summaryrefslogtreecommitdiff
path: root/cmdline
diff options
context:
space:
mode:
Diffstat (limited to 'cmdline')
-rwxr-xr-xcmdline/apt-key36
1 files changed, 18 insertions, 18 deletions
diff --git a/cmdline/apt-key b/cmdline/apt-key
index 4596e4a47..e010e6e90 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -3,26 +3,26 @@
set -e
unset GREP_OPTIONS
-# We don't use a secret keyring, of course, but gpg panics and
-# implodes if there isn't one available
-SECRETKEYRING="$(mktemp)"
-CURRENTTRAP="rm -f '${SECRETKEYRING}';"
-trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
-GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
+GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring"
-eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
-if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then
- # root can read/create the file as needed, so use the default
- true
-else
- # gpg needs a trustdb to function, but it can't be invalid (not even empty)
- # so we create a tempory directory to store our fresh readable trustdb in
- TRUSTDBDIR="$(mktemp -d)"
- CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
- trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
- chmod 700 "$TRUSTDBDIR"
-fi
+# gpg needs a trustdb to function, but it can't be invalid (not even empty)
+# so we create a temporary directory to store our fresh readable trustdb in
+TRUSTDBDIR="$(mktemp -d)"
+CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+chmod 700 "$TRUSTDBDIR"
+# We also don't use a secret keyring, of course, but gpg panics and
+# implodes if there isn't one available - and writeable for imports
+SECRETKEYRING="${TRUSTDBDIR}/secring.gpg"
+touch $SECRETKEYRING
+GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING"
GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+
+# now create the trustdb with an (empty) dummy keyring
+$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING
+# and make sure that gpg isn't trying to update the file
+GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
+
GPG="$GPG_CMD"
MASTER_KEYRING=""