blob: c1dbb0d055b1b45ac1ba94663f0993665bb09596 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
#!/bin/sh
set -e
# We don't use a secret keyring, of course, but gpg panics and
# implodes if there isn't one available
GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg"
GPG="$GPG_CMD --keyring /etc/apt/trusted.gpg"
MASTER_KEYRING=""
#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg
ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg
REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg
add_keys_with_verify_against_master_keyring() {
ADD_KEYRING=$1
MASTER=$2
if [ ! -f "$ADD_KEYRING" ]; then
echo "ERROR: '$ADD_KEYRING' not found"
return
fi
if [ ! -f "$MASTER" ]; then
echo "ERROR: '$MASTER' not found"
return
fi
# when adding new keys, make sure that the archive-master-keyring
# is honored. so:
# all keys that are exported and have the name
# "Ubuntu Archive Automatic Signing Key" must have a valid signature
# from a key in the ubuntu-master-keyring
add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5`
master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
for add_key in $add_keys; do
ADDED=0
for master_key in $master_keys; do
if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then
$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export $add_key | $GPG --import
ADDED=1
fi
done
if [ $ADDED = 0 ]; then
echo >&2 "Key '$add_key' not added. It is not signed with a master key"
fi
done
}
update() {
if [ ! -f $ARCHIVE_KEYRING ]; then
echo >&2 "ERROR: Can't find the archive-keyring"
echo >&2 "Is the debian-archive-keyring package installed?"
exit 1
fi
# add new keys, if no MASTER_KEYRING is used, use the traditional
# way
if [ -z "$MASTER_KEYRING" ]; then
$GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
else
add_keys_with_verify_against_master_keyring $ARCHIVE_KEYRING $MASTER_KEYRING
fi
# remove no-longer supported/used keys
keys=`$GPG_CMD --keyring $REMOVED_KEYS --with-colons --list-keys | grep ^pub | cut -d: -f5`
for key in $keys; do
if $GPG --list-keys --with-colons | grep ^pub | cut -d: -f5 | grep -q $key; then
$GPG --quiet --batch --delete-key --yes ${key}
fi
done
}
usage() {
echo "Usage: apt-key [command] [arguments]"
echo
echo "Manage apt's list of trusted keys"
echo
echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
echo " apt-key del <keyid> - remove the key <keyid>"
echo " apt-key export <keyid> - output the key <keyid>"
echo " apt-key exportall - output all trusted keys"
echo " apt-key update - update keys using the keyring package"
echo " apt-key list - list keys"
echo
}
command="$1"
if [ -z "$command" ]; then
usage
exit 1
fi
shift
if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
echo >&2 "Warning: gnupg does not seem to be installed."
echo >&2 "Warning: apt-key requires gnupg for most operations."
echo >&2
fi
case "$command" in
add)
$GPG --quiet --batch --import "$1"
echo "OK"
;;
del|rm|remove)
$GPG --quiet --batch --delete-key --yes "$1"
echo "OK"
;;
update)
update
;;
list)
$GPG --batch --list-keys
;;
finger*)
$GPG --batch --fingerprint
;;
export)
$GPG --armor --export "$1"
;;
exportall)
$GPG --armor --export
;;
adv*)
echo "Executing: $GPG $*"
$GPG $*
;;
help)
usage
;;
*)
usage
exit 1
;;
esac
|
