summaryrefslogtreecommitdiff
path: root/cmdline
diff options
context:
space:
mode:
Diffstat (limited to 'cmdline')
-rw-r--r--cmdline/apt-key.in38
1 files changed, 25 insertions, 13 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index c9ff4b3f4..723af06ff 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -1,7 +1,7 @@
#!/bin/sh
set -e
-unset GREP_OPTIONS
+unset GREP_OPTIONS GPGHOMEDIR CURRENTTRAP
export IFS="$(printf "\n\b")"
MASTER_KEYRING='&keyring-master-filename;'
@@ -526,6 +526,11 @@ while [ -n "$1" ]; do
# … other more complicated ones pipe gpg into gpg.
aptkey_execute() { echo >&2 'EXEC:' "$@"; sh "$@"; }
;;
+ --homedir)
+ # force usage of a specific homedir instead of creating a temporary
+ shift
+ GPGHOMEDIR="$1"
+ ;;
--*)
echo >&2 "Unknown option: $1"
usage
@@ -593,9 +598,13 @@ cleanup_gpg_home() {
rm -rf "$GPGHOMEDIR"
}
+# gpg needs (in different versions more or less) files to function correctly,
+# so we give it its own homedir and generate some valid content for it later on
create_gpg_home() {
- # gpg needs (in different versions more or less) files to function correctly,
- # so we give it its own homedir and generate some valid content for it later on
+ # for cases in which we want to cache a homedir due to expensive setup
+ if [ -n "$GPGHOMEDIR" ]; then
+ return
+ fi
if [ -n "$TMPDIR" ]; then
# tmpdir is a directory and current user has rwx access to it
# same tests as in apt-pkg/contrib/fileutl.cc GetTempDir()
@@ -603,7 +612,7 @@ create_gpg_home() {
unset TMPDIR
fi
fi
- GPGHOMEDIR="$(mktemp -d)"
+ GPGHOMEDIR="$(mktemp --directory --tmpdir 'apt-key-gpghome.XXXXXXXXXX')"
CURRENTTRAP="${CURRENTTRAP} cleanup_gpg_home;"
trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
if [ -z "$GPGHOMEDIR" ]; then
@@ -644,6 +653,13 @@ EOF
create_gpg_home
+ # now tell gpg that it shouldn't try to maintain this trustdb file
+ echo "#!/bin/sh
+exec '$(escape_shell "${GPG_EXE}")' --ignore-time-conflict --no-options --no-default-keyring \\
+--homedir '$(escape_shell "${GPGHOMEDIR}")' --no-auto-check-trustdb --trust-model always \"\$@\"" > "${GPGHOMEDIR}/gpg.0.sh"
+ GPG_SH="${GPGHOMEDIR}/gpg.0.sh"
+ GPG="$GPG_SH"
+
# create the trustdb with an (empty) dummy keyring
# older gpgs required it, newer gpgs even warn that it isn't needed,
# but require it nonetheless for some commands, so we just play safe
@@ -655,19 +671,15 @@ EOF
false
fi
- # now tell gpg that it shouldn't try to maintain this trustdb file
- echo "#!/bin/sh
-exec '$(escape_shell "${GPG_EXE}")' --ignore-time-conflict --no-options --no-default-keyring \\
---homedir '$(escape_shell "${GPGHOMEDIR}")' --no-auto-check-trustdb --trust-model always \"\$@\"" > "${GPGHOMEDIR}/gpg.0.sh"
- GPG_SH="${GPGHOMEDIR}/gpg.0.sh"
- GPG="$GPG_SH"
-
# We don't usually need a secret keyring, of course, but
# for advanced operations, we might really need a secret keyring after all
if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then
if ! aptkey_execute "$GPG" -v --batch --import "$FORCED_SECRET_KEYRING" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
- cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
- false
+ # already imported keys cause gpg1 to fail for some reason… ignore this error
+ if ! grep -q 'already in secret keyring' "${GPGHOMEDIR}/gpgoutput.log"; then
+ cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
+ false
+ fi
fi
else
# and then, there are older versions of gpg which panic and implode