diff options
| author | David Kalnischkies <kalnischkies@gmail.com> | 2013-08-12 16:19:37 +0200 |
|---|---|---|
| committer | David Kalnischkies <kalnischkies@gmail.com> | 2013-08-12 18:01:38 +0200 |
| commit | 04937adc655ceda0b3367f540e76df10296cfba1 (patch) | |
| tree | 303abe83359ad2db9b15e7cd56892f6fe75d8973 /cmdline | |
| parent | 804d4a0d92a2e107aad38198ac08f1d2d64b5e53 (diff) | |
let apt-key del work better with softlink and single key keyrings
Having fragement files means there is a good chance that there is one
key per keyring, so deal with that as well as with setups in which
keyrings are linked into trusted.gpg.d as we can't just modify those
files (they might be in /usr for example).
Diffstat (limited to 'cmdline')
| -rwxr-xr-x | cmdline/apt-key | 59 |
1 files changed, 56 insertions, 3 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key index a9cbea55c..713a41c07 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -151,6 +151,60 @@ update() { fi } +remove_key_from_keyring() { + local GPG="$GPG_CMD --keyring $1" + # check if the key is in this keyring: the key id is in the 5 column at the end + if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then + return + fi + if [ ! -w "$1" ]; then + echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only." + return + fi + # check if it is the only key in the keyring and if so remove the keyring alltogether + if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then + mv -f "$1" "${1}~" # behave like gpg + return + fi + # we can't just modify pointed to files as these might be in /usr or something + local REALTARGET + if [ -L "$1" ]; then + REALTARGET="$(readlink -f "$1")" + mv -f "$1" "${1}.dpkg-tmp" + cp -a "$REALTARGET" "$1" + ls "$(dirname $1)" + fi + # delete the key from the keyring + $GPG --batch --delete-key --yes "$2" + if [ -n "$REALTARGET" ]; then + # the real backup is the old link, not the copy we made + mv -f "${1}.dpkg-tmp" "${1}~" + fi +} + +remove_key() { + requires_root + + # if a --keyring was given, just remove from there + if [ -n "$FORCED_KEYRING" ]; then + remove_key_from_keyring "$FORCED_KEYRING" "$1" + else + # otherwise all known keyrings are up for inspection + local TRUSTEDFILE="/etc/apt/trusted.gpg" + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + remove_key_from_keyring "$TRUSTEDFILE" "$1" + TRUSTEDPARTS="/etc/apt/trusted.gpg.d" + eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) + if [ -d "$TRUSTEDPARTS" ]; then + for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do + remove_key_from_keyring "$trusted" "$1" + done + fi + fi + echo "OK" +} + usage() { echo "Usage: apt-key [--keyring file] [command] [arguments]" @@ -175,6 +229,7 @@ while [ -n "$1" ]; do --keyring) shift TRUSTEDFILE="$1" + FORCED_KEYRING="$1" if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" else @@ -239,10 +294,8 @@ case "$command" in echo "OK" ;; del|rm|remove) - requires_root init_keyring "$TRUSTEDFILE" - $GPG --quiet --batch --delete-key --yes "$1" - echo "OK" + remove_key "$1" ;; update) init_keyring "$TRUSTEDFILE" |