<feed xmlns='http://www.w3.org/2005/Atom'>
<title>apt/cmdline/apt-key, branch master</title>
<subtitle>Debian's command-line package manager</subtitle>
<id>https://git.kalnischkies.de/apt/atom?h=master</id>
<link rel='self' href='https://git.kalnischkies.de/apt/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/'/>
<updated>2013-12-01T14:51:33Z</updated>
<entry>
<title>generate apt-key script with vendor info about keys</title>
<updated>2013-12-01T14:51:33Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-11-30T22:11:43Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=5b2c6ddcc0e45c92c544032ad2bb91bdf7222d7c'/>
<id>urn:sha1:5b2c6ddcc0e45c92c544032ad2bb91bdf7222d7c</id>
<content type='text'>
The apt-key script uses quite a few keyring files for operation which
are specific to the distribution it is built on and is hence one of the
most patched parts – even if it is not that often used anymore now that
a fragment directory for trusted.gpg exists.
</content>
</entry>
<entry>
<title>cherry-pick Ubuntu's (disabled) net-update fixes</title>
<updated>2013-12-01T14:51:33Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-11-30T22:07:20Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=f87338d2da95ba7d55a1a67b4506717e94d49bca'/>
<id>urn:sha1:f87338d2da95ba7d55a1a67b4506717e94d49bca</id>
<content type='text'>
With the net-update command a special keyring can be downloaded and
imported into apt, which must be signed by a master key. It is
currently disabled because of security problems with it – and the only
known user before that was Ubuntu.
</content>
</entry>
<entry>
<title>let apt-key del work better with softlink and single key keyrings</title>
<updated>2013-08-12T16:01:38Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-08-12T14:19:37Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=04937adc655ceda0b3367f540e76df10296cfba1'/>
<id>urn:sha1:04937adc655ceda0b3367f540e76df10296cfba1</id>
<content type='text'>
Having fragment files means there is a good chance that there is one
key per keyring, so deal with that as well as with setups in which
keyrings are linked into trusted.gpg.d, as we can't just modify those
files (they might be in /usr, for example).
</content>
</entry>
<entry>
<title>make the keyring locations in apt-key configurable</title>
<updated>2013-08-12T16:01:37Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-08-11T22:36:52Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=80f3aeb04d043356bd98de7714fc164b3fff3861'/>
<id>urn:sha1:80f3aeb04d043356bd98de7714fc164b3fff3861</id>
<content type='text'>
Might come in handy for more than just a simple testcase.
</content>
</entry>
<entry>
<title>do not double-slash paths in apt-key</title>
<updated>2013-08-12T16:01:37Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-08-11T22:33:37Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=59f46f3ace16e769383a61ee336a76c6d03931ea'/>
<id>urn:sha1:59f46f3ace16e769383a61ee336a76c6d03931ea</id>
<content type='text'>
Closes: 665411
</content>
</entry>
<entry>
<title>use a tmpfile for trustdb.gpg in apt-key</title>
<updated>2013-08-12T16:01:37Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-08-11T22:19:10Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=f9e64e7bb0c125b54f0699d9e08956a88b467a7f'/>
<id>urn:sha1:f9e64e7bb0c125b54f0699d9e08956a88b467a7f</id>
<content type='text'>
For some "interesting" reason gpg decides that it needs to update its
trustdb.gpg file in a --list-keys command even if right before gpg was
asked to --check-trustdb. That wouldn't be as bad if it didn't modify
the keyring being listed at that moment as well, which generates not
only warnings, which are not a problem for us, but, as the keyring
being modified can be in /usr, it modifies files which aren't allowed to be
modified.

The suggested solution in the bug report is running --check-trustdb
unconditionally in an 'apt-key update' call, but this command will not
be used in the future and this could still potentially bite us in
net-update or adv calls. All of this just to keep a file around which
we do not need…

The commit therefore switches to the use of a temporarily created
trustdb.gpg file for everyone and asks gpg not to try to update the
trustdb after its initial creation, which seems to avoid the problem
altogether.

It is also using our faked secring, btw, as calling check-trustdb
without a keyring is a lot slower …

Closes: #687611
Thanks: Andreas Beckmann for the initial patch!
</content>
</entry>
<entry>
<title>always use our own trustdb.gpg in apt-key</title>
<updated>2013-08-12T16:01:37Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-07-11T18:07:22Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=c0a013221d296e97d68b4e9a66fef5c886d2bbb0'/>
<id>urn:sha1:c0a013221d296e97d68b4e9a66fef5c886d2bbb0</id>
<content type='text'>
APT doesn't care for the trustdb.gpg, but gnupg requires one even for
the simplest commands, so we either use the one root has available in
/etc or, if we don't have access to it (as only root can read that file),
we create a temporary directory to store a trustdb.gpg in.

We can't create just a temporary file, as gpg requires the given
trustdb.gpg file to be valid (if it exists), so we would have to remove
the file before calling gnupg, which would allow mktemp (and co) to hand
exactly this filename out to another program (unlikely, but still).
</content>
</entry>
<entry>
<title>add an undocumented apt-key --fakeroot option</title>
<updated>2013-08-12T16:01:37Z</updated>
<author>
<name>David Kalnischkies</name>
<email>kalnischkies@gmail.com</email>
</author>
<published>2013-07-11T17:20:09Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=3dc55197095e0536aae4d5c0c91e28bfd4740ec6'/>
<id>urn:sha1:3dc55197095e0536aae4d5c0c91e28bfd4740ec6</id>
<content type='text'>
Usually, most apt-key commands require root, so the script is checking
for being run as root, but in our tests we use a non-root location, so
we don't need to be root and therefore need an option to skip the check.

Git-Dch: Ignore
</content>
</entry>
<entry>
<title>cmdline/apt-key: Accept nonexistent --keyring file with adv as well</title>
<updated>2013-05-22T18:14:33Z</updated>
<author>
<name>Johan Kiviniemi</name>
<email>devel@johan.kiviniemi.name</email>
</author>
<published>2013-05-22T18:14:33Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=ecc46c1c42bb1aa59a0c8f0fb3eb12a5938da6ca'/>
<id>urn:sha1:ecc46c1c42bb1aa59a0c8f0fb3eb12a5938da6ca</id>
<content type='text'>
</content>
</entry>
<entry>
<title>cmdline/apt-key: Create new keyrings with mode 0644 instead of 0600</title>
<updated>2013-05-22T18:06:38Z</updated>
<author>
<name>Johan Kiviniemi</name>
<email>devel@johan.kiviniemi.name</email>
</author>
<published>2013-05-22T18:06:26Z</published>
<link rel='alternate' type='text/html' href='https://git.kalnischkies.de/apt/commit/?id=5de346684f6777eb9e2ac1a38d687c1bc50f35b0'/>
<id>urn:sha1:5de346684f6777eb9e2ac1a38d687c1bc50f35b0</id>
<content type='text'>
</content>
</entry>
</feed>
