summaryrefslogtreecommitdiff
path: root/cmdline/apt-key
diff options
context:
space:
mode:
authorDavid Kalnischkies <kalnischkies@gmail.com>2013-11-30 23:07:20 +0100
committerDavid Kalnischkies <kalnischkies@gmail.com>2013-12-01 15:51:33 +0100
commitf87338d2da95ba7d55a1a67b4506717e94d49bca (patch)
tree89df2d1f968a71da3c74d34943c5c6c47ea9d225 /cmdline/apt-key
parent0005fa07886135d6adfec59f2d722df229b7af12 (diff)
cherry-pick ubuntus (disabled) net-update fixes
With the net-update command a special keyring can be downloaded and imported into apt, which must be signed by a master key. Its is currently disabled because of security problems with it – and the only known user before that was Ubuntu.
Diffstat (limited to 'cmdline/apt-key')
-rwxr-xr-xcmdline/apt-key44
1 files changed, 31 insertions, 13 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key
index 713a41c07..64cf5a6f4 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -25,17 +25,15 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
GPG="$GPG_CMD"
-MASTER_KEYRING=""
-#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
+MASTER_KEYRING=''
eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
-ARCHIVE_KEYRING_URI=""
-#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg
-eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
-
-ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
+ARCHIVE_KEYRING='/usr/share/keyrings/debian-archive-keyring.gpg'
eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)
-REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
+REMOVED_KEYS='/usr/share/keyrings/debian-archive-removed-keys.gpg'
eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
+ARCHIVE_KEYRING_URI=''
+eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
+TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg
requires_root() {
if [ "$(id -u)" -ne 0 ]; then
@@ -57,7 +55,7 @@ init_keyring() {
add_keys_with_verify_against_master_keyring() {
ADD_KEYRING=$1
MASTER=$2
-
+
if [ ! -f "$ADD_KEYRING" ]; then
echo "ERROR: '$ADD_KEYRING' not found"
return
@@ -72,12 +70,28 @@ add_keys_with_verify_against_master_keyring() {
# all keys that are exported must have a valid signature
# from a key in the $distro-master-keyring
add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
+ all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
+
+ # ensure there are no colisions LP: #857472
+ for all_add_key in $all_add_keys; do
+ for master_key in $master_keys; do
+ if [ "$all_add_key" = "$master_key" ]; then
+ echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
+ return 1
+ fi
+ done
+ done
+
for add_key in $add_keys; do
- ADDED=0
+ # export the add keyring one-by-one
+ rm -f $TMP_KEYRING
+ $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key
+ # check if signed with the master key and only add in this case
+ ADDED=0
for master_key in $master_keys; do
- if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
- $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import
+ if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
+ $GPG --import $TMP_KEYRING
ADDED=1
fi
done
@@ -85,12 +99,16 @@ add_keys_with_verify_against_master_keyring() {
echo >&2 "Key '$add_key' not added. It is not signed with a master key"
fi
done
+ rm -f $TMP_KEYRING
}
# update the current archive signing keyring from a network URI
# the archive-keyring keys needs to be signed with the master key
# (otherwise it does not make sense from a security POV)
net_update() {
+ # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
+ exit 1
+
if [ -z "$ARCHIVE_KEYRING_URI" ]; then
echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
exit 1
@@ -110,7 +128,7 @@ net_update() {
if [ -e $keyring ]; then
old_mtime=$(stat -c %Y $keyring)
fi
- (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI)
+ (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
if [ ! -e $keyring ]; then
return
fi