From c0a013221d296e97d68b4e9a66fef5c886d2bbb0 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Thu, 11 Jul 2013 20:07:22 +0200
Subject: always use our own trustdb.gpg in apt-key

APT doesn't care for the trustdb.gpg, but gnupg requires one even for the simplest commands, so we either use the one root has available in /etc or if we don't have access to it (as only root can read that file) we create a temporary directory to store a trustdb.gpg in it.

We can't create just a temporary file as gpg requires the given trustdb.gpg file to be valid (if it exists), so we would have to remove the file before calling gnupg which would allow mktemp (and co) to hand exactly this filename out to another program (unlikely, but still).
---
 cmdline/apt-key | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/cmdline/apt-key b/cmdline/apt-key
index 89e224923..4596e4a47 100755
--- a/cmdline/apt-key
+++ b/cmdline/apt-key
@@ -6,15 +6,23 @@ unset GREP_OPTIONS
 # We don't use a secret keyring, of course, but gpg panics and
 # implodes if there isn't one available
 SECRETKEYRING="$(mktemp)"
-trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+CURRENTTRAP="rm -f '${SECRETKEYRING}';"
+trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
 GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}"
 
-if [ "$(id -u)" -eq 0 ]; then
- # we could use a tmpfile here too, but creation of this tends to be time-consuming
- eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
- GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
+eval $(apt-config shell TRUSTDBDIR Dir::Etc/d)
+if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then
+ # root can read/create the file as needed, so use the default
+ true
+else
+ # gpg needs a trustdb to function, but it can't be invalid (not even empty)
+ # so we create a tempory directory to store our fresh readable trustdb in
+ TRUSTDBDIR="$(mktemp -d)"
+ CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';"
+ trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
+ chmod 700 "$TRUSTDBDIR"
 fi
-
+GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg"
 GPG="$GPG_CMD"
 
 MASTER_KEYRING=""
-- 
cgit v1.2.3
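Review bot: The new `else` branch never checks whether `mktemp -d` succeeded, so on a full or unwritable TMPDIR `TRUSTDBDIR` ends up empty and the script carries on: `chmod 700 ""` errors, the trap registers a harmless `rm -rf ''`, and gpg is invoked with `--trustdb-name /trustdb.gpg`, turning a clear "cannot create temp dir" into an opaque gpg failure later on. Failing fast there is one line: `TRUSTDBDIR="$(mktemp -d)" || { echo "apt-key: cannot create temporary trustdb directory" >&2; exit 1; }`. Two smaller points on the same lines: the `chmod 700` appears redundant since GNU `mktemp -d` already creates the directory mode 0700 (harmless, but worth a comment if it is meant as belt-and-braces for other mktemp implementations), and the directory exists for a moment before the cleanup trap is re-armed, which is the usual mktemp-then-trap window and fine to accept, but a short comment such as `# trap is (re)armed right after creation; a signal in between leaks the dir` would make that deliberate. Also "tempory" in the new comment should read "temporary".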