author | David Kalnischkies <kalnischkies@gmail.com> | 2013-07-11 20:07:22 +0200 |
---|---|---|
committer | David Kalnischkies <kalnischkies@gmail.com> | 2013-08-12 18:01:37 +0200 |
commit | c0a013221d296e97d68b4e9a66fef5c886d2bbb0 (patch) | |
tree | 26db1a3a6114fb3a53d0b79bf78edbe92fed6aa3 /cmdline/apt-key | |
parent | 3dc55197095e0536aae4d5c0c91e28bfd4740ec6 (diff) |
always use our own trustdb.gpg in apt-key

APT doesn't care for the trustdb.gpg, but gnupg requires one even for
the simplest commands, so we either use the one root has available in
/etc or if we don't have access to it (as only root can read that file)
we create a temporary directory to store a trustdb.gpg in it.

We can't create just a temporary file as gpg requires the given
trustdb.gpg file to be valid (if it exists), so we would have to remove
the file before calling gnupg which would allow mktemp (and co) to hand
exactly this filename out to another program (unlikely, but still).

Diffstat (limited to 'cmdline/apt-key')
-rwxr-xr-x | cmdline/apt-key | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key index 89e224923..4596e4a47 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -6,15 +6,23 @@ unset GREP_OPTIONS # We don't use a secret keyring, of course, but gpg panics and # implodes if there isn't one available SECRETKEYRING="$(mktemp)" -trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM +CURRENTTRAP="rm -f '${SECRETKEYRING}';" +trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}" -if [ "$(id -u)" -eq 0 ]; then - # we could use a tmpfile here too, but creation of this tends to be time-consuming - eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) - GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" +eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) +if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then + # root can read/create the file as needed, so use the default + true +else + # gpg needs a trustdb to function, but it can't be invalid (not even empty) + # so we create a tempory directory to store our fresh readable trustdb in + TRUSTDBDIR="$(mktemp -d)" + CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" + trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM + chmod 700 "$TRUSTDBDIR" fi - +GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" GPG="$GPG_CMD" MASTER_KEYRING="" |
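
Review bot: The else branch does not check the result of `mktemp -d`: if it fails, TRUSTDBDIR is empty, the trap gains `rm -rf '';` and the final assignment passes `--trustdb-name /trustdb.gpg` to gpg. Suggest `TRUSTDBDIR="$(mktemp -d)" || exit 1` (with an error message) before CURRENTTRAP is extended. Two smaller points in the same hunk: the directory path is pasted into a single-quoted string inside the trap and unquoted into GPG_CMD, so a TMPDIR containing a quote or whitespace breaks both, and the `true` branch could be dropped by negating the condition, which would also let the comment say that a non-root user with a readable trustdb.gpg takes the default path too. The new comment has a typo ("tempory").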