summaryrefslogtreecommitdiff
path: root/cmdline/apt-key
diff options
context:
space:
mode:
authorDavid Kalnischkies <kalnischkies@gmail.com>2013-07-11 20:07:22 +0200
committerDavid Kalnischkies <kalnischkies@gmail.com>2013-08-12 18:01:37 +0200
commitc0a013221d296e97d68b4e9a66fef5c886d2bbb0 (patch)
tree26db1a3a6114fb3a53d0b79bf78edbe92fed6aa3 /cmdline/apt-key
parent3dc55197095e0536aae4d5c0c91e28bfd4740ec6 (diff)
always use our own trustdb.gpg in apt-key
APT doesn't care for the trustdb.gpg, but gnupg requires one even for the simplest commands, so we either use the one root has available in /etc or if we don't have access to it (as only root can read that file) we create a temporary directory to store a trustdb.gpg in it. We can't create just a temporary file as gpg requires the given trustdb.gpg file to be valid (if it exists), so we would have to remove the file before calling gnupg which would allow mktemp (and co) to hand exactly this filename out to another program (unlikely, but still).
Diffstat (limited to 'cmdline/apt-key')
-rwxr-xr-xcmdline/apt-key20
1 files changed, 14 insertions, 6 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key
index 89e224923..4596e4a47 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -6,15 +6,23 @@ unset GREP_OPTIONS
# We don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available
SECRETKEYRING="$(mktemp)"
-trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+CURRENTTRAP="rm -f '${SECRETKEYRING}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
-if [ "$(id -u)" -eq 0 ]; then
- # we could use a tmpfile here too, but creation of this tends to be time-consuming
- eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
- GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
+if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then
+ # root can read/create the file as needed, so use the default
+ true
+else
+ # gpg needs a trustdb to function, but it can't be invalid (not even empty)
+ # so we create a tempory directory to store our fresh readable trustdb in
+ TRUSTDBDIR="$(mktemp -d)"
+ CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+ trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+ chmod 700 "$TRUSTDBDIR"
fi
-
+GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
GPG="$GPG_CMD"
MASTER_KEYRING=""