-rwxr-xr-xcmdline/apt-key36
-rw-r--r--debian/apt.postinst13
2 files changed, 27 insertions, 22 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key
index 4596e4a47..e010e6e90 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -3,26 +3,26 @@
set -e
unset GREP_OPTIONS
-# We don't use a secret keyring, of course, but gpg panics and
-# implodes if there isn't one available
-SECRETKEYRING="$(mktemp)"
-CURRENTTRAP="rm -f '${SECRETKEYRING}';"
-trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
-GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
+GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
-eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
-if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then
- # root can read/create the file as needed, so use the default
- true
-else
- # gpg needs a trustdb to function, but it can't be invalid (not even empty)
- # so we create a tempory directory to store our fresh readable trustdb in
- TRUSTDBDIR="$(mktemp -d)"
- CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
- trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
- chmod 700 "$TRUSTDBDIR"
-fi
+# gpg needs a trustdb to function, but it can't be invalid (not even empty)
+# so we create a temporary directory to store our fresh readable trustdb in
+TRUSTDBDIR="$(mktemp -d)"
+CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+chmod 700 "$TRUSTDBDIR"
+# We also don't use a secret keyring, of course, but gpg panics and
+# implodes if there isn't one available - and writeable for imports
+SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
+touch $SECRETKEYRING
+GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+
+# now create the trustdb with an (empty) dummy keyring
+$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
+# and make sure that gpg isn't trying to update the file
+GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
+
GPG="$GPG_CMD"
MASTER_KEYRING=""
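Review bot: The added line `CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"` appends to a variable whose only visible initial assignment this commit removes, so the trap string now begins with whatever `CURRENTTRAP` holds in the inherited environment, and that text is executed as shell code when the script exits. Initialise it rather than appending: `CURRENTTRAP="rm -rf '${TRUSTDBDIR}';"`. In the same hunk, `touch $SECRETKEYRING` and `--check-trustdb --keyring $SECRETKEYRING` use the path unquoted although it derives from `mktemp -d`, which follows `TMPDIR`; write `touch "$SECRETKEYRING"` and `--keyring "$SECRETKEYRING"`. Lines 1-2 of the file lie outside the hunk, so confirm nothing there sets `CURRENTTRAP` before relying on the append.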
diff --git a/debian/apt.postinst b/debian/apt.postinst
index 9ff1e031c..caa05ccdf 100644
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -15,10 +15,15 @@ set -e
case "$1" in
configure)
- SECRING='/etc/apt/secring.gpg'
- # test if secring is an empty normal file
- if test -f $SECRING -a ! -s $SECRING; then
- rm -f $SECRING
+ if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then
+ # we are using tmpfiles for both
+ rm -f /etc/apt/trustdb.gpg
+ # this removal was done unconditional since 0.8.15.3
+ SECRING='/etc/apt/secring.gpg'
+ # test if secring is an empty normal file
+ if test -f $SECRING -a ! -s $SECRING; then
+ rm -f $SECRING
+ fi
fi
apt-key update
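Review bot: The comment `# we are using tmpfiles for both` above `rm -f /etc/apt/trustdb.gpg` does not say what "both" refers to or why deleting a file under /etc/apt is safe. Something like `# apt-key now creates trustdb.gpg and secring.gpg in a temporary directory on each run, so the copies under /etc/apt are stale` would make the upgrade step self-explanatory. As a style point on the re-indented check, `test -f $SECRING -a ! -s $SECRING` relies on the obsolescent `-a` operator; `[ -f "$SECRING" ] && [ ! -s "$SECRING" ]` is the portable form.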