git.saurik.com Git - apt.git/commitdiff
ensure world-readability for trusted.gpg in postinst
author David Kalnischkies <david@kalnischkies.de>
Wed, 1 Oct 2014 21:58:05 +0000 (23:58 +0200)
committer David Kalnischkies <david@kalnischkies.de>
Wed, 1 Oct 2014 23:00:12 +0000 (01:00 +0200)
apt-key creates trusted.gpg if it needs it with 644 nowadays, but before
it ensured this, it was gpg creating it, which gives it by default 600.
Not a problem as long as our gpgv is run as root, but now that we drop
privileges we have to ensure that we can also read trusted.gpg files
created by earlier apt-key versions.

Closes: 647001
debian/apt.postinst
test/integration/test-apt-key

index deb422aa5d3920bfaf25e21b1f42e8abfd0e6f90..5820db5875febf317b70dd6c73c4cfbdaa17f711 100755 (executable)
@@ -22,6 +22,10 @@ case "$1" in
                    rm -f "$keyring"
                fi
            done
+           # apt-key before 0.9.8.2 could create 0600 trusted.gpg file
+           if test -e /etc/apt/trusted.gpg ; then
+               chmod -f 0644 /etc/apt/trusted.gpg || true
+           fi
        fi
 
        if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then
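Review bot: the added chmod sits inside an enclosing `if` that is closed by the `fi` right after it, and that condition is outside this hunk; if it is a `dpkg --compare-versions` guard like the `lt-nl 0.9.9.5` one that follows, confirm it matches every upgrade path that can still carry a 0600 /etc/apt/trusted.gpg, since the file keeps its old mode however many intermediate versions were installed after apt-key created it. Separately, `chmod -f 0644 ... || true` discards a failure silently, so a keyring that stays unreadable for the unprivileged gpgv is only noticed later at verification time; a warning on stderr in that case would make the cause visible. The `test -e` wrapper is redundant with `-f` plus `|| true` and could be dropped.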
index d5adec5bde08f521b7a1e6665471dcc8d00025ff..e6ac530a6145620c7b6910a7b032df5a1834edea 100755 (executable)
@@ -41,7 +41,14 @@ gpg:              unchanged: 1' aptkey --fakeroot update
 
        testaptkeys 'pub   2048R/DBAC8DAE 2010-08-18'
 
+       testsuccess test ! -e rootdir/etc/apt/trusted.gpg
        testsuccess aptkey --fakeroot add ./keys/rexexpired.pub
+       msgtest 'Check if trusted.gpg is created with permissions set to' '0644'
+       if [ "$(stat -c '%a' rootdir/etc/apt/trusted.gpg )" = '644' ]; then
+               msgpass
+       else
+               msgfail
+       fi
 
        testaptkeys 'pub   2048R/27CE74F9 2013-07-12 [expired: 2013-07-13]
 pub   2048R/DBAC8DAE 2010-08-18'
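Review bot: the new check after `aptkey --fakeroot add` only covers a freshly created trusted.gpg (the preceding `test ! -e` guarantees the file is absent), so the case the commit message describes, an existing file left at 0600 by an older apt-key, is not exercised here. Consider adding a case that creates rootdir/etc/apt/trusted.gpg with mode 600 beforehand and asserts the expected mode afterwards, and have the failure branch report the value that `stat -c '%a'` actually returned so a failing run shows what the permissions were.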