From cfacba5230f2e6bb88a1949505843ac22ed342d5 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Mon, 25 Nov 2013 08:36:57 +0100 Subject: add basic "edit-sources" command --- cmdline/apt-get.cc | 19 +------------------ cmdline/apt.cc | 24 ++++++++++++++++++++++++ 2 files changed, 25 insertions(+), 18 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 15373b050..912b2d609 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -59,6 +59,7 @@ #include #include #include +#include #include @@ -1378,24 +1379,6 @@ bool DownloadChangelog(CacheFile &CacheFile, pkgAcquire &Fetcher, return _error->Error("changelog download failed"); } /*}}}*/ -// DisplayFileInPager - Display File with pager /*{{{*/ -void DisplayFileInPager(string filename) -{ - pid_t Process = ExecFork(); - if (Process == 0) - { - const char *Args[3]; - Args[0] = "/usr/bin/sensible-pager"; - Args[1] = filename.c_str(); - Args[2] = 0; - execvp(Args[0],(char **)Args); - exit(100); - } - - // Wait for the subprocess - ExecWait(Process, "sensible-pager", false); -} - /*}}}*/ // DoChangelog - Get changelog from the command line /*{{{*/ // --------------------------------------------------------------------- bool DoChangelog(CommandLine &CmdL) diff --git a/cmdline/apt.cc b/cmdline/apt.cc index e30967ec2..ef31d0029 100644 --- a/cmdline/apt.cc +++ b/cmdline/apt.cc @@ -54,8 +54,28 @@ #include #include #include +#include /*}}}*/ +// EditSource - EditSourcesList /*{{{*/ +// --------------------------------------------------------------------- +bool EditSources(CommandLine &CmdL) +{ + // FIXME: suport CmdL.FileList to specify sources.list.d files + + std::string sourceslist = _config->FindFile("Dir::Etc::sourcelist"); + + // FIXME: take hash before, + // when changed display message to apt update + // do syntax check after save (like visudo) + + EditFileInSensibleEditor(sourceslist); + + return true; +} + /*}}}*/ + + bool ShowHelp(CommandLine &CmdL) { ioprintf(c1out,_("%s %s for %s compiled on %s %s\n"),PACKAGE,PACKAGE_VERSION, @@ -74,6 +94,8 @@ bool ShowHelp(CommandLine &CmdL) " update - update list of available packages\n" " install - install packages\n" " upgrade - upgrade the systems packages\n" + "\n" + " edit-sources - edit the source information file\n" ); return true; @@ -89,6 +111,8 @@ int main(int argc, const char *argv[]) /*{{{*/ {"remove", &DoInstall}, {"update",&DoUpdate}, {"upgrade",&DoUpgradeWithAllowNewPackages}, + // misc + {"edit-sources",&EditSources}, // helper {"moo",&DoMoo}, {"help",&ShowHelp}, -- cgit v1.2.3 From d2524a53bbd219ee6d069006fd243a5bcda0245b Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 26 Nov 2013 09:22:40 +0100 Subject: add syntax check for sources.list --- cmdline/apt.cc | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt.cc b/cmdline/apt.cc index ef31d0029..38610e731 100644 --- a/cmdline/apt.cc +++ b/cmdline/apt.cc @@ -67,9 +67,22 @@ bool EditSources(CommandLine &CmdL) // FIXME: take hash before, // when changed display message to apt update - // do syntax check after save (like visudo) - - EditFileInSensibleEditor(sourceslist); + bool res; + pkgSourceList sl; + + do { + EditFileInSensibleEditor(sourceslist); + _error->PushToStack(); + res = sl.Read(sourceslist); + if (!res) { + std::string outs; + strprintf(outs, _("Failed to parse %s. Edit again? "), + sourceslist.c_str()); + std::cout << outs; + res = !YnPrompt(true); + } + _error->RevertToStack(); + } while (res == false); return true; } -- cgit v1.2.3 From e6645b9fb9ba3a7ff7b6663af3f5e1bcb6f23d78 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 26 Nov 2013 10:32:21 +0100 Subject: add check when sources.list changed --- cmdline/apt.cc | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt.cc b/cmdline/apt.cc index 38610e731..47187fac2 100644 --- a/cmdline/apt.cc +++ b/cmdline/apt.cc @@ -41,6 +41,7 @@ #include #include #include +#include #include @@ -61,21 +62,21 @@ // --------------------------------------------------------------------- bool EditSources(CommandLine &CmdL) { - // FIXME: suport CmdL.FileList to specify sources.list.d files + bool res; + pkgSourceList sl; + std::string outs; + // FIXME: suport CmdL.FileList to specify sources.list.d files std::string sourceslist = _config->FindFile("Dir::Etc::sourcelist"); - // FIXME: take hash before, - // when changed display message to apt update - bool res; - pkgSourceList sl; + HashString before; + before.FromFile(sourceslist); do { EditFileInSensibleEditor(sourceslist); _error->PushToStack(); res = sl.Read(sourceslist); if (!res) { - std::string outs; strprintf(outs, _("Failed to parse %s. Edit again? "), sourceslist.c_str()); std::cout << outs; @@ -84,6 +85,13 @@ bool EditSources(CommandLine &CmdL) _error->RevertToStack(); } while (res == false); + if (!before.VerifyFile(sourceslist)) { + strprintf( + outs, _("Your '%s' file changed, please run 'apt-get update'."), + sourceslist.c_str()); + std::cout << outs << std::endl; + } + return true; } /*}}}*/ -- cgit v1.2.3 From 9e6b13f3751f8a1287ff79861980afb7792a5f9e Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 28 Nov 2013 12:15:47 +0100 Subject: move EditSources into its own file --- cmdline/apt.cc | 38 +------------------------------------- 1 file changed, 1 insertion(+), 37 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt.cc b/cmdline/apt.cc index 47187fac2..4bcae0aba 100644 --- a/cmdline/apt.cc +++ b/cmdline/apt.cc @@ -56,45 +56,9 @@ #include #include #include +#include /*}}}*/ -// EditSource - EditSourcesList /*{{{*/ -// --------------------------------------------------------------------- -bool EditSources(CommandLine &CmdL) -{ - bool res; - pkgSourceList sl; - std::string outs; - - // FIXME: suport CmdL.FileList to specify sources.list.d files - std::string sourceslist = _config->FindFile("Dir::Etc::sourcelist"); - - HashString before; - before.FromFile(sourceslist); - - do { - EditFileInSensibleEditor(sourceslist); - _error->PushToStack(); - res = sl.Read(sourceslist); - if (!res) { - strprintf(outs, _("Failed to parse %s. Edit again? "), - sourceslist.c_str()); - std::cout << outs; - res = !YnPrompt(true); - } - _error->RevertToStack(); - } while (res == false); - - if (!before.VerifyFile(sourceslist)) { - strprintf( - outs, _("Your '%s' file changed, please run 'apt-get update'."), - sourceslist.c_str()); - std::cout << outs << std::endl; - } - - return true; -} - /*}}}*/ bool ShowHelp(CommandLine &CmdL) -- cgit v1.2.3 From f87338d2da95ba7d55a1a67b4506717e94d49bca Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 23:07:20 +0100 Subject: cherry-pick ubuntus (disabled) net-update fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit With the net-update command a special keyring can be downloaded and imported into apt, which must be signed by a master key. Its is currently disabled because of security problems with it – and the only known user before that was Ubuntu. --- cmdline/apt-key | 44 +++++++++++++++++++++++++++++++------------- 1 file changed, 31 insertions(+), 13 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key index 713a41c07..64cf5a6f4 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -25,17 +25,15 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" -MASTER_KEYRING="" -#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg +MASTER_KEYRING='' eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) -ARCHIVE_KEYRING_URI="" -#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg -eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) - -ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg +ARCHIVE_KEYRING='/usr/share/keyrings/debian-archive-keyring.gpg' eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) -REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg +REMOVED_KEYS='/usr/share/keyrings/debian-archive-removed-keys.gpg' eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) +ARCHIVE_KEYRING_URI='' +eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) +TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg requires_root() { if [ "$(id -u)" -ne 0 ]; then @@ -57,7 +55,7 @@ init_keyring() { add_keys_with_verify_against_master_keyring() { ADD_KEYRING=$1 MASTER=$2 - + if [ ! -f "$ADD_KEYRING" ]; then echo "ERROR: '$ADD_KEYRING' not found" return @@ -72,12 +70,28 @@ add_keys_with_verify_against_master_keyring() { # all keys that are exported must have a valid signature # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + + # ensure there are no colisions LP: #857472 + for all_add_key in $all_add_keys; do + for master_key in $master_keys; do + if [ "$all_add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" + return 1 + fi + done + done + for add_key in $add_keys; do - ADDED=0 + # export the add keyring one-by-one + rm -f $TMP_KEYRING + $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key + # check if signed with the master key and only add in this case + ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then - $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import + if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then + $GPG --import $TMP_KEYRING ADDED=1 fi done @@ -85,12 +99,16 @@ add_keys_with_verify_against_master_keyring() { echo >&2 "Key '$add_key' not added. It is not signed with a master key" fi done + rm -f $TMP_KEYRING } # update the current archive signing keyring from a network URI # the archive-keyring keys needs to be signed with the master key # (otherwise it does not make sense from a security POV) net_update() { + # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) + exit 1 + if [ -z "$ARCHIVE_KEYRING_URI" ]; then echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" exit 1 @@ -110,7 +128,7 @@ net_update() { if [ -e $keyring ]; then old_mtime=$(stat -c %Y $keyring) fi - (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) + (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) if [ ! -e $keyring ]; then return fi -- cgit v1.2.3 From 5b2c6ddcc0e45c92c544032ad2bb91bdf7222d7c Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 23:11:43 +0100 Subject: generate apt-key script with vendor info about keys MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The apt-key script uses quiet a few keyring files for operation which are specific to the distribution it is build on and is hence one of the most patched parts – even if it is not that often used anymore now that a fragment directory for trusted.gpg exists. --- cmdline/apt-key | 354 ----------------------------------------------------- cmdline/apt-key.in | 354 +++++++++++++++++++++++++++++++++++++++++++++++++++++ cmdline/makefile | 8 ++ 3 files changed, 362 insertions(+), 354 deletions(-) delete mode 100755 cmdline/apt-key create mode 100644 cmdline/apt-key.in (limited to 'cmdline') diff --git a/cmdline/apt-key b/cmdline/apt-key deleted file mode 100755 index 64cf5a6f4..000000000 --- a/cmdline/apt-key +++ /dev/null @@ -1,354 +0,0 @@ -#!/bin/sh - -set -e -unset GREP_OPTIONS - -GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" - -# gpg needs a trustdb to function, but it can't be invalid (not even empty) -# so we create a temporary directory to store our fresh readable trustdb in -TRUSTDBDIR="$(mktemp -d)" -CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" -trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM -chmod 700 "$TRUSTDBDIR" -# We also don't use a secret keyring, of course, but gpg panics and -# implodes if there isn't one available - and writeable for imports -SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" -touch $SECRETKEYRING -GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" -GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" - -# now create the trustdb with an (empty) dummy keyring -$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING -# and make sure that gpg isn't trying to update the file -GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" - -GPG="$GPG_CMD" - -MASTER_KEYRING='' -eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) -ARCHIVE_KEYRING='/usr/share/keyrings/debian-archive-keyring.gpg' -eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) -REMOVED_KEYS='/usr/share/keyrings/debian-archive-removed-keys.gpg' -eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) -ARCHIVE_KEYRING_URI='' -eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) -TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg - -requires_root() { - if [ "$(id -u)" -ne 0 ]; then - echo >&1 "ERROR: This command can only be used by root." - exit 1 - fi -} - -# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. -init_keyring() { - for path; do - if ! [ -e "$path" ]; then - touch -- "$path" - chmod 0644 -- "$path" - fi - done -} - -add_keys_with_verify_against_master_keyring() { - ADD_KEYRING=$1 - MASTER=$2 - - if [ ! -f "$ADD_KEYRING" ]; then - echo "ERROR: '$ADD_KEYRING' not found" - return - fi - if [ ! -f "$MASTER" ]; then - echo "ERROR: '$MASTER' not found" - return - fi - - # when adding new keys, make sure that the archive-master-keyring - # is honored. so: - # all keys that are exported must have a valid signature - # from a key in the $distro-master-keyring - add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` - all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` - master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` - - # ensure there are no colisions LP: #857472 - for all_add_key in $all_add_keys; do - for master_key in $master_keys; do - if [ "$all_add_key" = "$master_key" ]; then - echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" - return 1 - fi - done - done - - for add_key in $add_keys; do - # export the add keyring one-by-one - rm -f $TMP_KEYRING - $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key - # check if signed with the master key and only add in this case - ADDED=0 - for master_key in $master_keys; do - if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then - $GPG --import $TMP_KEYRING - ADDED=1 - fi - done - if [ $ADDED = 0 ]; then - echo >&2 "Key '$add_key' not added. It is not signed with a master key" - fi - done - rm -f $TMP_KEYRING -} - -# update the current archive signing keyring from a network URI -# the archive-keyring keys needs to be signed with the master key -# (otherwise it does not make sense from a security POV) -net_update() { - # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) - exit 1 - - if [ -z "$ARCHIVE_KEYRING_URI" ]; then - echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" - exit 1 - fi - requires_root - # in theory we would need to depend on wget for this, but this feature - # isn't useable in debian anyway as we have no keyring uri nor a master key - if ! which wget >/dev/null 2>&1; then - echo >&2 "ERROR: an installed wget is required for a network-based update" - exit 1 - fi - if [ ! -d /var/lib/apt/keyrings ]; then - mkdir -p /var/lib/apt/keyrings - fi - keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) - old_mtime=0 - if [ -e $keyring ]; then - old_mtime=$(stat -c %Y $keyring) - fi - (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) - if [ ! -e $keyring ]; then - return - fi - new_mtime=$(stat -c %Y $keyring) - if [ $new_mtime -ne $old_mtime ]; then - echo "Checking for new archive signing keys now" - add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING - fi -} - -update() { - if [ ! -f $ARCHIVE_KEYRING ]; then - echo >&2 "ERROR: Can't find the archive-keyring" - echo >&2 "Is the debian-archive-keyring package installed?" - exit 1 - fi - requires_root - - # add new keys from the package; - - # we do not use add_keys_with_verify_against_master_keyring here, - # because "update" is run on regular package updates. A - # attacker might as well replace the master-archive-keyring file - # in the package and add his own keys. so this check wouldn't - # add any security. we *need* this check on net-update though - $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import - - if [ -r "$REMOVED_KEYS" ]; then - # remove no-longer supported/used keys - keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` - for key in $keys; do - if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then - $GPG --quiet --batch --delete-key --yes ${key} - fi - done - else - echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2 - fi -} - -remove_key_from_keyring() { - local GPG="$GPG_CMD --keyring $1" - # check if the key is in this keyring: the key id is in the 5 column at the end - if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then - return - fi - if [ ! -w "$1" ]; then - echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only." - return - fi - # check if it is the only key in the keyring and if so remove the keyring alltogether - if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then - mv -f "$1" "${1}~" # behave like gpg - return - fi - # we can't just modify pointed to files as these might be in /usr or something - local REALTARGET - if [ -L "$1" ]; then - REALTARGET="$(readlink -f "$1")" - mv -f "$1" "${1}.dpkg-tmp" - cp -a "$REALTARGET" "$1" - ls "$(dirname $1)" - fi - # delete the key from the keyring - $GPG --batch --delete-key --yes "$2" - if [ -n "$REALTARGET" ]; then - # the real backup is the old link, not the copy we made - mv -f "${1}.dpkg-tmp" "${1}~" - fi -} - -remove_key() { - requires_root - - # if a --keyring was given, just remove from there - if [ -n "$FORCED_KEYRING" ]; then - remove_key_from_keyring "$FORCED_KEYRING" "$1" - else - # otherwise all known keyrings are up for inspection - local TRUSTEDFILE="/etc/apt/trusted.gpg" - eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) - eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) - remove_key_from_keyring "$TRUSTEDFILE" "$1" - TRUSTEDPARTS="/etc/apt/trusted.gpg.d" - eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) - if [ -d "$TRUSTEDPARTS" ]; then - for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do - remove_key_from_keyring "$trusted" "$1" - done - fi - fi - echo "OK" -} - - -usage() { - echo "Usage: apt-key [--keyring file] [command] [arguments]" - echo - echo "Manage apt's list of trusted keys" - echo - echo " apt-key add - add the key contained in ('-' for stdin)" - echo " apt-key del - remove the key " - echo " apt-key export - output the key " - echo " apt-key exportall - output all trusted keys" - echo " apt-key update - update keys using the keyring package" - echo " apt-key net-update - update keys using the network" - echo " apt-key list - list keys" - echo " apt-key finger - list fingerprints" - echo " apt-key adv - pass advanced options to gpg (download key)" - echo - echo "If no specific keyring file is given the command applies to all keyring files." -} - -while [ -n "$1" ]; do - case "$1" in - --keyring) - shift - TRUSTEDFILE="$1" - FORCED_KEYRING="$1" - if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then - GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" - else - echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" - exit 1 - fi - shift - ;; - --fakeroot) - requires_root() { true; } - shift - ;; - --*) - echo >&2 "Unknown option: $1" - usage - exit 1;; - *) - break;; - esac -done - -if [ -z "$TRUSTEDFILE" ]; then - TRUSTEDFILE="/etc/apt/trusted.gpg" - eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) - eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) - if [ -r "$TRUSTEDFILE" ]; then - GPG="$GPG --keyring $TRUSTEDFILE" - fi - GPG="$GPG --primary-keyring $TRUSTEDFILE" - TRUSTEDPARTS="/etc/apt/trusted.gpg.d" - eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) - if [ -d "$TRUSTEDPARTS" ]; then - # strip / suffix as gpg will double-slash in that case (#665411) - STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" - if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then - TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" - fi - for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do - GPG="$GPG --keyring $trusted" - done - fi -fi - -command="$1" -if [ -z "$command" ]; then - usage - exit 1 -fi -shift - -if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then - echo >&2 "Warning: gnupg does not seem to be installed." - echo >&2 "Warning: apt-key requires gnupg for most operations." - echo >&2 -fi - -case "$command" in - add) - requires_root - init_keyring "$TRUSTEDFILE" - $GPG --quiet --batch --import "$1" - echo "OK" - ;; - del|rm|remove) - init_keyring "$TRUSTEDFILE" - remove_key "$1" - ;; - update) - init_keyring "$TRUSTEDFILE" - update - ;; - net-update) - init_keyring "$TRUSTEDFILE" - net_update - ;; - list) - init_keyring "$TRUSTEDFILE" - $GPG --batch --list-keys - ;; - finger*) - init_keyring "$TRUSTEDFILE" - $GPG --batch --fingerprint - ;; - export) - init_keyring "$TRUSTEDFILE" - $GPG --armor --export "$1" - ;; - exportall) - init_keyring "$TRUSTEDFILE" - $GPG --armor --export - ;; - adv*) - init_keyring "$TRUSTEDFILE" - echo "Executing: $GPG $*" - $GPG $* - ;; - help) - usage - ;; - *) - usage - exit 1 - ;; -esac diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in new file mode 100644 index 000000000..779872b4c --- /dev/null +++ b/cmdline/apt-key.in @@ -0,0 +1,354 @@ +#!/bin/sh + +set -e +unset GREP_OPTIONS + +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" + +# gpg needs a trustdb to function, but it can't be invalid (not even empty) +# so we create a temporary directory to store our fresh readable trustdb in +TRUSTDBDIR="$(mktemp -d)" +CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" +trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM +chmod 700 "$TRUSTDBDIR" +# We also don't use a secret keyring, of course, but gpg panics and +# implodes if there isn't one available - and writeable for imports +SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" +touch $SECRETKEYRING +GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" +GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" + +# now create the trustdb with an (empty) dummy keyring +$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING +# and make sure that gpg isn't trying to update the file +GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" + +GPG="$GPG_CMD" + +MASTER_KEYRING='&keyring-master-filename;' +eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) +ARCHIVE_KEYRING='&keyring-filename;' +eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) +REMOVED_KEYS='&keyring-removed-filename;' +eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) +ARCHIVE_KEYRING_URI='&keyring-uri;' +eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) +TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg + +requires_root() { + if [ "$(id -u)" -ne 0 ]; then + echo >&1 "ERROR: This command can only be used by root." + exit 1 + fi +} + +# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. +init_keyring() { + for path; do + if ! [ -e "$path" ]; then + touch -- "$path" + chmod 0644 -- "$path" + fi + done +} + +add_keys_with_verify_against_master_keyring() { + ADD_KEYRING=$1 + MASTER=$2 + + if [ ! -f "$ADD_KEYRING" ]; then + echo "ERROR: '$ADD_KEYRING' not found" + return + fi + if [ ! -f "$MASTER" ]; then + echo "ERROR: '$MASTER' not found" + return + fi + + # when adding new keys, make sure that the archive-master-keyring + # is honored. so: + # all keys that are exported must have a valid signature + # from a key in the $distro-master-keyring + add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` + master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + + # ensure there are no colisions LP: #857472 + for all_add_key in $all_add_keys; do + for master_key in $master_keys; do + if [ "$all_add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" + return 1 + fi + done + done + + for add_key in $add_keys; do + # export the add keyring one-by-one + rm -f $TMP_KEYRING + $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key + # check if signed with the master key and only add in this case + ADDED=0 + for master_key in $master_keys; do + if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then + $GPG --import $TMP_KEYRING + ADDED=1 + fi + done + if [ $ADDED = 0 ]; then + echo >&2 "Key '$add_key' not added. It is not signed with a master key" + fi + done + rm -f $TMP_KEYRING +} + +# update the current archive signing keyring from a network URI +# the archive-keyring keys needs to be signed with the master key +# (otherwise it does not make sense from a security POV) +net_update() { + # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) + exit 1 + + if [ -z "$ARCHIVE_KEYRING_URI" ]; then + echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" + exit 1 + fi + requires_root + # in theory we would need to depend on wget for this, but this feature + # isn't useable in debian anyway as we have no keyring uri nor a master key + if ! which wget >/dev/null 2>&1; then + echo >&2 "ERROR: an installed wget is required for a network-based update" + exit 1 + fi + if [ ! -d /var/lib/apt/keyrings ]; then + mkdir -p /var/lib/apt/keyrings + fi + keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) + old_mtime=0 + if [ -e $keyring ]; then + old_mtime=$(stat -c %Y $keyring) + fi + (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) + if [ ! -e $keyring ]; then + return + fi + new_mtime=$(stat -c %Y $keyring) + if [ $new_mtime -ne $old_mtime ]; then + echo "Checking for new archive signing keys now" + add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING + fi +} + +update() { + if [ ! -f $ARCHIVE_KEYRING ]; then + echo >&2 "ERROR: Can't find the archive-keyring" + echo >&2 "Is the &keyring-package; package installed?" + exit 1 + fi + requires_root + + # add new keys from the package; + + # we do not use add_keys_with_verify_against_master_keyring here, + # because "update" is run on regular package updates. A + # attacker might as well replace the master-archive-keyring file + # in the package and add his own keys. so this check wouldn't + # add any security. we *need* this check on net-update though + $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import + + if [ -r "$REMOVED_KEYS" ]; then + # remove no-longer supported/used keys + keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5` + for key in $keys; do + if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then + $GPG --quiet --batch --delete-key --yes ${key} + fi + done + else + echo "Warning: removed keys keyring $REMOVED_KEYS missing or not readable" >&2 + fi +} + +remove_key_from_keyring() { + local GPG="$GPG_CMD --keyring $1" + # check if the key is in this keyring: the key id is in the 5 column at the end + if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then + return + fi + if [ ! -w "$1" ]; then + echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only." + return + fi + # check if it is the only key in the keyring and if so remove the keyring alltogether + if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then + mv -f "$1" "${1}~" # behave like gpg + return + fi + # we can't just modify pointed to files as these might be in /usr or something + local REALTARGET + if [ -L "$1" ]; then + REALTARGET="$(readlink -f "$1")" + mv -f "$1" "${1}.dpkg-tmp" + cp -a "$REALTARGET" "$1" + ls "$(dirname $1)" + fi + # delete the key from the keyring + $GPG --batch --delete-key --yes "$2" + if [ -n "$REALTARGET" ]; then + # the real backup is the old link, not the copy we made + mv -f "${1}.dpkg-tmp" "${1}~" + fi +} + +remove_key() { + requires_root + + # if a --keyring was given, just remove from there + if [ -n "$FORCED_KEYRING" ]; then + remove_key_from_keyring "$FORCED_KEYRING" "$1" + else + # otherwise all known keyrings are up for inspection + local TRUSTEDFILE="/etc/apt/trusted.gpg" + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + remove_key_from_keyring "$TRUSTEDFILE" "$1" + TRUSTEDPARTS="/etc/apt/trusted.gpg.d" + eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) + if [ -d "$TRUSTEDPARTS" ]; then + for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do + remove_key_from_keyring "$trusted" "$1" + done + fi + fi + echo "OK" +} + + +usage() { + echo "Usage: apt-key [--keyring file] [command] [arguments]" + echo + echo "Manage apt's list of trusted keys" + echo + echo " apt-key add - add the key contained in ('-' for stdin)" + echo " apt-key del - remove the key " + echo " apt-key export - output the key " + echo " apt-key exportall - output all trusted keys" + echo " apt-key update - update keys using the keyring package" + echo " apt-key net-update - update keys using the network" + echo " apt-key list - list keys" + echo " apt-key finger - list fingerprints" + echo " apt-key adv - pass advanced options to gpg (download key)" + echo + echo "If no specific keyring file is given the command applies to all keyring files." +} + +while [ -n "$1" ]; do + case "$1" in + --keyring) + shift + TRUSTEDFILE="$1" + FORCED_KEYRING="$1" + if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then + GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" + else + echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" + exit 1 + fi + shift + ;; + --fakeroot) + requires_root() { true; } + shift + ;; + --*) + echo >&2 "Unknown option: $1" + usage + exit 1;; + *) + break;; + esac +done + +if [ -z "$TRUSTEDFILE" ]; then + TRUSTEDFILE="/etc/apt/trusted.gpg" + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + if [ -r "$TRUSTEDFILE" ]; then + GPG="$GPG --keyring $TRUSTEDFILE" + fi + GPG="$GPG --primary-keyring $TRUSTEDFILE" + TRUSTEDPARTS="/etc/apt/trusted.gpg.d" + eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) + if [ -d "$TRUSTEDPARTS" ]; then + # strip / suffix as gpg will double-slash in that case (#665411) + STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" + if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then + TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" + fi + for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do + GPG="$GPG --keyring $trusted" + done + fi +fi + +command="$1" +if [ -z "$command" ]; then + usage + exit 1 +fi +shift + +if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then + echo >&2 "Warning: gnupg does not seem to be installed." + echo >&2 "Warning: apt-key requires gnupg for most operations." + echo >&2 +fi + +case "$command" in + add) + requires_root + init_keyring "$TRUSTEDFILE" + $GPG --quiet --batch --import "$1" + echo "OK" + ;; + del|rm|remove) + init_keyring "$TRUSTEDFILE" + remove_key "$1" + ;; + update) + init_keyring "$TRUSTEDFILE" + update + ;; + net-update) + init_keyring "$TRUSTEDFILE" + net_update + ;; + list) + init_keyring "$TRUSTEDFILE" + $GPG --batch --list-keys + ;; + finger*) + init_keyring "$TRUSTEDFILE" + $GPG --batch --fingerprint + ;; + export) + init_keyring "$TRUSTEDFILE" + $GPG --armor --export "$1" + ;; + exportall) + init_keyring "$TRUSTEDFILE" + $GPG --armor --export + ;; + adv*) + init_keyring "$TRUSTEDFILE" + echo "Executing: $GPG $*" + $GPG $* + ;; + help) + usage + ;; + *) + usage + exit 1 + ;; +esac diff --git a/cmdline/makefile b/cmdline/makefile index e77ad5669..06f170b6a 100644 --- a/cmdline/makefile +++ b/cmdline/makefile @@ -41,6 +41,14 @@ SOURCE = apt-cdrom.cc include $(PROGRAM_H) # The apt-key program +apt-key: apt-key.in + sed -e "s#&keyring-filename;#$(shell ../vendor/getinfo keyring-filename)#" \ + -e "s#&keyring-removed-filename;#$(shell ../vendor/getinfo keyring-removed-filename)#" \ + -e "s#&keyring-master-filename;#$(shell ../vendor/getinfo keyring-master-filename)#" \ + -e "s#&keyring-uri;#$(shell ../vendor/getinfo keyring-uri)#" \ + -e "s#&keyring-package;#$(shell ../vendor/getinfo keyring-package)#" $< > $@ + chmod 755 $@ + SOURCE=apt-key TO=$(BIN) TARGET=program -- cgit v1.2.3 From 7014e1482942d00b66eb30061b0cf5d2a7b3ebf3 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 5 Dec 2013 08:11:11 +0100 Subject: * enable release based selection for deb-src (closes: 731102) --- cmdline/apt-get.cc | 122 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 97 insertions(+), 25 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 912b2d609..7e59f3d67 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -50,6 +50,8 @@ #include #include #include +#include +#include #include #include @@ -61,6 +63,8 @@ #include #include +#include + #include #include @@ -130,22 +134,80 @@ bool TryToInstallBuildDep(pkgCache::PkgIterator Pkg,pkgCacheFile &Cache, return true; } /*}}}*/ + + +// helper that can go wit hthe next ABI break +#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR < 13) +std::string MetaIndexFileNameOnDisk(metaIndex *metaindex) +{ + // FIXME: this cast is the horror, the horror + debReleaseIndex *r = (debReleaseIndex*)metaindex; + + // see if we have a InRelease file + std::string PathInRelease = r->MetaIndexFile("InRelease"); + if (FileExists(PathInRelease)) + return PathInRelease; + + // and if not return the normal one + if (FileExists(PathInRelease)) + return r->MetaIndexFile("Release"); + + return ""; +} +#endif + +// GetReleaseForSourceRecord - Return Suite for the given srcrecord /*{{{*/ +// --------------------------------------------------------------------- +/* */ +std::string GetReleaseForSourceRecord(pkgSourceList *SrcList, + pkgSrcRecords::Parser *Parse) +{ + // try to find release + const pkgIndexFile& CurrentIndexFile = Parse->Index(); + + for (pkgSourceList::const_iterator S = SrcList->begin(); + S != SrcList->end(); ++S) + { + vector *Indexes = (*S)->GetIndexFiles(); + for (vector::const_iterator IF = Indexes->begin(); + IF != Indexes->end(); ++IF) + { + if (&CurrentIndexFile == (*IF)) + { +#if (APT_PKG_MAJOR >= 4 && APT_PKG_MINOR < 13) + std::string path = MetaIndexFileNameOnDisk(*S); +#else + std::string path = (*S)->LocalFileName(); +#endif + if (path != "") + { + indexRecords records; + records.Load(path); + return records.GetSuite(); + } + } + } + } + return ""; +} + /*}}}*/ // FindSrc - Find a source record /*{{{*/ // --------------------------------------------------------------------- /* */ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, pkgSrcRecords &SrcRecs,string &Src, - pkgDepCache &Cache) + CacheFile &CacheFile) { string VerTag; - string DefRel = _config->Find("APT::Default-Release"); + string RelTag = _config->Find("APT::Default-Release"); string TmpSrc = Name; + pkgDepCache *Cache = CacheFile.GetDepCache(); // extract the version/release from the pkgname const size_t found = TmpSrc.find_last_of("/="); if (found != string::npos) { if (TmpSrc[found] == '/') - DefRel = TmpSrc.substr(found+1); + RelTag = TmpSrc.substr(found+1); else VerTag = TmpSrc.substr(found+1); TmpSrc = TmpSrc.substr(0,found); @@ -155,10 +217,10 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, install a version and determine the source package name, then look in the archive for a source package of the same name. */ bool MatchSrcOnly = _config->FindB("APT::Get::Only-Source"); - const pkgCache::PkgIterator Pkg = Cache.FindPkg(TmpSrc); + const pkgCache::PkgIterator Pkg = Cache->FindPkg(TmpSrc); if (MatchSrcOnly == false && Pkg.end() == false) { - if(VerTag.empty() == false || DefRel.empty() == false) + if(VerTag.empty() == false || RelTag.empty() == false) { bool fuzzy = false; // we have a default release, try to locate the pkg. we do it like @@ -180,7 +242,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, } // We match against a concrete version (or a part of this version) if (VerTag.empty() == false && - (fuzzy == true || Cache.VS().CmpVersion(VerTag, Ver.VerStr()) != 0) && // exact match + (fuzzy == true || Cache->VS().CmpVersion(VerTag, Ver.VerStr()) != 0) && // exact match (fuzzy == false || strncmp(VerTag.c_str(), Ver.VerStr(), VerTag.size()) != 0)) // fuzzy match continue; @@ -198,8 +260,8 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, // or we match against a release if(VerTag.empty() == false || - (VF.File().Archive() != 0 && VF.File().Archive() == DefRel) || - (VF.File().Codename() != 0 && VF.File().Codename() == DefRel)) + (VF.File().Archive() != 0 && VF.File().Archive() == RelTag) || + (VF.File().Codename() != 0 && VF.File().Codename() == RelTag)) { pkgRecords::Parser &Parse = Recs.Lookup(VF); Src = Parse.SourcePkg(); @@ -217,22 +279,14 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (Src.empty() == false) break; } - if (Src.empty() == true) - { - // Sources files have no codename information - if (VerTag.empty() == true && DefRel.empty() == false) - { - _error->Error(_("Ignore unavailable target release '%s' of package '%s'"), DefRel.c_str(), TmpSrc.c_str()); - return 0; - } - } } if (Src.empty() == true) { // if we don't have found a fitting package yet so we will // choose a good candidate and proceed with that. // Maybe we will find a source later on with the right VerTag - pkgCache::VerIterator Ver = Cache.GetCandidateVer(Pkg); + // or RelTag + pkgCache::VerIterator Ver = Cache->GetCandidateVer(Pkg); if (Ver.end() == false) { pkgRecords::Parser &Parse = Recs.Lookup(Ver.FileList()); @@ -244,7 +298,9 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, } if (Src.empty() == true) + { Src = TmpSrc; + } else { /* if we have a source pkg name, make sure to only search @@ -262,6 +318,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, pkgSrcRecords::Parser *Last = 0; unsigned long Offset = 0; string Version; + pkgSourceList *SrcList = CacheFile.GetSourceList(); /* Iterate over all of the hits, which includes the resulting binary packages in the search */ @@ -273,25 +330,40 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, { const string Ver = Parse->Version(); + // See if we need to look for a specific release tag + if (RelTag != "") + { + const string Rel = GetReleaseForSourceRecord(SrcList, Parse); + + if (Rel == RelTag) + { + ioprintf(c1out, "Selectied version '%s' (%s) for %s\n", + Ver.c_str(), RelTag.c_str(), Src.c_str()); + Last = Parse; + Offset = Parse->Offset(); + break; + } + } + // Ignore all versions which doesn't fit if (VerTag.empty() == false && - Cache.VS().CmpVersion(VerTag, Ver) != 0) // exact match + Cache->VS().CmpVersion(VerTag, Ver) != 0) // exact match continue; // Newer version or an exact match? Save the hit - if (Last == 0 || Cache.VS().CmpVersion(Version,Ver) < 0) { + if (Last == 0 || Cache->VS().CmpVersion(Version,Ver) < 0) { Last = Parse; Offset = Parse->Offset(); Version = Ver; } - // was the version check above an exact match? If so, we don't need to look further - if (VerTag.empty() == false && VerTag.size() == Ver.size()) + // was the version check above an exact match? + // If so, we don't need to look further + if (VerTag.empty() == false && (VerTag == Ver)) break; } if (Last != 0 || VerTag.empty() == true) break; - //if (VerTag.empty() == false && Last == 0) _error->Error(_("Ignore unavailable version '%s' of package '%s'"), VerTag.c_str(), TmpSrc.c_str()); return 0; } @@ -628,7 +700,7 @@ bool DoSource(CommandLine &CmdL) for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++) { string Src; - pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,*Cache); + pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,Cache); if (Last == 0) { delete[] Dsc; @@ -925,7 +997,7 @@ bool DoBuildDep(CommandLine &CmdL) for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++) { string Src; - pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,*Cache); + pkgSrcRecords::Parser *Last = FindSrc(*I,Recs,SrcRecs,Src,Cache); if (Last == 0) return _error->Error(_("Unable to find a source package for %s"),Src.c_str()); -- cgit v1.2.3 From 651ae5ce5f376ae5274933c621a3b897ac5152a6 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 10 Dec 2013 16:35:44 +0100 Subject: if there is only deb-src pick higest version in deb-src release matching --- cmdline/apt-get.cc | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 7e59f3d67..3853f94c2 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -337,11 +337,9 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (Rel == RelTag) { - ioprintf(c1out, "Selectied version '%s' (%s) for %s\n", - Ver.c_str(), RelTag.c_str(), Src.c_str()); Last = Parse; Offset = Parse->Offset(); - break; + Version = Ver; } } @@ -362,6 +360,10 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (VerTag.empty() == false && (VerTag == Ver)) break; } + if (Version != "" && RelTag != "") + ioprintf(c1out, "Selectied version '%s' (%s) for %s\n", + Version.c_str(), RelTag.c_str(), Src.c_str()); + if (Last != 0 || VerTag.empty() == true) break; _error->Error(_("Ignore unavailable version '%s' of package '%s'"), VerTag.c_str(), TmpSrc.c_str()); -- cgit v1.2.3 From bfa7bfc8e426f662ee5a5d0fcba3daeea23fe2ae Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 10 Dec 2013 17:02:30 +0100 Subject: fix typo --- cmdline/apt-get.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 3853f94c2..da04561c0 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -361,7 +361,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, break; } if (Version != "" && RelTag != "") - ioprintf(c1out, "Selectied version '%s' (%s) for %s\n", + ioprintf(c1out, "Selected version '%s' (%s) for %s\n", Version.c_str(), RelTag.c_str(), Src.c_str()); if (Last != 0 || VerTag.empty() == true) -- cgit v1.2.3 From 65dcff55dc5c9b47230d340a70c5067921eec4bf Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 10 Dec 2013 17:09:56 +0100 Subject: user-requested version tag gets precedence in apt-get source -t dist pkg=version requests --- cmdline/apt-get.cc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index da04561c0..581466326 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -198,7 +198,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, pkgSrcRecords &SrcRecs,string &Src, CacheFile &CacheFile) { - string VerTag; + string VerTag, UserRequestedVerTag; string RelTag = _config->Find("APT::Default-Release"); string TmpSrc = Name; pkgDepCache *Cache = CacheFile.GetDepCache(); @@ -209,7 +209,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (TmpSrc[found] == '/') RelTag = TmpSrc.substr(found+1); else - VerTag = TmpSrc.substr(found+1); + VerTag = UserRequestedVerTag = TmpSrc.substr(found+1); TmpSrc = TmpSrc.substr(0,found); } @@ -331,7 +331,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, const string Ver = Parse->Version(); // See if we need to look for a specific release tag - if (RelTag != "") + if (RelTag != "" && UserRequestedVerTag == "") { const string Rel = GetReleaseForSourceRecord(SrcList, Parse); @@ -360,7 +360,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (VerTag.empty() == false && (VerTag == Ver)) break; } - if (Version != "" && RelTag != "") + if (UserRequestedVerTag == "" && Version != "" && RelTag != "") ioprintf(c1out, "Selected version '%s' (%s) for %s\n", Version.c_str(), RelTag.c_str(), Src.c_str()); -- cgit v1.2.3 From adf379e7ad1900db6d3942ac7dca5cec4737d9a1 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 11 Dec 2013 08:21:04 +0100 Subject: add support for "apt-get source pkg:arch" --- cmdline/apt-get.cc | 60 +++++++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 50 insertions(+), 10 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 581466326..9cc5b4031 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -198,18 +198,31 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, pkgSrcRecords &SrcRecs,string &Src, CacheFile &CacheFile) { - string VerTag, UserRequestedVerTag; + string VerTag, UserRequestedVerTag; + string ArchTag = ""; string RelTag = _config->Find("APT::Default-Release"); string TmpSrc = Name; pkgDepCache *Cache = CacheFile.GetDepCache(); - // extract the version/release from the pkgname - const size_t found = TmpSrc.find_last_of("/="); - if (found != string::npos) { - if (TmpSrc[found] == '/') - RelTag = TmpSrc.substr(found+1); - else - VerTag = UserRequestedVerTag = TmpSrc.substr(found+1); + // extract release + size_t found = TmpSrc.find_last_of("/"); + if (found != string::npos) + { + RelTag = TmpSrc.substr(found+1); + TmpSrc = TmpSrc.substr(0,found); + } + // extract the version + found = TmpSrc.find_last_of("="); + if (found != string::npos) + { + VerTag = UserRequestedVerTag = TmpSrc.substr(found+1); + TmpSrc = TmpSrc.substr(0,found); + } + // extract arch + found = TmpSrc.find_last_of(":"); + if (found != string::npos) + { + ArchTag = TmpSrc.substr(found+1); TmpSrc = TmpSrc.substr(0,found); } @@ -217,10 +230,25 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, install a version and determine the source package name, then look in the archive for a source package of the same name. */ bool MatchSrcOnly = _config->FindB("APT::Get::Only-Source"); - const pkgCache::PkgIterator Pkg = Cache->FindPkg(TmpSrc); + pkgCache::PkgIterator Pkg; + if (ArchTag != "") + Pkg = Cache->FindPkg(TmpSrc, ArchTag); + else + Pkg = Cache->FindPkg(TmpSrc); + + // if we can't find a package but the user qualified with a arch, + // error out here + if (Pkg.end() && ArchTag != "") + { + Src = Name; + _error->Error(_("Can not find a package for architecture '%s'"), + ArchTag.c_str()); + return 0; + } + if (MatchSrcOnly == false && Pkg.end() == false) { - if(VerTag.empty() == false || RelTag.empty() == false) + if(VerTag != "" || RelTag != "" || ArchTag != "") { bool fuzzy = false; // we have a default release, try to locate the pkg. we do it like @@ -240,6 +268,17 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (Ver.end() == true) break; } + + // pick highest version for the arch unless the user wants + // something else + if (ArchTag != "" && VerTag == "" && RelTag == "") + { + if(Ver.Arch() != ArchTag) + continue; + if(Cache->VS().CmpVersion(VerTag, Ver.VerStr()) < 0) + VerTag = Ver.VerStr(); + } + // We match against a concrete version (or a part of this version) if (VerTag.empty() == false && (fuzzy == true || Cache->VS().CmpVersion(VerTag, Ver.VerStr()) != 0) && // exact match @@ -280,6 +319,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, break; } } + if (Src.empty() == true) { // if we don't have found a fitting package yet so we will -- cgit v1.2.3 From 37f45a579d4344c3ef6a044b12b992353e238301 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 11 Dec 2013 09:21:26 +0100 Subject: improve error message for apt-get source pkg:arch{=ver,/release} --- cmdline/apt-get.cc | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 9cc5b4031..c2b59a83c 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -269,15 +269,15 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, break; } + // ignore arches that are not for us + if (ArchTag != "" && Ver.Arch() != ArchTag) + continue; + // pick highest version for the arch unless the user wants // something else if (ArchTag != "" && VerTag == "" && RelTag == "") - { - if(Ver.Arch() != ArchTag) - continue; if(Cache->VS().CmpVersion(VerTag, Ver.VerStr()) < 0) VerTag = Ver.VerStr(); - } // We match against a concrete version (or a part of this version) if (VerTag.empty() == false && @@ -320,6 +320,16 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, } } + if (Src == "" && ArchTag != "") + { + _error->Error(_("Can not find a package '%s' with version '%s' and " + "release '%s'"), Pkg.FullName().c_str(), + VerTag.c_str(), RelTag.c_str()); + Src = Name; + return 0; + } + + if (Src.empty() == true) { // if we don't have found a fitting package yet so we will -- cgit v1.2.3 From c9829e0744ca678e105aa0af26b87588023d7536 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Wed, 11 Dec 2013 14:03:53 +0100 Subject: improve error message --- cmdline/apt-get.cc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index c2b59a83c..0b980cdf4 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -322,9 +322,12 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (Src == "" && ArchTag != "") { - _error->Error(_("Can not find a package '%s' with version '%s' and " - "release '%s'"), Pkg.FullName().c_str(), - VerTag.c_str(), RelTag.c_str()); + if (VerTag != "") + _error->Error(_("Can not find a package '%s' with version '%s'"), + Pkg.FullName().c_str(), VerTag.c_str()); + if (RelTag != "") + _error->Error(_("Can not find a package '%s' with release '%s'"), + Pkg.FullName().c_str(), RelTag.c_str()); Src = Name; return 0; } -- cgit v1.2.3 From 017d3f3b4b0da976b1d2ecfcd26251369c5aec88 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 12 Dec 2013 07:41:17 +0100 Subject: clarify error message when apt-get source=ver fails, print a real error message instead of "ignoring" --- cmdline/apt-get.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index c2b59a83c..6973901dc 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -416,7 +416,7 @@ pkgSrcRecords::Parser *FindSrc(const char *Name,pkgRecords &Recs, if (Last != 0 || VerTag.empty() == true) break; - _error->Error(_("Ignore unavailable version '%s' of package '%s'"), VerTag.c_str(), TmpSrc.c_str()); + _error->Error(_("Can not find version '%s' of package '%s'"), VerTag.c_str(), TmpSrc.c_str()); return 0; } -- cgit v1.2.3 From 5acf154d810a0225cc7d14637d101205e43ceba8 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Fri, 13 Dec 2013 14:37:14 +0100 Subject: make apt-key net-update actually testable --- cmdline/apt-key.in | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index 779872b4c..c7d3ce8b5 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -25,6 +25,9 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" +APT_DIR="/" +eval $(apt-config shell APT_DIR Dir) + MASTER_KEYRING='&keyring-master-filename;' eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) ARCHIVE_KEYRING='&keyring-filename;' @@ -33,7 +36,7 @@ REMOVED_KEYS='&keyring-removed-filename;' eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) ARCHIVE_KEYRING_URI='&keyring-uri;' eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) -TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg +TMP_KEYRING=${APT_DIR}/var/lib/apt/keyrings/maybe-import-keyring.gpg requires_root() { if [ "$(id -u)" -ne 0 ]; then @@ -107,7 +110,11 @@ add_keys_with_verify_against_master_keyring() { # (otherwise it does not make sense from a security POV) net_update() { # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) - exit 1 + APT_KEY_NET_UPDATE_ENABLED="" + eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled) + if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then + exit 1 + fi if [ -z "$ARCHIVE_KEYRING_URI" ]; then echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" @@ -120,15 +127,15 @@ net_update() { echo >&2 "ERROR: an installed wget is required for a network-based update" exit 1 fi - if [ ! -d /var/lib/apt/keyrings ]; then - mkdir -p /var/lib/apt/keyrings + if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then + mkdir -p ${APT_DIR}/var/lib/apt/keyrings fi - keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) + keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) old_mtime=0 if [ -e $keyring ]; then old_mtime=$(stat -c %Y $keyring) fi - (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) + (cd ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) if [ ! -e $keyring ]; then return fi -- cgit v1.2.3 From e5543ea5a236426dd33e74e427e8485a030a2540 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Thu, 19 Dec 2013 16:43:50 +0100 Subject: fix apt-key net-update test to use the buildin webserver --- cmdline/apt-key.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'cmdline') diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index c7d3ce8b5..463e4b4b4 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -130,7 +130,7 @@ net_update() { if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then mkdir -p ${APT_DIR}/var/lib/apt/keyrings fi - keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) + keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING_URI) old_mtime=0 if [ -e $keyring ]; then old_mtime=$(stat -c %Y $keyring) -- cgit v1.2.3 From 68e0172140872d8044b3c768a6bea3ac58d426c4 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Sun, 22 Dec 2013 22:15:52 +0100 Subject: factor GetTempDir out --- cmdline/apt-extracttemplates.cc | 11 +++-------- cmdline/apt-get.cc | 10 ++++------ 2 files changed, 7 insertions(+), 14 deletions(-) (limited to 'cmdline') diff --git a/cmdline/apt-extracttemplates.cc b/cmdline/apt-extracttemplates.cc index 8fe15fdf9..8e1937113 100644 --- a/cmdline/apt-extracttemplates.cc +++ b/cmdline/apt-extracttemplates.cc @@ -47,8 +47,6 @@ using namespace std; -#define TMPDIR "/tmp" - pkgCache *DebFile::Cache = 0; // DebFile::DebFile - Construct the DebFile object /*{{{*/ @@ -253,14 +251,11 @@ string WriteFile(const char *package, const char *prefix, const char *data) { char fn[512]; static int i; - const char *tempdir = NULL; - - tempdir = getenv("TMPDIR"); - if (tempdir == NULL) - tempdir = TMPDIR; + std::string tempdir = GetTempDir(); snprintf(fn, sizeof(fn), "%s/%s.%s.%u%d", - _config->Find("APT::ExtractTemplates::TempDir", tempdir).c_str(), + _config->Find("APT::ExtractTemplates::TempDir", + tempdir.c_str()).c_str(), package, prefix, getpid(), i++); FileFd f; if (data == NULL) diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc index 730d3ea18..8a0772ce2 100644 --- a/cmdline/apt-get.cc +++ b/cmdline/apt-get.cc @@ -1536,14 +1536,12 @@ bool DoChangelog(CommandLine &CmdL) bool const downOnly = _config->FindB("APT::Get::Download-Only", false); char tmpname[100]; - char* tmpdir = NULL; + const char* tmpdir = NULL; if (downOnly == false) { - const char* const tmpDir = getenv("TMPDIR"); - if (tmpDir != NULL && *tmpDir != '\0') - snprintf(tmpname, sizeof(tmpname), "%s/apt-changelog-XXXXXX", tmpDir); - else - strncpy(tmpname, "/tmp/apt-changelog-XXXXXX", sizeof(tmpname)); + std::string systemTemp = GetTempDir(); + snprintf(tmpname, sizeof(tmpname), "%s/apt-changelog-XXXXXX", + systemTemp.c_str()); tmpdir = mkdtemp(tmpname); if (tmpdir == NULL) return _error->Errno("mkdtemp", "mkdtemp failed"); -- cgit v1.2.3