]> git.saurik.com Git - apt.git/commitdiff
add apt-key support for armored GPG key files (*.asc)
authorDavid Kalnischkies <david@kalnischkies.de>
Sun, 13 Nov 2016 19:52:18 +0000 (20:52 +0100)
committerDavid Kalnischkies <david@kalnischkies.de>
Thu, 24 Nov 2016 23:15:12 +0000 (00:15 +0100)
Having binary files in /etc is kinda annoying – not that the armored
files are much better – but it is hard to keep tabs on which format the
file has ("simple" or "keybox") and different gnupg versions have
different default binary formats which can be confusing for users to
work with (beside that it is binary).

Adding support for this now will enable us in some distant future to
move to armored later on, much like we added trusted.gpg.d years before
the world picked it up.

cmdline/apt-key.in
test/integration/test-apt-key

index 5e8332bcbf028170c0ec37e75ad522735f486d3a..c9ff4b3f44c4277bcdb0c247d71021510c905fb1 100644 (file)
@@ -179,7 +179,7 @@ update() {
 
     if [ -r "$REMOVED_KEYS" ]; then
        # remove no-longer supported/used keys
-       get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do
+       get_fingerprints_of_keyring "$(dearmor_filename "$REMOVED_KEYS")" | while read key; do
            foreach_keyring_do 'remove_key_from_keyring' "$key"
        done
     else
@@ -195,10 +195,11 @@ remove_key_from_keyring() {
        return
     fi
 
-    for KEY in "$@"; do
-       local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst"
-       get_fingerprints_of_keyring "$KEYRINGFILE" > "$FINGERPRINTS"
+    local FINGERPRINTS="${GPGHOMEDIR}/keyringfile.keylst"
+    local DEARMOR="$(dearmor_filename "$KEYRINGFILE")"
+    get_fingerprints_of_keyring "$DEARMOR" > "$FINGERPRINTS"
 
+    for KEY in "$@"; do
        # strip leading 0x, if present:
        KEY="$(echo "${KEY#0x}" | tr -d ' ')"
 
@@ -207,7 +208,7 @@ remove_key_from_keyring() {
            continue
        fi
        if [ ! -w "$KEYRINGFILE" ]; then
-           echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
+           apt_warn "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
            continue
        fi
        # check if it is the only key in the keyring and if so remove the keyring altogether
@@ -217,17 +218,23 @@ remove_key_from_keyring() {
        fi
        # we can't just modify pointed to files as these might be in /usr or something
        local REALTARGET
-       if [ -L "$KEYRINGFILE" ]; then
-           REALTARGET="$(readlink -f "$KEYRINGFILE")"
-           mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp"
-           cp -a "$REALTARGET" "$KEYRINGFILE"
+       if [ -L "$DEARMOR" ]; then
+           REALTARGET="$(readlink -f "$DEARMOR")"
+           mv -f "$DEARMOR" "${DEARMOR}.dpkg-tmp"
+           cp -a "$REALTARGET" "$DEARMOR"
        fi
        # delete the key from the keyring
-       aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch --delete-keys --yes "$KEY"
+       aptkey_execute "$GPG_SH" --keyring "$DEARMOR" --batch --delete-keys --yes "$KEY"
        if [ -n "$REALTARGET" ]; then
            # the real backup is the old link, not the copy we made
-           mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~"
+           mv -f "${DEARMOR}.dpkg-tmp" "${DEARMOR}~"
+       fi
+       if [ "$DEARMOR" != "$KEYRINGFILE" ]; then
+           mv -f "$KEYRINGFILE" "${KEYRINGFILE}~"
+           create_new_keyring "$KEYRINGFILE"
+           aptkey_execute "$GPG_SH" --keyring "$DEARMOR" --armor --export > "$KEYRINGFILE"
        fi
+       get_fingerprints_of_keyring "$DEARMOR" > "$FINGERPRINTS"
     done
 }
 
@@ -247,7 +254,7 @@ foreach_keyring_do() {
    shift
    # if a --keyring was given, just work on this one
    if [ -n "$FORCED_KEYRING" ]; then
-       $ACTION "$FORCED_KEYRING" "$@"
+       $ACTION "$TRUSTEDFILE" "$@"
    else
        # otherwise all known keyrings are up for inspection
        if accessible_file_exists "$TRUSTEDFILE"; then
@@ -257,7 +264,7 @@ foreach_keyring_do() {
        eval "$(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)"
        if [ -d "$TRUSTEDPARTS" ]; then
            TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")"
-           local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 -name '*.gpg')"
+           local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 \( -name '*.gpg' -o -name '*.asc' \))"
            for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do
                if accessible_file_exists "$trusted"; then
                    $ACTION "$trusted" "$@"
@@ -267,11 +274,41 @@ foreach_keyring_do() {
    fi
 }
 
-run_cmd_on_keyring() {
+list_keys_in_keyring() {
     local KEYRINGFILE="$1"
     shift
     # fingerprint and co will fail if key isn't in this keyring
-    aptkey_execute "$GPG_SH" --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true
+    aptkey_execute "$GPG_SH" --keyring "$(dearmor_filename "$KEYRINGFILE")" "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2> "${GPGHOMEDIR}/gpgoutput.err" || true
+    if [ ! -s "${GPGHOMEDIR}/gpgoutput.log" ]; then
+       return
+    fi
+    # we fake gpg header here to refer to the real asc file rather than a temp file
+    if [ "${KEYRINGFILE##*.}" = 'asc' ]; then
+       if expr match "$(sed -n '2p' "${GPGHOMEDIR}/gpgoutput.log")" '^-\+$' >/dev/null 2>&1; then
+           echo "$KEYRINGFILE"
+           echo "$KEYRINGFILE" | sed 's#[^-]#-#g'
+           sed '1,2d' "${GPGHOMEDIR}/gpgoutput.log" || true
+       else
+           cat "${GPGHOMEDIR}/gpgoutput.log"
+       fi
+    else
+       cat "${GPGHOMEDIR}/gpgoutput.log"
+    fi
+    if [ -s "${GPGHOMEDIR}/gpgoutput.err" ]; then
+       cat >&2 "${GPGHOMEDIR}/gpgoutput.err"
+    fi
+}
+
+export_key_from_to() {
+    local FROM="$1"
+    local TO="$2"
+    shift 2
+    if ! aptkey_execute "$GPG_SH" --keyring "$(dearmor_filename "$FROM")" --export "$@" > "$TO" 2> "${GPGHOMEDIR}/gpgoutput.log"; then
+       cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
+       false
+    else
+       chmod 0644 -- "$TO"
+    fi
 }
 
 import_keyring_into_keyring() {
@@ -289,12 +326,11 @@ import_keyring_into_keyring() {
     if [ ! -s "$TO" ]; then
        if [ -s "$FROM" ]; then
            if [ -z "$2" ]; then
-               if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${1:+"$1"} > "$TO" 2> "${GPGHOMEDIR}/gpgoutput.log"; then
-                   cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
-                   false
-               else
-                   chmod 0644 -- "$TO"
+               local OPTS
+               if [ "${TO##*.}" = 'asc' ]; then
+                   OPTS='--armor'
                fi
+               export_key_from_to "$(dearmor_filename "$FROM")" "$TO" $OPTS ${1:+"$1"}
            else
                create_new_keyring "$TO"
            fi
@@ -304,16 +340,51 @@ import_keyring_into_keyring() {
     elif [ -s "$FROM" ]; then
        local EXPORTLIMIT="$1"
        if [ -n "$1$2" ]; then shift; fi
-       if ! aptkey_execute "$GPG_SH" --keyring "$FROM" --export ${EXPORTLIMIT:+"$EXPORTLIMIT"} \
-          | aptkey_execute "$GPG_SH" --keyring "$TO" --batch --import "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
+       local DEARMORTO="$(dearmor_filename "$TO")"
+       if ! aptkey_execute "$GPG_SH" --keyring "$(dearmor_filename "$FROM")" --export ${EXPORTLIMIT:+"$EXPORTLIMIT"} \
+          | aptkey_execute "$GPG_SH" --keyring "$DEARMORTO" --batch --import "$@" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
            cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
            false
        fi
+       if [ "$DEARMORTO" != "$TO" ]; then
+           export_key_from_to "$DEARMORTO" "${DEARMORTO}.asc" --armor
+           if ! cmp -s "$TO" "${DEARMORTO}.asc" 2>/dev/null; then
+               cp -a "$TO" "${TO}~"
+               mv -f "${DEARMORTO}.asc" "$TO"
+           fi
+       fi
     fi
 }
 
+dearmor_keyring() {
+    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831409#67
+    # The awk script is more complex through to skip surrounding garbage and
+    # to support multiple keys in one file (old gpgs generate version headers
+    # which get printed with the original and hence result in garbage input for base64
+    awk '/^-----BEGIN/{ x = 1; }
+/^$/{ if (x == 1) { x = 2; }; }
+/^[^=-]/{ if (x == 2) { print $0; }; }
+/^-----END/{ x = 0; }' | base64 -d
+}
+dearmor_filename() {
+    if [ "${1##*.}" = 'asc' ]; then
+       local trusted="${GPGHOMEDIR}/${1##*/}.gpg"
+       if [ -s "$1" ]; then
+           dearmor_keyring < "$1" > "$trusted"
+       fi
+       echo "$trusted"
+    elif [ "${1##*.}" = 'gpg' ]; then
+       echo "$1"
+    elif [ "$(head -n 1 "$1" 2>/dev/null)" = '-----BEGIN PGP PUBLIC KEY BLOCK-----' ]; then
+       local trusted="${GPGHOMEDIR}/${1##*/}.gpg"
+       dearmor_keyring < "$1" > "$trusted"
+       echo "$trusted"
+    else
+       echo "$1"
+    fi
+}
 catfile() {
-   cat "$1" >> "$2"
+    cat "$(dearmor_filename "$1")" >> "$2"
 }
 
 merge_all_trusted_keyrings_into_pubring() {
@@ -337,6 +408,10 @@ merge_keys_into_keyrings() {
 merge_back_changes() {
     if [ -n "$FORCED_KEYRING" ]; then
        # if the keyring was forced merge is already done
+       if [ "$FORCED_KEYRING" != "$TRUSTEDFILE" ]; then
+           mv -f "$FORCED_KEYRING" "${FORCED_KEYRING}~"
+           export_key_from_to "$TRUSTEDFILE" "$FORCED_KEYRING" --armor
+       fi
        return
     fi
     if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then
@@ -380,6 +455,7 @@ exec sh '($(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")'
 exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${GPGHOMEDIR}/pubring.gpg")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh"
        GPG="${GPGHOMEDIR}/gpg.1.sh"
     else
+       TRUSTEDFILE="$(dearmor_filename "$FORCED_KEYRING")"
        create_new_keyring "$TRUSTEDFILE"
        echo "#!/bin/sh
 exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")' \"\$@\"" > "${GPGHOMEDIR}/gpg.1.sh"
@@ -389,10 +465,10 @@ exec sh '$(escape_shell "${GPG}")' --keyring '$(escape_shell "${TRUSTEDFILE}")'
 
 create_new_keyring() {
     # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
-    if ! [ -e "$TRUSTEDFILE" ]; then
-       if [ -w "$(dirname "$TRUSTEDFILE")" ]; then
-           touch -- "$TRUSTEDFILE"
-           chmod 0644 -- "$TRUSTEDFILE"
+    if ! [ -e "$1" ]; then
+       if [ -w "$(dirname "$1")" ]; then
+           touch -- "$1"
+           chmod 0644 -- "$1"
        fi
     fi
 }
@@ -648,7 +724,7 @@ case "$command" in
        ;;
     list|finger*)
        warn_on_script_usage
-       foreach_keyring_do 'run_cmd_on_keyring' --fingerprint "$@"
+       foreach_keyring_do 'list_keys_in_keyring' --fingerprint "$@"
        ;;
     export|exportall)
        warn_on_script_usage
@@ -658,7 +734,7 @@ case "$command" in
     adv*)
        warn_on_script_usage
        setup_merged_keyring
-       aptkey_echo "Executing: $GPG $*"
+       aptkey_echo "Executing: $GPG" "$@"
        aptkey_execute "$GPG" "$@"
        merge_back_changes
        ;;
@@ -681,7 +757,7 @@ case "$command" in
        fi
        setup_merged_keyring
        if [ -n "$FORCED_KEYRING" ]; then
-           "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${FORCED_KEYRING}" --ignore-time-conflict "$@"
+           "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "$(dearmor_filename "${FORCED_KEYRING}")" --ignore-time-conflict "$@"
        else
            "$GPGV" --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
        fi
index 96cfe41fa62c1686c0374695fdbc2f3b74dca391..4fd1510a21ff7e937d21bd72a192113b6a179085 100755 (executable)
@@ -24,13 +24,23 @@ testmultigpg() {
        testsuccess grep "^gpgv: Can't check signature" "${ROOTDIR}/tmp/testfailure.output"
        testsuccess grep '^gpgv: Good signature from' "${ROOTDIR}/tmp/testfailure.output"
 }
+testaptkeyskeyring() {
+       local KEYRING="$1"
+       shift
+       local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/aptkeylistkeyring.output"
+       if ! aptkey --keyring "$KEYRING" list --with-colon | grep '^pub' | cut -d':' -f 5 > "$OUTPUT"; then
+               echo -n > "$OUTPUT"
+       fi
+       testfileequal "$OUTPUT" "$(mapkeynametokeyid "$@")"
+}
 
 testrun() {
-       echo "APT::Key::ArchiveKeyring \"${KEYDIR}/joesixpack.pub\";
-APT::Key::RemovedKeys \"${KEYDIR}/rexexpired.pub\";" > "${ROOTDIR}/etc/apt/apt.conf.d/aptkey.conf"
+       local EXT="${1:-gpg}"
+       echo "APT::Key::ArchiveKeyring \"${KEYDIR}/joesixpack.pub.gpg\";
+APT::Key::RemovedKeys \"${KEYDIR}/rexexpired.pub.gpg\";" > "${ROOTDIR}/etc/apt/apt.conf.d/aptkey.conf"
 
        cleanplate
-       ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
+       ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
        testaptkeys 'Joe Sixpack'
 
        testsuccess aptkey list
@@ -41,23 +51,26 @@ APT::Key::RemovedKeys \"${KEYDIR}/rexexpired.pub\";" > "${ROOTDIR}/etc/apt/apt.c
        msgtest 'Check that paths in finger output are not' 'double-slashed'
        testfailure --nomsg grep '//' "${ROOTDIR}/tmp/testsuccess.output"
 
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${KEYDIR}/joesixpack.pub.${EXT}.bak"
        testequalor2 'gpg: key DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1' 'gpg: key 5A90D141DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) <joe@example.org>" not changed
 gpg: Total number processed: 1
 gpg:              unchanged: 1' aptkey --fakeroot update
+       testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${KEYDIR}/joesixpack.pub.${EXT}.bak"
 
        testaptkeys 'Joe Sixpack'
        testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg"
 
-       testsuccess aptkey --fakeroot add "${KEYDIR}/rexexpired.pub"
+       testsuccess aptkey --fakeroot add "${KEYDIR}/rexexpired.pub.${EXT}"
        testfilestats "${ROOTDIR}/etc/apt/trusted.gpg" '%a' '=' '644'
 
        testaptkeys 'Rex Expired' 'Joe Sixpack'
 
        msgtest 'Check that Sixpack key can be' 'exported'
        aptkey export 'Sixpack' > "${TMPWORKINGDIRECTORY}/aptkey.export"
-       aptkey --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg" exportall > "${TMPWORKINGDIRECTORY}/aptkey.exportall"
+       aptkey --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}" exportall > "${TMPWORKINGDIRECTORY}/aptkey.exportall"
        testsuccess --nomsg cmp "${TMPWORKINGDIRECTORY}/aptkey.export" "${TMPWORKINGDIRECTORY}/aptkey.exportall"
        testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.export"
        testsuccess test -s "${TMPWORKINGDIRECTORY}/aptkey.exportall"
@@ -75,116 +88,130 @@ gpg:              unchanged: 1' aptkey --fakeroot update
        testsuccess aptkey --fakeroot del DBAC8DAE
        testempty aptkey list
 
+       ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testaptkeys 'Joe Sixpack'
+       msgtest "Remove a key from" 'forced keyring in trusted.d.gpg'
+       testsuccess --nomsg aptkey --fakeroot --keyring "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}" del DBAC8DAE
+       testsuccess cmp -s "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
+       testempty aptkey list
+
+       cp -a "${KEYDIR}/marvinparanoid.pub.asc" "${ROOTDIR}/etc/foobar.pub"
+       testsuccess aptkey --fakeroot --keyring "${ROOTDIR}/etc/foobar.pub" add "${KEYDIR}/rexexpired.pub.asc" "${KEYDIR}/joesixpack.pub.gpg"
+       testfilestats "${ROOTDIR}/etc/foobar.pub" '%a' '=' '644'
+       testaptkeyskeyring "${ROOTDIR}/etc/foobar.pub" 'Marvin Paranoid' 'Rex Expired' 'Joe Sixpack'
+       testempty aptkey list
+
        msgtest 'Test key removal with' 'lowercase key ID' #keylength somewhere between 8byte and short
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del d141dbac8dae
        testempty aptkey list
 
        if [ "$(id -u)" != '0' ]; then
                msgtest 'Test key removal with' 'unreadable key'
                cleanplate
-               cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-               echo 'foobar' > "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
-               chmod 000 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
+               cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+               echo 'foobar' > "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
+               chmod 000 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
                testwarning --nomsg aptkey --fakeroot del d141dbac8dae
                testwarning aptkey list
-               chmod 644 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
-               rm -f "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
+               chmod 644 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
+               rm -f "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
                grep -v '^W: ' "${ROOTDIR}/tmp/testwarning.output" > "${ROOTDIR}/aptkeylist.output" || true
                testempty cat "${ROOTDIR}/aptkeylist.output"
        fi
 
        msgtest 'Test key removal with' 'single key in real file'
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
        testempty aptkey list
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
        msgtest 'Test key removal with' 'different key specs'
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       cp -a "${KEYDIR}/marvinparanoid.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       cp -a "${KEYDIR}/marvinparanoid.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del 0xDBAC8DAE 528144E2
        testempty aptkey list
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.gpg"
-       testsuccess cmp "${KEYDIR}/marvinparanoid.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.gpg~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.${EXT}"
+       testsuccess cmp "${KEYDIR}/marvinparanoid.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/marvinparanoid.${EXT}~"
 
        msgtest 'Test key removal with' 'long key ID'
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
        testempty aptkey list
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
        msgtest 'Test key removal with' 'fingerprint'
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE
        testempty aptkey list
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
        msgtest 'Test key removal with' 'spaced fingerprint'
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del '34A8 E9D1 8DB3 20F3 67E8 EAA0 5A90 D141 DBAC 8DAE'
        testempty aptkey list
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
        msgtest 'Test key removal with' 'single key in softlink'
        cleanplate
-       ln -s "$(readlink -f "${KEYDIR}/joesixpack.pub")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
+       ln -sf "$(readlink -f "${KEYDIR}/joesixpack.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
        testempty aptkey list
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
 
        cleanplate
-       testsuccess aptkey --fakeroot add "${KEYDIR}/joesixpack.pub"
-       ln -sf "$(readlink -f "${KEYDIR}/marvinparanoid.pub")" "${KEYDIR}/marvin paránöid.pub"
-       testsuccess aptkey --fakeroot add "${KEYDIR}/marvin paránöid.pub"
+       testsuccess aptkey --fakeroot add "${KEYDIR}/joesixpack.pub.${EXT}"
+       ln -sf "$(readlink -f "${KEYDIR}/marvinparanoid.pub.${EXT}")" "${KEYDIR}/marvin paránöid.pub.${EXT}"
+       testsuccess aptkey --fakeroot add "${KEYDIR}/marvin paránöid.pub.${EXT}"
        testaptkeys 'Joe Sixpack' 'Marvin Paranoid'
-       cp -a "${ROOTDIR}/etc/apt/trusted.gpg" "${KEYDIR}/testcase-multikey.pub" # store for reuse
+       cp -a "${ROOTDIR}/etc/apt/trusted.gpg" "${KEYDIR}/testcase-multikey.pub.gpg" # store for reuse
+       gpg --no-default-keyring --keyring "${KEYDIR}/testcase-multikey.pub.gpg" --armor --export > "${KEYDIR}/testcase-multikey.pub.asc"
 
        msgtest 'Test key removal with' 'multi key in real file'
        cleanplate
-       cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
+       cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
        testaptkeys 'Marvin Paranoid'
-       testsuccess cmp "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"
+       testsuccess cmp "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
 
        msgtest 'Test key removal with' 'multi key in softlink'
        cleanplate
-       ln -s "$(readlink -f "${KEYDIR}/testcase-multikey.pub")" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
+       ln -s "$(readlink -f "${KEYDIR}/testcase-multikey.pub.${EXT}")" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
        testaptkeys 'Marvin Paranoid'
-       testsuccess cmp "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"
-       testfailure test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
-       testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"
+       testsuccess cmp "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
+       testfailure test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
+       testsuccess test -L "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
 
        msgtest 'Test key removal with' 'multiple files including key'
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
        testsuccess --nomsg aptkey --fakeroot del DBAC8DAE
        testaptkeys 'Marvin Paranoid'
-       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       testsuccess cmp "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg~"
-       testsuccess cmp "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg~"
+       testfailure test -e "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       testsuccess cmp "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}~"
+       testsuccess cmp "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}~"
 
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
        testaptkeys 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
        msgtest 'Test merge-back of' 'added keys'
-       testsuccess --nomsg aptkey adv --batch --yes --import "${KEYDIR}/rexexpired.pub"
+       testsuccess --nomsg aptkey adv --batch --yes --import "${KEYDIR}/rexexpired.pub.${EXT}"
        testaptkeys 'Rex Expired' 'Joe Sixpack' 'Joe Sixpack' 'Marvin Paranoid'
 
        msgtest 'Test merge-back of' 'removed keys'
@@ -196,18 +223,18 @@ gpg:              unchanged: 1' aptkey --fakeroot update
        testaptkeys 'Marvin Paranoid'
 
        cleanplate
-       cp -a "${KEYDIR}/joesixpack.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.gpg"
-       cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
+       cp -a "${KEYDIR}/joesixpack.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/joesixpack.${EXT}"
+       cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
        local SIGNATURE="${TMPWORKINGDIRECTORY}/signature"
        msgtest 'Test signing a file' 'with a key'
        echo 'Verify me. This is my signature.' > "$SIGNATURE"
        echo 'lalalalala' > "${SIGNATURE}2"
-       testsuccess --nomsg aptkey --quiet --keyring "${KEYDIR}/marvinparanoid.pub" --secret-keyring "${KEYDIR}/marvinparanoid.sec" --readonly \
+       testsuccess --nomsg aptkey --quiet --keyring "${KEYDIR}/marvinparanoid.pub.gpg" --secret-keyring "${KEYDIR}/marvinparanoid.sec" --readonly \
                adv --batch --yes --default-key 'Marvin' --armor --detach-sign --sign --output "${SIGNATURE}.gpg" "${SIGNATURE}"
        testsuccess test -s "${SIGNATURE}.gpg" -a -s "${SIGNATURE}"
 
        msgtest 'Test verify a file' 'with no sig'
-       testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub" verify "${SIGNATURE}" "${SIGNATURE}2"
+       testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub.${EXT}" verify "${SIGNATURE}" "${SIGNATURE}2"
 
        for GPGV in '' 'gpgv' 'gpgv1' 'gpgv2'; do
                echo "APT::Key::GPGVCommand \"$GPGV\";" > "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"
@@ -218,23 +245,23 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
                if [ "$(id -u)" != '0' ]; then
                        msgtest 'Test verify a file' 'with unreadable key'
-                       echo 'foobar' > "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
-                       chmod 000 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
+                       echo 'foobar' > "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
+                       chmod 000 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
                        testwarning --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
                        testwarning aptkey list
-                       chmod 644 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
-                       rm -f "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.gpg"
+                       chmod 644 "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
+                       rm -f "${ROOTDIR}/etc/apt/trusted.gpg.d/unreadablekey.${EXT}"
                fi
 
                msgtest 'Test verify a file' 'with good keyring'
-               testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+               testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
                msgtest 'Test fail verify a file' 'with bad keyring'
-               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/joesixpack.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/joesixpack.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
                msgtest 'Test fail verify a file' 'with non-existing keyring'
-               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/does-not-exist.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
-               testfailure test -e "${KEYDIR}/does-not-exist.pub"
+               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/does-not-exist.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+               testfailure test -e "${KEYDIR}/does-not-exist.pub.${EXT}"
 
                # note: this isn't how apts gpgv method implements keyid for verify
                msgtest 'Test verify a file' 'with good keyid'
@@ -252,15 +279,16 @@ gpg:              unchanged: 1' aptkey --fakeroot update
        rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgvcmd"
 
        msgtest 'Test verify a file' 'with good keyring'
-       testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+       testsuccess --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/testcase-multikey.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
        cleanplate
-       cat "${KEYDIR}/joesixpack.pub" "${KEYDIR}/marvinparanoid.pub" > "${KEYDIR}/double.pub"
+       cat "${KEYDIR}/joesixpack.pub.gpg" "${KEYDIR}/marvinparanoid.pub.gpg" > "${KEYDIR}/double.pub.gpg"
+       cat "${KEYDIR}/joesixpack.pub.asc" "${KEYDIR}/marvinparanoid.pub.asc" > "${KEYDIR}/double.pub.asc"
        cat "${KEYDIR}/joesixpack.sec" "${KEYDIR}/marvinparanoid.sec" > "${KEYDIR}/double.sec"
-       cp -a "${KEYDIR}/double.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/double.gpg"
-       cp -a "${KEYDIR}/testcase-multikey.pub" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.gpg"
+       cp -a "${KEYDIR}/double.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/double.${EXT}"
+       cp -a "${KEYDIR}/testcase-multikey.pub.${EXT}" "${ROOTDIR}/etc/apt/trusted.gpg.d/multikey.${EXT}"
        rm -f "${SIGNATURE}.gpg"
-       testsuccess aptkey --quiet --keyring "${KEYDIR}/double.pub" --secret-keyring "${KEYDIR}/double.sec" --readonly \
+       testsuccess aptkey --quiet --keyring "${KEYDIR}/double.pub.gpg" --secret-keyring "${KEYDIR}/double.sec" --readonly \
                adv --batch --yes -u 'Marvin' -u 'Joe' --armor --detach-sign --sign --output "${SIGNATURE}.gpg" "${SIGNATURE}"
        testsuccess test -s "${SIGNATURE}.gpg" -a -s "${SIGNATURE}"
 
@@ -272,17 +300,17 @@ gpg:              unchanged: 1' aptkey --fakeroot update
                testsuccess --nomsg aptkey --quiet --readonly verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
                msgtest 'Test verify a doublesigned file' 'with good keyring joe'
-               testmultigpg --keyring "${KEYDIR}/joesixpack.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+               testmultigpg --keyring "${KEYDIR}/joesixpack.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
                msgtest 'Test verify a doublesigned file' 'with good keyring marvin'
-               testmultigpg --keyring "${KEYDIR}/marvinparanoid.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+               testmultigpg --keyring "${KEYDIR}/marvinparanoid.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
                msgtest 'Test fail verify a doublesigned file' 'with bad keyring'
-               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/rexexpired.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/rexexpired.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
 
                msgtest 'Test fail verify a doublesigned file' 'with non-existing keyring'
-               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/does-not-exist.pub" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
-               testfailure test -e "${KEYDIR}/does-not-exist.pub"
+               testfailure --nomsg aptkey --quiet --readonly --keyring "${KEYDIR}/does-not-exist.pub.${EXT}" verify "${SIGNATURE}.gpg" "${SIGNATURE}"
+               testfailure test -e "${KEYDIR}/does-not-exist.pub.${EXT}"
 
                # note: this isn't how apts gpgv method implements keyid for verify
                msgtest 'Test verify a doublesigned file' 'with good keyid'
@@ -322,6 +350,11 @@ setupgpgcommand() {
        testsuccess grep "^gpg (GnuPG) $1\." "${TMPWORKINGDIRECTORY}/aptkey.version"
 }
 
+(cd /; find "${TMPWORKINGDIRECTORY}/keys" -name '*.pub' -type f) | while read trusted; do
+       testsuccess aptkey --keyring "$trusted" adv --armor --export --output "${trusted}.asc"
+       cp -a "$trusted" "${trusted}.gpg"
+done
+
 # run with default (whatever this is) in current CWD with relative paths
 ROOTDIR="./rootdir"
 KEYDIR="./keys"
@@ -339,3 +372,7 @@ setupgpgcommand '1'
 testrun
 setupgpgcommand '2'
 testrun
+
+msgmsg 'Tests to be run with' 'asc files'
+rm -f "${ROOTDIR}/etc/apt/apt.conf.d/00gpgcmd"
+testrun 'asc'