo "ERROR: '$ADD_KEYRING' not found" + return + fi + if [ ! -f "$MASTER" ]; then + echo "ERROR: '$MASTER' not found" + return + fi + + # when adding new keys, make sure that the archive-master-keyring + # is honored. so: + # all keys that are exported and have the name + # "Ubuntu Archive Automatic Signing Key" must have a valid signature + # from a key in the ubuntu-master-keyring + add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + for add_key in $add_keys; do + ADDED=0 + for master_key in $master_keys; do + if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import + ADDED=1 + fi + done + if [ $ADDED = 0 ]; then + echo >&2 "Key '$add_key' not added. It is not signed with a master key" + fi + done +} + +update() { + if [ ! -f $ARCHIVE_KEYRING ]; then + echo >&2 "ERROR: Can't find the archive-keyring" + echo >&2 "Is the ubuntu-keyring package installed?" + exit 1 + fi + + # add new keys, if no MASTER_KEYRING is used, use the traditional + # way + if [ -z "$MASTER_KEYRING" ]; then + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import + else + add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING + fi + + # remove no-longer supported/used keys + keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` + for key in $keys; do + if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then + $GPG --quiet --batch --delete-key --yes ${key} + fi + done +} + + usage() { echo "Usage: apt-key [command] [arguments]" echo @@ -9,6 +79,9 @@ usage() { echo echo " apt-key add - add the key contained in ('-' for stdin)" echo " apt-key del - remove the key " + echo " apt-key export - output the key " + echo " apt-key exportall - output all trusted keys" + echo " apt-key update - update keys using the keyring package" echo " apt-key list - list keys" echo } @@ -26,11 +99,6 @@ if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then echo >&2 fi -# We don't use a secret keyring, of course, but gpg panics and -# implodes if there isn't one available - -GPG="gpg --no-options --no-default-keyring --keyring /etc/apt/trusted.gpg --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg" - case "$command" in add) $GPG --quiet --batch --import "$1" @@ -40,12 +108,21 @@ case "$command" in $GPG --quiet --batch --delete-key --yes "$1" echo "OK" ;; + update) + update + ;; list) $GPG --batch --list-keys ;; finger*) $GPG --batch --fingerprint ;; + export) + $GPG --armor --export "$1" + ;; + exportall) + $GPG --armor --export + ;; adv*) echo "Executing: $GPG $*" $GPG $*