summaryrefslogtreecommitdiff
path: root/cmdline
diff options
context:
space:
mode:
Diffstat (limited to 'cmdline')
-rwxr-xr-xcmdline/apt-key20
1 files changed, 14 insertions, 6 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key
index 89e224923..4596e4a47 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -6,15 +6,23 @@ unset GREP_OPTIONS
# We don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available
SECRETKEYRING="$(mktemp)"
-trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+CURRENTTRAP="rm -f '${SECRETKEYRING}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
-if [ "$(id -u)" -eq 0 ]; then
- # we could use a tmpfile here too, but creation of this tends to be time-consuming
- eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
- GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
+if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then
+ # root can read/create the file as needed, so use the default
+ true
+else
+ # gpg needs a trustdb to function, but it can't be invalid (not even empty)
+ # so we create a tempory directory to store our fresh readable trustdb in
+ TRUSTDBDIR="$(mktemp -d)"
+ CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+ trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+ chmod 700 "$TRUSTDBDIR"
fi
-
+GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
GPG="$GPG_CMD"
MASTER_KEYRING=""