-rwxr-xr-x | cmdline/apt-key | 36 | ||||
-rw-r--r-- | debian/apt.postinst | 13 |
2 files changed, 27 insertions, 22 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key
index 4596e4a47..e010e6e90 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -3,26 +3,26 @@ set -e
 unset GREP_OPTIONS
-# We don't use a secret keyring, of course, but gpg panics and
-# implodes if there isn't one available
-SECRETKEYRING="$(mktemp)"
-CURRENTTRAP="rm -f '${SECRETKEYRING}';"
-trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
-GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
+GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
-eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
-if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then
- # root can read/create the file as needed, so use the default
- true
-else
- # gpg needs a trustdb to function, but it can't be invalid (not even empty)
- # so we create a tempory directory to store our fresh readable trustdb in
- TRUSTDBDIR="$(mktemp -d)"
- CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
- trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
- chmod 700 "$TRUSTDBDIR"
-fi
+# gpg needs a trustdb to function, but it can't be invalid (not even empty)
+# so we create a temporary directory to store our fresh readable trustdb in
+TRUSTDBDIR="$(mktemp -d)"
+CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+chmod 700 "$TRUSTDBDIR"
+# We also don't use a secret keyring, of course, but gpg panics and
+# implodes if there isn't one available - and writeable for imports
+SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
+touch $SECRETKEYRING
+GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
 GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+
+# now create the trustdb with an (empty) dummy keyring
+$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
+# and make sure that gpg isn't trying to update the file
+GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
+
 GPG="$GPG_CMD"
 MASTER_KEYRING=""
diff --git a/debian/apt.postinst b/debian/apt.postinst
index 9ff1e031c..caa05ccdf 100644
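Review bot: `touch $SECRETKEYRING` and the `--keyring $SECRETKEYRING` argument on the `--check-trustdb` line are unquoted, so a `TMPDIR` containing whitespace (which `mktemp -d` honours) word-splits the path into the new temporary directory; quote both, `touch "$SECRETKEYRING"` and `--keyring "$SECRETKEYRING"`, noting that the `--trustdb-name ${TRUSTDBDIR}/trustdb.gpg` word kept inside the deliberately word-split `GPG_CMD` string has the same limitation and is not fixed by that alone. `CURRENTTRAP` is now extended via `${CURRENTTRAP} rm -rf ...` before anything has assigned it, which only works because an unset variable expands to nothing; a plain `CURRENTTRAP="rm -rf '${TRUSTDBDIR}';"` states the intent and would survive a later `set -u`. The comment above the last added assignment covers only the no-update intent, but `--trust-model always` also makes gpg treat every key in the keyrings it is given as valid without consulting ownertrust, which is exactly what apt-key depends on now that the trustdb is a throwaway copy; say so, e.g. `# --trust-model always: keys in the keyrings we pass are valid as-is (the keyrings are the trust anchors), so the empty trustdb never needs updating`.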
--- a/debian/apt.postinst
+++ b/debian/apt.postinst
@@ -15,10 +15,15 @@ set -e
 case "$1" in
 configure)
- SECRING='/etc/apt/secring.gpg'
- # test if secring is an empty normal file
- if test -f $SECRING -a ! -s $SECRING; then
- rm -f $SECRING
+ if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then
+ # we are using tmpfiles for both
+ rm -f /etc/apt/trustdb.gpg
+ # this removal was done unconditional since 0.8.15.3
+ SECRING='/etc/apt/secring.gpg'
+ # test if secring is an empty normal file
+ if test -f $SECRING -a ! -s $SECRING; then
+ rm -f $SECRING
+ fi
 fi
 apt-key update
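Review bot: `rm -f /etc/apt/trustdb.gpg` discards whatever ownertrust an administrator had recorded in that file, and the comment `# we are using tmpfiles for both` does not say why that is acceptable; state it, e.g. `# apt-key now works on private temporary copies of trustdb and secring and no longer reads these files, so drop the stale ones`. The `lt-nl` comparison skips the whole block on a fresh install where `$2` is empty (dpkg treats an empty version as later than any other), which is correct but worth a word in the comment since the semantics of `lt-nl` are not widely known. The re-indented `test -f $SECRING -a ! -s $SECRING` keeps the obsolescent `-a`; `if [ -f "$SECRING" ] && [ ! -s "$SECRING" ]; then` is the portable form (the variable is a constant here, so this is style only). The comment `# this removal was done unconditional since 0.8.15.3` reads better as `unconditionally`.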