From 7fbe42c07e7dae58477819d25b1d6b2b53367aa7 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 16 Jan 2008 16:41:06 +0100 Subject: * cmdline/apt-key: - add support for a master-keyring that contains signing keys that can be used to sign the archive signing keys. This should make key-rollover easier. --- cmdline/apt-key | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index c7db9a25a..d716a088f 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -9,9 +9,27 @@ GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-k GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg" +MASTER_KEYRING="" +#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg +add_keys_with_verify_against_master_keyring() { + # when adding new keys, make sure that the archive-master-keyring + # is honored. so: + # all keys that are exported and have the name + # "Ubuntu Archive Automatic Signing Key" must have a valid signature + # from a key in the ubuntu-master-keyring + add_keys=`$GPG_CMD --keyring $ARCHIVE_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + master_keys=`$GPG_CMD --keyring $MASTER_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + for add_key in $add_keys; do + for master_key in $master_keys; do + if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import + fi + done + done +} update() { if [ ! -f $ARCHIVE_KEYRING ]; then @@ -20,10 +38,15 @@ update() { exit 1 fi - # add new keys - $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import + # add new keys, if no MASTER_KEYRING is used, use the traditional + # way + if [ -z "$MASTER_KEYRING" ]; then + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import + else + add_keys_with_verify_against_master_keyring + fi - # remove no-longer used keys + # remove no-longer supported/used keys keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` for key in $keys; do if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then @@ -32,6 +55,7 @@ update() { done } + usage() { echo "Usage: apt-key [command] [arguments]" echo -- cgit v1.2.3 From 8c56b1e0db5b29ccdc47b6f1664b1d0bd899a225 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 16 Jan 2008 16:48:13 +0100 Subject: cmdline/apt-key: refactor the master key checking into a function --- cmdline/apt-key | 40 ++++++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 14 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index d716a088f..048105320 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -15,20 +15,32 @@ ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg add_keys_with_verify_against_master_keyring() { - # when adding new keys, make sure that the archive-master-keyring - # is honored. so: - # all keys that are exported and have the name - # "Ubuntu Archive Automatic Signing Key" must have a valid signature - # from a key in the ubuntu-master-keyring - add_keys=`$GPG_CMD --keyring $ARCHIVE_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` - master_keys=`$GPG_CMD --keyring $MASTER_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` - for add_key in $add_keys; do - for master_key in $master_keys; do - if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then - $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import - fi - done + ADD_KEYRING=$1 + MASTER=$2 + + if [ ! -f "$ADD_KEYRING" ]; then + echo "ERROR: '$ADD_KEYRING' not found" + return + fi + if [ ! -f "$MASTER" ]; then + echo "ERROR: '$MASTER' not found" + return + fi + + # when adding new keys, make sure that the archive-master-keyring + # is honored. so: + # all keys that are exported and have the name + # "Ubuntu Archive Automatic Signing Key" must have a valid signature + # from a key in the ubuntu-master-keyring + add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + for add_key in $add_keys; do + for master_key in $master_keys; do + if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import + fi done + done } update() { @@ -43,7 +55,7 @@ update() { if [ -z "$MASTER_KEYRING" ]; then $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import else - add_keys_with_verify_against_master_keyring + add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING fi # remove no-longer supported/used keys -- cgit v1.2.3 From c9bb37c725104e6108636d2e5d5b2a72dfe74998 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 8 Feb 2008 14:08:55 +0100 Subject: cmdline/apt-key: fix in the trusted key import script --- cmdline/apt-key | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 048105320..c1dbb0d05 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -35,11 +35,16 @@ add_keys_with_verify_against_master_keyring() { add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` for add_key in $add_keys; do + ADDED=0 for master_key in $master_keys; do - if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then + if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import + ADDED=1 fi done + if [ $ADDED = 0 ]; then + echo >&2 "Key '$add_key' not added. It is not signed with a master key" + fi done } -- cgit v1.2.3 From 848ecfa4e757ef635cdddcb86758847067441ce5 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 12 Feb 2008 14:11:48 +0100 Subject: * cmdline/apt-key: - add support for net-update command that verifies all keys against the master key keyring --- cmdline/apt-key | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index c1dbb0d05..5791f33c0 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -10,7 +10,10 @@ GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg" MASTER_KEYRING="" +ARCHIVE_KEYRING_URI="" #MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg +#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg + ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg @@ -48,6 +51,20 @@ add_keys_with_verify_against_master_keyring() { done } +# update the current archive signing keyring from a network URI +# the archive-keyring keys needs to be signed with the master key +# (otherwise it does not make sense from a security POV) +net_update() { + if [ -z "$ARCHIVE_KEYRING_URI" ]; then + echo "ERROR: no location for the archive-keyring given" + fi + if [ ! -d /var/lib/apt/keyrings ]; then + mkdir -p /var/lib/apt/keyrings + fi + (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) + add_keys_with_verify_against_master_keyring /var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) $MASTER_KEYRING +} + update() { if [ ! -f $ARCHIVE_KEYRING ]; then echo >&2 "ERROR: Can't find the archive-keyring" @@ -83,6 +100,7 @@ usage() { echo " apt-key export - output the key " echo " apt-key exportall - output all trusted keys" echo " apt-key update - update keys using the keyring package" + echo " apt-key net-update - update keys using the network" echo " apt-key list - list keys" echo } @@ -112,6 +130,9 @@ case "$command" in update) update ;; + net-update) + net_update + ;; list) $GPG --batch --list-keys ;; -- cgit v1.2.3 From 3916f941154e6b98f69730688efeb8df217ce44a Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 13 Feb 2008 11:15:54 +0100 Subject: cmdline/apt-key: import from the correct keyring (ADD_KEYRING) in add_keys_with_verify_against_master_keyring --- cmdline/apt-key | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 5791f33c0..bbf3a7697 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -41,7 +41,7 @@ add_keys_with_verify_against_master_keyring() { ADDED=0 for master_key in $master_keys; do if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then - $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import + $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import ADDED=1 fi done -- cgit v1.2.3 From 93886541b35bf232e2a03eca01e39ddea2137111 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 13 Feb 2008 15:22:30 +0100 Subject: cmdline/apt-key: make net-update more robust --- cmdline/apt-key | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index bbf3a7697..b65c01f71 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -61,8 +61,19 @@ net_update() { if [ ! -d /var/lib/apt/keyrings ]; then mkdir -p /var/lib/apt/keyrings fi + keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) + old_mtime=0 + if [ -e $keyring ]; then + old_mtime=$(stat -c %Y $keyring) + fi (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) - add_keys_with_verify_against_master_keyring /var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) $MASTER_KEYRING + if [ ! -e $keyring ]; then + return + fi + new_mtime=$(stat -c %Y $keyring) + if [ $new_mtime -ne $old_mtime ]; then + add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING + fi } update() { -- cgit v1.2.3 From 8dd0686e564c5c321b2dd20f8ceaa7c0d72405b1 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 13 Feb 2008 19:50:57 +0100 Subject: cmdline/apt-key: add explaination when importing new keys --- cmdline/apt-key | 1 + 1 file changed, 1 insertion(+) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index b65c01f71..6dd9fd8aa 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -72,6 +72,7 @@ net_update() { fi new_mtime=$(stat -c %Y $keyring) if [ $new_mtime -ne $old_mtime ]; then + echo "Checking for new archive signing keys now" add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING fi } -- cgit v1.2.3 From bd668fbb93a536135f8a001f98a7485158a5075f Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 21 Feb 2008 15:01:42 +0100 Subject: cmdline/apt-get.cc: - fix task installing (thanks to Colin Watson) --- cmdline/apt-get.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 258133c19..11a8b2ef4 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -1506,7 +1506,7 @@ bool TryInstallTask(pkgDepCache &Cache, pkgProblemResolver &Fix, buf[end-start] = 0x0; if (regexec(&Pattern,buf,0,0,0) != 0) continue; - res &= TryToInstall(Pkg,Cache,Fix,Remove,true,ExpectedInst); + res &= TryToInstall(Pkg,Cache,Fix,Remove,false,ExpectedInst); found = true; } -- cgit v1.2.3