diff options
| -rw-r--r-- | cmdline/apt-key.in | 21 | ||||
| -rwxr-xr-x | test/integration/test-apt-key | 8 | ||||
| -rwxr-xr-x | test/integration/test-apt-key-net-update | 2 |
3 files changed, 26 insertions, 5 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index a3f8dde3a..74ca4d135 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -25,6 +25,19 @@ requires_root() { fi } +get_fingerprints_of_keyring() { + $GPG_CMD --keyring "$1" --with-colons --fingerprint | while read publine; do + # search for a public key + if [ "${publine%%:*}" != 'pub' ]; then continue; fi + # search for the associated fingerprint (should be the very next line) + while read fprline; do + if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen + elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi + echo "$fprline" | cut -d':' -f 10 + done + done +} + add_keys_with_verify_against_master_keyring() { ADD_KEYRING=$1 MASTER=$2 @@ -42,7 +55,7 @@ add_keys_with_verify_against_master_keyring() { # is honored. so: # all keys that are exported must have a valid signature # from a key in the $distro-master-keyring - add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")" all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` @@ -133,7 +146,7 @@ update() { if [ -r "$REMOVED_KEYS" ]; then # remove no-longer supported/used keys - $GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5 | while read key; do + get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do foreach_keyring_do 'remove_key_from_keyring' "$key" done else @@ -154,7 +167,7 @@ remove_key_from_keyring() { local KEY="$1" shift # check if the key is in this keyring: the key id is in the 5 column at the end - if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]*${KEY}:"; then + if ! get_fingerprints_of_keyring "$KEYRINGFILE" | grep -q "^[0-9A-F]*${KEY}$"; then continue fi if [ ! -w "$KEYRINGFILE" ]; then @@ -162,7 +175,7 @@ remove_key_from_keyring() { continue fi # check if it is the only key in the keyring and if so remove the keyring altogether - if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then + if [ '1' = "$(get_fingerprints_of_keyring "$KEYRINGFILE" | wc -l)" ]; then mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg return fi diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key index e863e54a4..6bece40d7 100755 --- a/test/integration/test-apt-key +++ b/test/integration/test-apt-key @@ -72,6 +72,14 @@ pub 2048R/DBAC8DAE 2010-08-18' testsuccess test ! -e rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg testsuccess cmp keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg~ + msgtest 'Test key removal with' 'fingerprint' + cleanplate + cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg + testsuccess --nomsg aptkey --fakeroot del 34A8E9D18DB320F367E8EAA05A90D141DBAC8DAE + testempty aptkey list + testsuccess test ! -e rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg + testsuccess cmp keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg~ + msgtest 'Test key removal with' 'single key in softlink' cleanplate ln -s $(readlink -f ./keys/joesixpack.pub) rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index b5fb796d0..b3c118555 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -41,7 +41,7 @@ echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf # test against the "real" webserver testequal "Checking for new archive signing keys now -Key 'E8525D47528144E2' not added. It is not signed with a master key" aptkey --fakeroot net-update +Key 'DE66AECA9151AFA1877EC31DE8525D47528144E2' not added. It is not signed with a master key" aptkey --fakeroot net-update aptkey list | grep '^pub' > aptkey.list testfileequal ./aptkey.list 'pub 1024R/F68C85A3 2013-12-19 |