X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/803491dc568d2994745c3c4359f68053f7261658..ae2a6be8a2155c136f9535abfbcc750c8c395cd2:/cmdline/apt-key.in diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index 80eee6265..7c12c72a3 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -23,6 +23,7 @@ requires_root() { } command_available() { + if [ -x "$1" ]; then return 0; fi # command -v "$1" >/dev/null 2>&1 # not required by policy, see #747320 # which "$1" >/dev/null 2>&1 # is in debianutils (essential) but not on non-debian systems local OLDIFS="$IFS" @@ -191,6 +192,10 @@ remove_key_from_keyring() { for KEY in "$@"; do local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst" get_fingerprints_of_keyring "$KEYRINGFILE" > "$FINGERPRINTS" + + # strip leading 0x, if present: + KEY="${KEY#0x}" + # check if the key is in this keyring if ! grep -iq "^[0-9A-F]*${KEY}$" "$FINGERPRINTS"; then continue @@ -234,12 +239,9 @@ foreach_keyring_do() { local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" eval "$(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)" if [ -d "$TRUSTEDPARTS" ]; then - # strip / suffix as gpg will double-slash in that case (#665411) - local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" - if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then - TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" - fi - for trusted in $(find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -regex '^.*\.gpg$' | sort); do + TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")" + local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg')" + for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do if [ -s "$trusted" ]; then $ACTION "$trusted" "$@" fi @@ -297,7 +299,7 @@ merge_all_trusted_keyrings_into_pubring() { # does the same as: # foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg" # but without using gpg, just cat and find - local PUBRING="${GPGHOMEDIR}/pubring.gpg" + local PUBRING="$(readlink -f "${GPGHOMEDIR}/pubring.gpg")" # if a --keyring was given, just use this one if [ -n "$FORCED_KEYRING" ]; then if [ -s "$FORCED_KEYRING" ]; then @@ -308,13 +310,12 @@ merge_all_trusted_keyrings_into_pubring() { local TRUSTEDPARTS="/etc/apt/trusted.gpg.d" eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) if [ -d "$TRUSTEDPARTS" ]; then - # ignore errors mostly for non-existing $TRUSTEDFILE - { - cat "$TRUSTEDFILE" || true - for parts in $(find -L "$TRUSTEDPARTS" -type f -name '*.gpg'); do - cat "$parts" || true - done - } > "$PUBRING" 2>/dev/null + rm -f "$PUBRING" + if [ -s "$TRUSTEDFILE" ]; then + cat "$TRUSTEDFILE" > "$PUBRING" + fi + TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")" + (cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg' -exec cat {} + >> "$PUBRING";) elif [ -s "$TRUSTEDFILE" ]; then cp --dereference "$TRUSTEDFILE" "$PUBRING" fi @@ -489,8 +490,21 @@ create_gpg_home() { } prepare_gpg_home() { + # crude detection if we are called from a maintainerscript where the + # package depends on gnupg or not. We accept recommends here as + # well as the script hopefully uses apt-key optionally then like e.g. + # debian-archive-keyring for (upgrade) cleanup did + if [ -n "$DPKG_MAINTSCRIPT_PACKAGE" ]; then + if ! dpkg-query --show --showformat '${Pre-Depends}${Depends}${Recommends}\n' "$DPKG_MAINTSCRIPT_PACKAGE" 2>/dev/null | grep -q gnupg; then + cat >&2 <