Diffstat (limited to 'cmdline/apt-key.in')
-rw-r--r-- | cmdline/apt-key.in | 32 |
1 files changed, 30 insertions, 2 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 723af06ff..5bc5462d2 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -249,6 +249,34 @@ accessible_file_exists() {
 return 1
 }
 
+is_supported_keyring() {
+ # empty files are always supported
+ if ! test -s "$1"; then
+ return 0
+ fi
+ local FILEEXT="${1##*.}"
+ if [ "$FILEEXT" = 'gpg' ]; then
+ # 0x98, 0x99 and 0xC6 via octal as hex isn't supported by dashs printf
+ if printf '\231' | cmp --silent --bytes=1 - "$1"; then
+ true
+ elif printf '\230' | cmp --silent --bytes=1 - "$1"; then
+ true
+ elif printf '\306' | cmp --silent --bytes=1 - "$1"; then
+ true
+ else
+ apt_warn "The key(s) in the keyring $1 are ignored as the file has an unsupported filetype."
+ return 1
+ fi
+ elif [ "$FILEEXT" = 'asc' ]; then
+ true #dearmor_filename will deal with them
+ else
+ # most callers ignore unsupported extensions silently
+ apt_warn "The key(s) in the keyring $1 are ignored as the file has an unsupported filename extension."
+ return 1
+ fi
+ return 0
+}
+
 foreach_keyring_do() {
 local ACTION="$1"
 shift
@@ -257,7 +285,7 @@ foreach_keyring_do() {
 $ACTION "$TRUSTEDFILE" "$@"
 else
 # otherwise all known keyrings are up for inspection
- if accessible_file_exists "$TRUSTEDFILE"; then
+ if accessible_file_exists "$TRUSTEDFILE" && is_supported_keyring "$TRUSTEDFILE"; then
 $ACTION "$TRUSTEDFILE" "$@"
 fi
 local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
@@ -266,7 +294,7 @@ foreach_keyring_do() {
 TRUSTEDPARTS="$(readlink -f "$TRUSTEDPARTS")"
 local TRUSTEDPARTSLIST="$(cd /; find "$TRUSTEDPARTS" -mindepth 1 -maxdepth 1 \( -name '*.gpg' -o -name '*.asc' \))"
 for trusted in $(echo "$TRUSTEDPARTSLIST" | sort); do
- if accessible_file_exists "$trusted"; then
+ if accessible_file_exists "$trusted" && is_supported_keyring "$trusted"; then
 $ACTION "$trusted" "$@"
 fi
 done |
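Review bot: is_supported_keyring has no header comment, and the three octal values are explained only by their hex form, so a reader cannot tell that the `.gpg` branch is a first-octet sniff rather than validation of the keyring. I would add above the function `# Returns 0 if $1 is empty, ends in .asc, or ends in .gpg and starts with an OpenPGP public-key packet tag (0x98/0x99 old format, 0xC6 new format); only the first octet is inspected, the rest of the file is not checked here.` The comment `# most callers ignore unsupported extensions silently` sits directly above an `apt_warn`, which reads as a contradiction; rewording it to say why this path warns anyway would help the next maintainer.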
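Review bot: The first branch of foreach_keyring_do still runs `$ACTION "$TRUSTEDFILE" "$@"` without is_supported_keyring, so only the `else` path (and the trusted.gpg.d loop in the following hunk) filters keyrings by format. The condition of that `if` lies outside the hunk; if it is the case of a caller-specified keyring, a file in an unsupported format is handed to the action unchecked there. If that is intended, a short comment such as `# explicitly requested keyring: passed through without the format check` would record the decision; otherwise the same `is_supported_keyring "$TRUSTEDFILE"` guard belongs on that branch as well.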