authorDavid Kalnischkies <david@kalnischkies.de>2016-08-25 15:22:28 +0200
committerJulian Andres Klode <jak@debian.org>2016-11-23 16:22:27 +0100
commit522c30a0a1a8dedf87ad0bf87a6b94f8c71feee2 (patch)
tree1d1dd3b795407a368115cc7f78c3f6e3d3cd4926
parent9b95f842ca105c9a0370240369dce80c1dd6aa52 (diff)
show apt-key warnings in apt update
In 105503b4b470c124bc0c271bd8a50e25ecbe9133 we got a warning implemented for unreadable files which greatly improves the behavior of apt update already as everything will work as long as we don't need the keys included in these files. The behavior if they are needed is still strange though, as update will fail claiming missing keys while a manual test (which the user will likely perform as root) will be successful. Passing the new warning generated by apt-key through to apt is a bit strange from an interface point of view, but basically duplicating the warning code in multiple places doesn't feel right either. That means we have no translation for the message though, as apt-key has no i18n yet. It also means that if the user has a bunch of sources each of them will generate a warning for each unreadable file which could result in quite a few duplicated warnings, but "too many" is better than none. Closes: 834973 (cherry picked from commit 29c590951f812d9e9c4f17706e34f2c3315fb1f6)
-rw-r--r--cmdline/apt-key.in15
-rw-r--r--methods/gpgv.cc3
-rwxr-xr-xtest/integration/test-releasefile-verification13
3 files changed, 31 insertions, 0 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index e231d6f61..eab5805b0 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -466,8 +466,23 @@ if [ -z "$command" ]; then
fi
shift
+find_gpgv_status_fd() {
+ while [ -n "$1" ]; do
+ if [ "$1" = '--status-fd' ]; then
+ shift
+ echo "$1"
+ break
+ fi
+ shift
+ done
+}
+GPGSTATUSFD="$(find_gpgv_status_fd "$@")"
+
warn() {
echo >&2 'W:' "$@"
+ if [ -n "$GPGSTATUSFD" ]; then
+ echo >&${GPGSTATUSFD} '[APTKEY:] WARNING' "$@"
+ fi
}
create_gpg_home() {
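Review bot: Whatever warn() writes with `echo >&${GPGSTATUSFD} '[APTKEY:] WARNING' "$@"` lands in the same stream the gpgv method parses as gpgv's own status output, so an argument containing a newline (a keyring path is the obvious candidate) would start a fresh line that the method would read as if gpgv had emitted it. Collapsing the message to a single line before writing it keeps the two channels apart: `echo >&${GPGSTATUSFD} '[APTKEY:] WARNING' "$(printf '%s ' "$@" | tr '\n' ' ')"`. find_gpgv_status_fd also only recognises the two-argument form `--status-fd N`, and the value it returns goes unchecked into a redirection, so `case "$GPGSTATUSFD" in *[!0-9]*) GPGSTATUSFD='' ;; esac` right after the assignment would stop a malformed value from breaking every later warn() call. In the normal case these paths come from root-owned configuration, so this is hardening of the status-fd boundary rather than an exploitable hole.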
diff --git a/methods/gpgv.cc b/methods/gpgv.cc
index 473465ba6..3f16ac0e0 100644
--- a/methods/gpgv.cc
+++ b/methods/gpgv.cc
@@ -39,6 +39,7 @@ using std::vector;
#define GNUPGKEYEXPIRED "[GNUPG:] KEYEXPIRED"
#define GNUPGREVKEYSIG "[GNUPG:] REVKEYSIG"
#define GNUPGNODATA "[GNUPG:] NODATA"
+#define APTKEYWARNING "[APTKEY:] WARNING"
struct Digest {
enum class State {
@@ -243,6 +244,8 @@ string GPGVMethod::VerifyGetSigners(const char *file, const char *outfile,
ValidSigners.push_back(string(sig));
}
+ else if (strncmp(buffer, APTKEYWARNING, sizeof(APTKEYWARNING)-1) == 0)
+ Warning("%s", buffer + sizeof(APTKEYWARNING));
}
fclose(pipein);
free(buffer);
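Review bot: `buffer + sizeof(APTKEYWARNING)` steps one byte past the marker, which is only safe while a separator byte follows it; a status line that is exactly `[APTKEY:] WARNING` with nothing after it would point past the terminator. `buffer + strlen(APTKEYWARNING)` followed by skipping leading blanks (the macro is a literal, so the length is still a compile-time constant in practice) removes that dependency. If buffer is filled by getline() here, the relayed text also still carries its trailing newline, unlike the neighbouring branches which appear to extract fields rather than forward the raw line; trimming it before Warning() would keep the output consistent. VerifyGetSigners and the read loop this sits in start before the hunk.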
diff --git a/test/integration/test-releasefile-verification b/test/integration/test-releasefile-verification
index 1b9b9512f..0510d6744 100755
--- a/test/integration/test-releasefile-verification
+++ b/test/integration/test-releasefile-verification
@@ -109,6 +109,19 @@ runtest() {
" aptcache show apt
installaptold
+ if [ "$(id -u)" != '0' ]; then
+ msgmsg 'Cold archive signed by' 'Joe Sixpack + unreadable key'
+ rm -rf rootdir/var/lib/apt/lists
+ echo 'foobar' > rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+ chmod 000 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+ updatewithwarnings '^W: .* is not readable by user'
+ chmod 644 rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+ rm -f rootdir/etc/apt/trusted.gpg.d/unreadablekey.gpg
+ testsuccessequal "$(cat "${PKGFILE}")
+" aptcache show apt
+ installaptold
+ fi
+
msgmsg 'Good warm archive signed by' 'Joe Sixpack'
prepare "${PKGFILE}-new"
signreleasefiles 'Joe Sixpack'
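Review bot: The new case is guarded by `if [ "$(id -u)" != '0' ]`, so a suite run as root — the usual situation in container CI — silently skips the only coverage of the status-fd relay this commit adds; an explicit skip message in an else branch (the harness's msgskip helper, if it has one) would at least make that visible in the log. The expected pattern `'^W: .* is not readable by user'` is also the same text apt-key prints to its own stderr, so if the harness surfaces the method's stderr the assertion could pass even when the `[APTKEY:] WARNING` relay is broken; I cannot tell from this hunk how stderr is captured, so that is worth confirming. runtest() starts before and ends after this hunk.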