diff options
| author | David Kalnischkies <david@kalnischkies.de> | 2014-01-16 23:00:27 +0100 |
|---|---|---|
| committer | David Kalnischkies <david@kalnischkies.de> | 2014-01-16 23:50:39 +0100 |
| commit | 5fd25d678f51cfa013643efe3429eb08b9504058 (patch) | |
| tree | de74953f037d3db86c6425b729fdb30e596a7de6 | |
| parent | 9ce3cfc9309c55cc01018c88c1ca82779fd74431 (diff) | |
use gpg --homedir instead of explicit file placement
Avoids that gpg gets the idea it could use files from the user which
weren't overridden specifically like secret keyring and trustdb as
before.
| -rw-r--r-- | cmdline/apt-key.in | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index 463e4b4b4..0ced500db 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -5,22 +5,23 @@ unset GREP_OPTIONS GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" -# gpg needs a trustdb to function, but it can't be invalid (not even empty) -# so we create a temporary directory to store our fresh readable trustdb in -TRUSTDBDIR="$(mktemp -d)" -CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" +# gpg needs (in different versions more or less) files to function correctly, +# so we give it its own homedir and generate some valid content for it +GPGHOMEDIR="$(mktemp -d)" +CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';" trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM -chmod 700 "$TRUSTDBDIR" -# We also don't use a secret keyring, of course, but gpg panics and +chmod 700 "$GPGHOMEDIR" +# We don't use a secret keyring, of course, but gpg panics and # implodes if there isn't one available - and writeable for imports -SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" +SECRETKEYRING="${GPGHOMEDIR}/secring.gpg" touch $SECRETKEYRING -GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" -GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" - -# now create the trustdb with an (empty) dummy keyring -$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING -# and make sure that gpg isn't trying to update the file +GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR" +# create the trustdb with an (empty) dummy keyring +# older gpgs required it, newer gpgs even warn that it isn't needed, +# but require it nontheless for some commands, so we just play safe +# here for the foreseeable future and create a dummy one +$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1 +# tell gpg that it shouldn't try to maintain a trustdb file GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" |