From 33e4d8b32a0baef91342527cce16cd47bcb1ee60 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 14 Jun 2012 16:18:20 +0200 Subject: add extra paranoia against subkey attacks (and a regression test), LP: #1013128, thanks to jdstrand and mdeslaur and Geori Guinski --- cmdline/apt-key | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index dda3c1b43..6e85b7353 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -50,18 +50,20 @@ add_keys_with_verify_against_master_keyring() { # all keys that are exported must have a valid signature # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - - for add_key in $add_keys; do - # ensure there are no colisions LP: #857472 + # ensure there are no colisions LP: #857472 + for all_add_key in $all_add_keys; do for master_key in $master_keys; do - if [ "$add_key" = "$master_key" ]; then - echo >&2 "Keyid collision for '$add_key' detected, operation aborted" + if [ "$all_add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" return 1 fi done - + done + + for add_key in $add_keys; do # export the add keyring one-by-one rm -f $TMP_KEYRING $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key -- cgit v1.2.3