summaryrefslogtreecommitdiff
path: root/cmdline/apt-key.in
AgeCommit message (Collapse)Author
2016-07-01warn if apt-key is used in scripts/its output parsedDavid Kalnischkies
apt-key needs gnupg for most of its operations, but depending on it isn't very efficient as apt-key is hardly used by users – and scripts shouldn't use it to begin with as it is just a silly wrapper. To draw more attention on the fact that e.g. 'apt-key add' should not be used in favor of "just" dropping a keyring file into the trusted.gpg.d directory this commit implements the display of warnings.
2016-07-01alias apt-key list to fingerDavid Kalnischkies
There is no real point in having two commands which roughly do the same thing, especially if the difference is just in the display of the fingerprint and hence security sensitive information. Closes: 829232
2016-06-14apt-key: don't search PATH if command is a path alreadyDavid Kalnischkies
2016-06-02apt-key: change to / before find to satisfy its CWD needsDavid Kalnischkies
First seen on hurd, but easily reproducible on all systems by removing the 'execution' bit from the current working directory and watching some tests (mostly the no-output expecting tests) fail due to find printing: "find: Failed to restore initial working directory: …" Samuel Thibault says in the bugreport: | To do its work, find first records the $PWD, then goes to | /etc/apt/trusted.gpg.d/ to find the files, and then goes back to $PWD. | | On Linux, getting $PWD from the 700 directory happens to work by luck | (POSIX says that getcwd can return [EACCES]: Search permission was denied | for the current directory, or read or search permission was denied for a | directory above the current directory in the file hierarchy). And going | back to $PWD fails, and thus find returns 1, but at least it emitted its | output. | | On Hurd, getting $PWD from the 700 directory fails, and find thus aborts | immediately, without emitting any output, and thus no keyring is found. | | So, to summarize, the issue is that since apt-get update runs find as a | non-root user, running it from a 700 directory breaks find. Solved as suggested by changing to '/' before running find, with some paranoia extra care taking to ensure the paths we give to find are really absolute paths first (they really should, but TMPDIR=. or a similar Dir::Etc::trustedparts setting could exist somewhere in the wild). The commit takes also the opportunity to make these lines slightly less error ignoring and the two find calls using (mostly) the same parameters. Thanks: Samuel Thibault for 'finding' the culprit! Closes: 826043
2016-05-01apt-key: add \n to dpkg-query --show --showformatCarsten Hey
Guarding against 'broken' greps not dealing with non-text inputs "just in case" by making the input text with a proper newline. [commit message by David Kalnischkies] Reported-On: IRC Git-Dch: Ignore
2016-05-01warn if apt-key is run unconditionally in maintainerscriptDavid Kalnischkies
We want to stop hard-depending on gnupg and for this it is essential that apt-key isn't used in any critical execution path, which maintainerscript are. Especially as it is likely that these script call apt-key either only for (potentially now outdated cleanup) or still not use the much simpler trusted.gpg.d infrastructure.
2016-03-06add test for apt-key 0xKEY and use parameter expansionDavid Kalnischkies
Fixed in f7bd44bae0d7cb7f9838490b5eece075da83899e already, but the commit misses the Closes tag and while we are at it we can add a simple regression test and micro-optimize it a bit. Thanks: James McCoy for the suggestion. Closes: 816691
2016-03-04apt-key del should correctly handle keyids prefixed with 0xDaniel Kahn Gillmor
2015-12-19avoid triggering gpg2 migration in apt-keyDavid Kalnischkies
The presents (even of an empty) secring.gpg is indication enough for gpg2 to tigger the migration code which not only produces a bunch of output on each apt-key call, but also takes a while to complete as an agent needs to be started and all that. We workaround the first part by forcing the migration to happen always in a call we forced into silence, but that leaves us with an agent to start all the time – with a bit of reordering we can make it so that we do not explicitly create the secring, but let gpg create it if needed, which prevents the migration from being triggered and we have at least a bit less of a need for an agent. Changes - even to public only keyrings - still require one, but such actions are infrequent in comparison to verification calls, so that should be a net improvement.
2015-12-19avoid evaluating shell in paths used in apt-keyDavid Kalnischkies
apt-key creates internally a script (since ~1.1) which it will call to avoid dealing with an array of different options in the code itself, but while writing this script it wraps the values in "", which will cause the shell to evaluate its content upon execution. To make 'use' of this either set a absolute gpg command or TMPDIR to something as interesting as: "/tmp/This is fü\$\$ing cràzy, \$(man man | head -n1 | cut -d' ' -f1)\$!" If such paths can be encountered in reality is a different question…
2015-12-07part revert, part redo 'which' replacementDavid Kalnischkies
In e75e5879 'replace "which" with "command -v" for portability' I missed that command -v isn't actually required to be available in debian, so for the 5 files we are using it: Two (abicheck/run_abi_test & test/integration/framework) are called in environments were I believe sh is at least dash or 'better' as the first one is "interactive" for apt developers and the later is sourced by ~200 tests in the same directory run by hand and ci-services – for the later we have pulled some uglier hacks for worser things already, so if there should actually end up needing something more compatible we will notice eventually (and the later actually had a command -v call for some time already and nobody came running). debian/rules and debian/apt.cron.daily I switched back to which as that is more or less debian-specific or at least highly non-critical. That leaves cmdline/apt-key.in with a bunch of calls where I will implement that functionality in shell as this is relatively short-lived as it is used to detect wget (for net-update, which Michael wants to revive and in that process will properly use apt-helper instead of wget) and to detect gpg vs. gpg2 systems, where the earlier is supposed to go away in the longrun (or the later, but by replacing the earlier…). [and this gpg/gpg2 detection is new in sid, so I have some sympathy for that being a problem now.] Thanks: Jakub Wilk for pointing out #747320
2015-12-06replace run-parts with find|sort to avoid debianutils usageDavid Kalnischkies
After e75e5879 the reason for an implicit dependency on debianutils (which is essential for debian, but likely not on other systems) was just two uses of run-parts, which can be replaced with the a lot more portable find-piped-into-sort duo.
2015-12-06replace "which" with "command -v" for portabilityDavid Kalnischkies
which is a debian specific tool packaged in debianutils (essential) while command is a shell builtin defined by POSIX. Closes: 807144 Thanks: Mingye Wang for the suggestion.
2015-09-14deal with spaces in path, command and filepaths in apt-keyDavid Kalnischkies
Filenames we get could include spaces, but also the tmpdir we work in and the failures we print in return a very generic and unhelpful… Properly supporting spaces is a bit painful as we constructed gpg command before, which is now moved to (multilevel) calls to temporary scripts instead.
2015-08-27fix various typos reported by codespellDavid Kalnischkies
Reported-By: codespell
2015-08-10merge keyrings with cat instead of gpg in apt-keyDavid Kalnischkies
If all keyrings are simple keyrings we can merge the keyrings with cat rather than doing a detour over gpg --export | --import (see #790665), which means 'apt-key verify' can do without gpg and just use gpgv as before the merging change. We declare this gpgv usage explicit now in the dependencies. This isn't a new dependency as gnupg as well as debian-archive-keyring depend on and we used it before unconditionally, just that we didn't declare it. The handling of the merged keyring needs to be slightly different as our merged keyring can end up containing the same key multiple times, but at least currently gpg does remove only the first occurrence with --delete-keys, so we move the handling to a if one is gone, all are gone rather than an (implicit) quid pro quo or even no effect. Thanks: Daniel Kahn Gillmor for the suggestion
2015-08-10support gpg 2.1.x in apt-keyDavid Kalnischkies
The output of gpg slightly changes in 2.1 which breaks the testcase, but the real problem is that this branch introduces a new default keyring format (which is called keybox) and mixing it with simple keyrings (the previous default format) has various problems like failing in the keybox to keyring import (#790665) or [older] gpgv versions not being able to deal with keyboxes (and newer versions as well currently: https://bugs.gnupg.org/gnupg/issue2025). We fix this by being a bit more careful in who creates keyrings (aka: we do it or we take a simple keyring as base) to ensure we always have a keyring instead of a keybox. This way we can ensure that any version combination of gpv/gpgv2 and gnupg/gnupg2 without doing explicit version checks and use the same code for all of them. Closes: 781042
2015-08-10enhance apt-key debugging optionsDavid Kalnischkies
It is sometimes handy to know how apt-key exactly called gpg, so adding a pair of options to be able to see this if wanted is added. Two are needed as some commands output is redirected to /dev/null, while sfor others stdout is piped into another gpg call so in both cases you wouldn't see all and hence you can choose. Git-Dch: Ignore
2015-08-10implement Signed-By option for sources.listDavid Kalnischkies
Limits which key(s) can be used to sign a repository. Not immensely useful from a security perspective all by itself, but if the user has additional measures in place to confine a repository (like pinning) an attacker who gets the key for such a repository is limited to its potential and can't use the key to sign its attacks for an other (maybe less limited) repository… (yes, this is as weak as it sounds, but having the capability might come in handy for implementing other stuff later).
2015-04-19Merge branch 'debian/jessie' into debian/experimentalDavid Kalnischkies
Conflicts: apt-pkg/acquire-item.cc cmdline/apt-key.in methods/https.cc test/integration/test-apt-key test/integration/test-multiarch-foreign
2015-04-07keyids in "apt-key del" should be case-insensitiveDavid Kalnischkies
gnupg is case-insensitive about keyids, so back then apt-key called it directly any keyid was accepted, but now that we work more with the keyid ourself we regressed to require uppercase keyids by accident. This is also inconsistent with other apt-key commands which still use gnupg directly. A single case-insensitive grep and we are fine again. Closes: 781696
2014-11-28support long keyids in "apt-key del" instead of ignoring themJames McCoy
apt-key given a long keyid reports just "OK" all the time, but doesn't delete the mentioned key as it doesn't find the key. Note: In debian/experimental this was closed with 29f1b977100aeb6d6ebd38923eeb7a623e264ffe which just added the testcase as the rewrite of apt-key had fixed this as well. Closes: 754436
2014-10-20test if TMPDIR is accessible before usingDavid Kalnischkies
Private temporary directories as created by e.g. libpam-tmpdir are nice, but they are also very effective in preventing our priviledge dropping to work as TMPDIR will be set to a directory only root has access to, so working with it as _apt will fail. We circumvent this by extending our check for a usable TMPDIR setting by checking access rights. Closes: 765951
2014-09-29Test if TMPDIR is a directory in apt-key and if not unset itMichael Vogt
This prevents a failure in mktemp -d - it will blindly trust TMPDIR and not use something else if the dir is not there.
2014-09-27add and use 'apt-key verify' which prefers gpgv over gpgDavid Kalnischkies
gnupg/gnupg2 can do verify just fine of course, so we don't need to use gpgv here, but it is what we always used in the past, so there might be scripts expecting a certain output and more importantly the output of apt-cdrom contains messages from gpg and even with all the settings we activate to prevent it, it still shows (in some versions) a quiet scary: "gpg: WARNING: Using untrusted key!" message. Keeping the use of gpgv is the simplest way to prevent it. We are increasing also the "Breaks: apt" version from libapt as it requires a newer apt-key than might be installed in partial upgrades.
2014-09-27miscellaneous small cleanups in apt-keyDavid Kalnischkies
Git-Dch: Ignore
2014-09-27add --readonly option for apt-key advDavid Kalnischkies
Some advanced commands can be executed without the keyring being modified like --verify, so this adds an option to disable the mergeback and uses it for our gpg calling code. Git-Dch: Ignore
2014-09-27use only one --keyring in gpg interactionsDavid Kalnischkies
We were down to at most two keyrings before, but gnupg upstream plans dropping support for multiple keyrings in the longrun, so with a single keyring we hope to be future proof – and 'apt-key adv' isn't a problem anymore as every change to the keys is merged back, so we have now the same behavior as before, but support an unlimited amount of trusted.gpg.d keyrings.
2014-09-27add --secret-keyring option for apt-keyDavid Kalnischkies
For some advanced usecases it might be handy to specify the secret keyring to be used (e.g. as it is used in the testcases), but specifying it via a normal option for gnupg might not be available forever: http://lists.gnupg.org/pipermail/gnupg-users/2013-August/047180.html Git-Dch: Ignore
2014-09-27allow to specify fingerprints in 'apt-key del'David Kalnischkies
2014-09-27add a test for apt-key export{,all}David Kalnischkies
Git-Dch: Ignore
2014-09-27respect --keyring also in merged keyring commandsDavid Kalnischkies
Git-Dch: Ignore
2014-09-27support gnupg2 as drop-in replacement for gnupgDavid Kalnischkies
If both are available APT will still prefer gpg over gpg2 as it is a bit more lightweight, but it shouldn't be a problem to use one or the other (at least at the moment, who knows what will happen in the future).
2014-09-27delay gnupg setup in apt-key until it is neededDavid Kalnischkies
'apt-key help' and incorrect usage do not need a functioning gnupg setup, as well as we shouldn't try to setup gnupg before we actually test if it is available (and print a message if it is not).
2014-09-27merge fragment keyrings in apt-key to avoid hitting gpg limitsDavid Kalnischkies
gnupg has a hardlimit of 40 (at the moment) keyrings per invocation, which can be exceeded with (many) repositories. That is rather misfortune as the longrun goal was to drop gnupg dependency at some point in the future, but this can now be considered missed and dropped. It also means that 'apt-key adv' commands might not have the behaviour one would expect it to have as it mainly operates on a big temporary keyring, so commands modifying keys will break. Doing this was never a good idea anyway through, so lets just hope nothing break too badly. Closes: 733028
2014-09-27refactor key removal code to reuse it in next stepDavid Kalnischkies
Git-Dch: Ignore
2014-09-27set a primary-keyring only if we have access to itDavid Kalnischkies
2014-09-27support (multiple) arguments properly in apt-keyDavid Kalnischkies
2014-09-27only create new trusted.gpg if directory is writeableDavid Kalnischkies
2014-09-27all errors should be printed to stderrDavid Kalnischkies
Git-Dch: Ignore
2014-09-27add a (hidden) --quiet option for apt-keyDavid Kalnischkies
2014-09-27remove leftover debug output from multikey softlinkDavid Kalnischkies
Git-Dch: Ignore
2014-02-22Fix typos in documentation (codespell)Michael Vogt
2014-01-16use gpg --homedir instead of explicit file placementDavid Kalnischkies
Avoids that gpg gets the idea it could use files from the user which weren't overridden specifically like secret keyring and trustdb as before.
2013-12-19fix apt-key net-update test to use the buildin webserverMichael Vogt
2013-12-13make apt-key net-update actually testableMichael Vogt
2013-12-01generate apt-key script with vendor info about keysDavid Kalnischkies
The apt-key script uses quiet a few keyring files for operation which are specific to the distribution it is build on and is hence one of the most patched parts – even if it is not that often used anymore now that a fragment directory for trusted.gpg exists.