| Age | Commit message (Collapse) | Author |
|---|
|
The apt-key script uses quiet a few keyring files for operation which
are specific to the distribution it is build on and is hence one of the
most patched parts – even if it is not that often used anymore now that
a fragment directory for trusted.gpg exists.
|
|
With the net-update command a special keyring can be downloaded and
imported into apt, which must be signed by a master key. Its is
currently disabled because of security problems with it – and the only
known user before that was Ubuntu.
|
|
Having fragement files means there is a good chance that there is one
key per keyring, so deal with that as well as with setups in which
keyrings are linked into trusted.gpg.d as we can't just modify those
files (they might be in /usr for example).
|
|
Might come in handy for more than just a simple testcase.
|
|
Closes: 665411
|
|
for some "interesting" reason gpg decides that it needs to update its
trustdb.gpg file in a --list-keys command even if right before gpg is
asked to --check-trustdb. That wouldn't be as bad if it wouldn't modify
the keyring being listed at that moment as well, which generates not
only warnings which are not a problem for us, but as the keyring
modified can be in /usr it modified files which aren't allowed to be
modified.
The suggested solution in the bugreport is running --check-trustdb
unconditionally in an 'apt-key update' call, but this command will not
be used in the future and this could still potentially bite us in
net-update or adv calls. All of this just to keep a file around, which
we do not need…
The commit therefore switches to the use of a temporary created
trusted.gpg file for everyone and asks gpg to not try to update the
trustdb after its intial creation, which seems to avoid the problem
altogether.
It is using your also faked secring btw as calling the check-trustdb
without a keyring is a lot slower …
Closes: #687611
Thanks: Andreas Beckmann for the initial patch!
|
|
APT doesn't care for the trustdb.gpg, but gnupg requires one even for
the simplest commands, so we either use the one root has available in
/etc or if we don't have access to it (as only root can read that file)
we create a temporary directory to store a trustdb.gpg in it.
We can't create just a temporary file as gpg requires the given
trustdb.gpg file to be valid (if it exists), so we would have to remove
the file before calling gnupg which would allow mktemp (and co) to hand
exactly this filename out to another program (unlikely, but still).
|
|
Usually, most apt-key commands require root, so the script is checking
for being run as root, but in your tests we use a non-root location, so
we don't need to be root and therefore need an option to skip the check.
Git-Dch: Ignore
|
|
|
|
|
|
- do not hardcode /etc but use Dir::Etc instead
|
|
- if command is 'add' do not error out if the specified
keyring doesn't exist, it will be created by gpg
|
|
that it doesn't like that… remove superficial quoting to fix apt-key
|
|
- use a tmpfile instead of /etc/apt/secring.gpg (Closes: #632596)
* debian/apt.postinst:
- remove /etc/apt/secring.gpg if it is an empty file
|
|
- create doxygen directory to avoid depending on magic (Closes: #628799)
* cmdline/apt-key:
- explicitly state that net-update is not supported if no url is set
- require to be root for add, rm, update and net-update
- clarify update vs. net-update in different distros (Closes: #632043)
* debian/apt.symbols:
- forgot 'mips' in the list for all architecture dependent symbols
- comment out gcc-4.5 specific symbols as gcc-4.6 is now default
- the symbol for PrintStatus() is architecture dependent
* apt-pkg/policy.cc:
- do not segfault in pinning if a package with this name doesn't exist.
Thanks to Ferdinand Thommes for the report!
- Defaults is a vector of Pin not of PkgPin
- ensure that only the first specific stanza for a package is used
- save all stanzas which had no effect in Unmatched
- allow package:architecure in Package:
|
|
* cmdline/apt-key:
- fix root test which prevented setting of trustdb-name
which lets gpg fail if it adds/remove keys from trusted.gpg
as it tries to open the (maybe) not existent /root/.gnupg
|
|
- don't set trustdb-name as non-root so 'list' and 'finger'
can be used without being root (Closes: #393005, #592107)
|
|
- support also Dir::Etc::Trusted so that apt-key works in the same
way as the library part which works with the trusted files
|
|
- Honor Apt::GPGV::TrustedKeyring (Closes: #316390)
|
|
* spot & fix various typos in all manpages
* German manpage translation update
* cmdline/apt-cache.cc:
- remove translatable marker from the "%4i %s\n" string
* buildlib/po4a_manpage.mak:
- instruct debiandoc to build files with utf-8 encoding
* buildlib/tools.m4:
- fix some warning from the buildtools
* apt-pkg/acquire-item.cc:
- add configuration PDiffs::Limit-options to not download
too many or too big patches (Closes: #554349)
* debian/control:
- let all packages depend on ${misc:Depends}
* share/*-archive.gpg:
- remove the horrible outdated files. We already depend on
the keyring so we don't need to ship our own version
* cmdline/apt-key:
- errors out if wget is not installed (Closes: #545754)
- add --keyring option as we have now possibly many
* methods/gpgv.cc:
- pass all keyrings (TrustedParts) to gpgv instead of
using only one trusted.gpg keyring (Closes: #304846)
* methods/https.cc:
- finally merge the rest of the patchset from Arnaud Ebalard
with the CRL and Issuers options, thanks! (Closes: #485963)
|
|
- Emit a warning if removed keys keyring is missing and skip associated
checks (LP: #218971)
|
|
|
|
|
|
|
|
closes: #350575)
|
|
|
|
in update. it does not add any security in update (see comment in the source for rational)
|
|
|
|
|
|
add_keys_with_verify_against_master_keyring
|
|
- add support for net-update command that verifies all keys
against the master key keyring
|
|
|
|
|
|
- add support for a master-keyring that contains signing keys
that can be used to sign the archive signing keys. This should
make key-rollover easier.
|
|
apt-get to ignore time conflicts, closes: #451328.
|
|
C. Litzenberger" <dlitz@dlitz.net> for the patch (closes: #441942)
|
|
* Fix broken use of awk in apt-key that caused removal of the wrong keys
from the keyring. Closes: #412572
|
|
|
|
baz diff before a commit)
|
|
|
|
Patches applied:
* apt@packages.debian.org/apt--main--0--patch-80
Merge michael.vogt@ubuntu.com--2005/apt--fixes--0
* apt@packages.debian.org/apt--main--0--patch-81
Open 0.6.37
* apt@packages.debian.org/apt--main--0--patch-82
merge bubulle@debian.org--2005/apt--main--0
* apt@packages.debian.org/apt--main--0--patch-83
Update changelog
* apt@packages.debian.org/apt--main--0--patch-84
Fix build of French man pages (now using XML, not SGML)
* apt@packages.debian.org/apt--main--0--patch-85
Merge patch from Philippe Batailler for French man page build
* apt@packages.debian.org/apt--main--0--patch-86
add Welsh translations from Dafydd Harries
* apt@packages.debian.org/apt--main--0--patch-87
Update changelog
* apt@packages.debian.org/apt--main--0--patch-88
Change debian/bugscript to use #!/bin/bash (Closes: #313402)
* apt@packages.debian.org/apt--main--0--patch-89
Branch for Debian
* apt@packages.debian.org/apt--main--0--patch-90
Update version in configure
* apt@packages.debian.org/apt--main--0--patch-91
Fix French man page build
* apt@packages.debian.org/apt--main--0--patch-92
Add the current Debian archive signing key
* bubulle@debian.org--2005/apt--main--0--patch-66
Italian translation complete
* bubulle@debian.org--2005/apt--main--0--patch-67
Sync with Matt
* bubulle@debian.org--2005/apt--main--0--patch-68
Sync with Matt
* bubulle@debian.org--2005/apt--main--0--patch-69
Sync with Matt
* bubulle@debian.org--2005/apt--main--0--patch-70
Re-generate the POT and PO files from sources
* bubulle@debian.org--2005/apt--main--0--patch-71
Update French translation
* bubulle@debian.org--2005/apt--main--0--patch-72
Merge with Matt
* bubulle@debian.org--2005/apt--main--0--patch-73
Basque translation update
* bubulle@debian.org--2005/apt--main--0--patch-74
Hebres translation update
* bubulle@debian.org--2005/apt--main--0--patch-75
Merge with Matt
* bubulle@debian.org--2005/apt--main--0--patch-76
Correct the Hebrew translation for #306658
* bubulle@debian.org--2005/apt--main--0--patch-77
Update French man pages translations
* bubulle@debian.org--2005/apt--main--0--patch-78
Merge with Matt
* bubulle@debian.org--2005/apt--main--0--patch-79
Correct syntax errors in Hebrew translation
* bubulle@debian.org--2005/apt--main--0--patch-80
Revert changes to debian/changelog and debian/apt.cron.daily
* bubulle@debian.org--2005/apt--main--0--patch-81
Portuguese translation update
* daf@muse.19inch.net--2005/apt--main--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-85
* daf@muse.19inch.net--2005/apt--main--0--patch-1
add Welsh translation
* michael.vogt@ubuntu.com--2005/apt--fixes--0--patch-6
* build fix for apt--main--0
* philippe.batailler@free.fr--2005/apt--mainBubulle--0.1--patch-1
Passage sous arch
* philippe.batailler@free.fr--2005/apt--mainMatt--0--patch-1
fix xml error
|
|
the clock may be totally broken)
|
|
|
|
|
|
Patches applied:
* apt@arch.ubuntu.com/apt--experimental--0.6--base-0
tag of apt@arch.ubuntu.com/apt--MAIN--0--patch-1190
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-1
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-2
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-3
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-4
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-5
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-6
Creation of branch v0_6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-7
Merge working copy of v0.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-8
0.6.0 is headed for experimental, not unstable
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-9
Date
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-10
Update LIB_APT_PKG_MAJOR
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-11
- Fix a heap corruption bug in pkgSrcRecords::pkgSrcRec...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-12
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-13
* Merge apt 0.5.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-14
* Rearrange Release file authentication code to be more...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-15
* Convert distribution "../project/experimental" to "ex...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-16
Merge 1.11
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-17
Merge 1.7
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-18
Merge 1.10
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-19
* Make a number of Release file errors into warnings; f...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-20
* Add space between package names when multiple unauthe...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-21
* Provide apt-key with a secret keyring and a trustdb, ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-22
* Fix typo in apt-key(8) (standard input is '-', not '/')
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-23
0.6.2
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-24
Resynch
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-25
* Fix MetaIndexURI for flat ("foo/") sources
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-26
0.6.3
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-27
* Use the top-level Release file in LoadReleaseInfo, ra...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-28
0.6.4
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-29
Clarify
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-30
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-31
* Fix display of unauthenticated packages when they are...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-32
* Move the authentication check into a separate functio...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-33
* Restore the ugly hack I removed from indexRecords::Lo...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-34
0.6.6
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-35
* Forgot to revert part of the changes to tagfile in 0....
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-36
* Add a config option and corresponding command line option
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-37
0.6.8
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-38
hopefully avoid more segfaults
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-39
XXX
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-40
* Another tagfile workaround
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-41
* Use "Codename" (woody, sarge, etc.) to supply the val...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-42
* Support IMS requests of Release.gpg and Release
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-43
* Have pkgAcquireIndex calculate an MD5 sum if one is n...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-44
* Merge 0.5.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-45
apt (0.6.13) experimental; urgency=low
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-46
0.6.13
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-47
Merge 0.5.20
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-48
The source list works a bit differently in 0.6; fix the...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-49
* s/Debug::Acquire::gpg/&v/
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-50
* Honor the [vendor] syntax in sources.list again (thou...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-51
* Don't ship vendors.list(5) since it isn't used yet
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-52
* Revert change from 0.6.10; it was right in the first ...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-53
* Fix some cases where the .gpg file could be left in p...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-54
Print a warning if gnupg is not installed
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-55
* Handle more IMS stuff correctly
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-56
0.6.17
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-57
* Merge 0.5.21
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-58
* Add new Debian Archive Automatic Signing Key to the d...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-59
0.6.18
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-60
* Merge 0.5.22
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-61
* Convert apt-key(8) to docbook XML
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-62
Merge 0.5.23
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-63
Remove bogus partial 0.5.22 changelog entry
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-64
Make the auth warning a bit less redundant
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-65
* Merge 0.5.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-66
* Make the unauthenticated packages prompt more intuiti...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-67
Merge 0.5.25
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-68
* Remove obsolete pkgIterator::TargetVer() (Closes: #230159)
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-69
* Reverse test in CheckAuth to match new prompt (Closes...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-70
Update version
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-71
Fix backwards sense of CheckAuth prompt
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-72
0.6.24
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-73
Close bug
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-74
* Fix handling of two-part sources for sources.list deb...
* apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
0.6.25
* apt@packages.debian.org/apt--authentication--0--base-0
tag of apt@arch.ubuntu.com/apt--experimental--0.6--patch-75
* apt@packages.debian.org/apt--authentication--0--patch-1
Michael Vogt's merge of apt--experimental--0 onto apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-2
Merge from apt--main--0
* apt@packages.debian.org/apt--authentication--0--patch-3
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-4
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-5
Update version number in configure.in
* apt@packages.debian.org/apt--authentication--0--patch-6
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-7
Merge from main
* apt@packages.debian.org/apt--authentication--0--patch-8
Merge from mvo's branch
* apt@packages.debian.org/apt--authentication--0--patch-9
Merge from mvo's tree
* apt@packages.debian.org/apt--authentication--0--patch-10
Merge from mvo
* apt@packages.debian.org/apt--authentication--0--patch-11
Fix permissions AGAIN
* apt@packages.debian.org/apt--bzip2-debs--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-30
* apt@packages.debian.org/apt--bzip2-debs--0--patch-1
Create baz branch
* apt@packages.debian.org/apt--bzip2-debs--0--patch-2
Implement data.tar.bz2 support
* apt@packages.debian.org/apt--main--0--patch-30
Fix changelog
* apt@packages.debian.org/apt--main--0--patch-31
Fix permissions again
* apt@packages.debian.org/apt--main--0--patch-32
Fix permissions again
* apt@packages.debian.org/apt--main--0--patch-33
Use baz instead of tla
* apt@packages.debian.org/apt--main--0--patch-34
Merge bzip2-debs branch
* apt@packages.debian.org/apt--main--0--patch-35
Fix changelog
* apt@packages.debian.org/apt--main--0--patch-36
untagged-source precious
* apt@packages.debian.org/apt--main--0--patch-37
Add .arch-inventory files
* apt@packages.debian.org/apt--main--0--patch-38
Fix permissions again
* apt@packages.debian.org/apt--main--0--patch-39
Merge apt--authentication--0
* apt@packages.debian.org/apt--main--0--patch-40
Merge misc-abi-changes
* apt@packages.debian.org/apt--main--0--patch-41
Merge from mvo
* apt@packages.debian.org/apt--misc-abi-changes--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-16
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-1
Fix apt-get -s remove to not display the candidate version
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-2
Merge from main
* apt@packages.debian.org/apt--misc-abi-changes--0--patch-3
Use pid_t throughout to hold process IDs
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--base-0
tag of michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--patch-1
* star-merged matt's changes (bz2 support for data-members in debs)
* michael.vogt@canonical.com--2004--laptop/apt--authentication-mvo--0--patch-2
* ignore errors when a Packages.bz2/Sources.bz2 can't be found and try with Packages.gz/Sources.gz again
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-34
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-1
* merged matt's tree (with all those apt-authentication changes)
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-2
don't display a error if a bzip2 package can not be downloaded, just ignore (Ign) it
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-3
* "chmod 755 cmdline/apt-key", changed version to 0.6.27ubuntu1
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-4
* fix for a stupid merge error (from 0.5->0.6)
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-5
* unstable should really be hoary
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-6
* stronger dependencies for libapt-pkg-dev (depends on the source version of apt and apt-watch now)
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-7
* distro really should be hoary, not unstable :/
* michael.vogt@canonical.com--2004--laptop/apt--mvo--0--patch-8
* documented the "--allow-unauthenticated" switch
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-1
tag of apt@packages.debian.org/apt--authentication--0--base-0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-2
merged "tla apply-delta -A foo@ apt@arch.ubuntu.com/apt--MAIN--0--patch-1190 apt@arch.ubuntu.com/apt--MAIN--0--patch-1343" and cleaned up conflicts
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-3
* missing bits from the merge added
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-4
* star-merged with apt@packages.debian.org/apt--main--0
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-5
* tree-synced to the apt--authentication tree
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-6
* use the ubuntu-key in this version
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-7
* imported the patches from mdz
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-8
* apt-get update --print-uris works now as before (fallback to 0.5.x behaviour)
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-9
* fix for the "if any source unauthenticated, all other sources are unauthenticated too" problem
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-10
* reworked the "--print-uris" patch. it no longer uses: "APT::Get::Print-URIs" in the library
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-11
* version of the library set to 3.6
* michael.vogt@canonical.com--2004/apt--authentication-mvo--0--patch-12
* changelog finallized, will upload to people.ubuntulinux.org/~mvo/apt-authentication
* michael.vogt@canonical.com--2004/apt--main-authentication--0--base-0
tag of apt@packages.debian.org/apt--main--0--patch-22
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-1
* star-merge from apt--experimental--0.6
* michael.vogt@canonical.com--2004/apt--main-authentication--0--patch-2
* compile failure fix for methods/http.cc, po-file fixes
|
