blob: d716a088f81fd317a75fd6fb4fe27594e2d348f0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
#!/bin/sh
set -e
# We don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available
GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg"
GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
MASTER_KEYRING=""
#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
add_keys_with_verify_against_master_keyring() {
# when adding new keys, make sure that the archive-master-keyring
# is honored. so:
# all keys that are exported and have the name
# "Ubuntu Archive Automatic Signing Key" must have a valid signature
# from a key in the ubuntu-master-keyring
add_keys=`$GPG_CMD --keyring $ARCHIVE_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
master_keys=`$GPG_CMD --keyring $MASTER_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
for add_key in $add_keys; do
for master_key in $master_keys; do
if $GPG --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import
fi
done
done
}
update() {
if [ ! -f $ARCHIVE_KEYRING ]; then
echo >&2 "ERROR: Can't find the archive-keyring"
echo >&2 "Is the debian-archive-keyring package installed?"
exit 1
fi
# add new keys, if no MASTER_KEYRING is used, use the traditional
# way
if [ -z "$MASTER_KEYRING" ]; then
$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
else
add_keys_with_verify_against_master_keyring
fi
# remove no-longer supported/used keys
keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
for key in $keys; do
if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
$GPG --quiet --batch --delete-key --yes ${key}
fi
done
}
usage() {
echo "Usage: apt-key [command] [arguments]"
echo
echo "Manage apt's list of trusted keys"
echo
echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
echo " apt-key del <keyid> - remove the key <keyid>"
echo " apt-key export <keyid> - output the key <keyid>"
echo " apt-key exportall - output all trusted keys"
echo " apt-key update - update keys using the keyring package"
echo " apt-key list - list keys"
echo
}
command="$1"
if [ -z "$command" ]; then
usage
exit 1
fi
shift
if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
echo >&2 "Warning: gnupg does not seem to be installed."
echo >&2 "Warning: apt-key requires gnupg for most operations."
echo >&2
fi
case "$command" in
add)
$GPG --quiet --batch --import "$1"
echo "OK"
;;
del|rm|remove)
$GPG --quiet --batch --delete-key --yes "$1"
echo "OK"
;;
update)
update
;;
list)
$GPG --batch --list-keys
;;
finger*)
$GPG --batch --fingerprint
;;
export)
$GPG --armor --export "$1"
;;
exportall)
$GPG --armor --export
;;
adv*)
echo "Executing: $GPG $*"
$GPG $*
;;
help)
usage
;;
*)
usage
exit 1
;;
esac
|
