summaryrefslogtreecommitdiff
path: root/cmdline/apt-key.in
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2015-12-18 12:35:43 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2015-12-19 23:04:34 +0100
commit803491dc568d2994745c3c4359f68053f7261658 (patch)
tree11e3ad26d6a199228b7fb2ecb65f15cc0ba6f2de /cmdline/apt-key.in
parentbc8f83a5afd858206efe518c31bbb1ac948a39a3 (diff)
avoid triggering gpg2 migration in apt-key
The presents (even of an empty) secring.gpg is indication enough for gpg2 to tigger the migration code which not only produces a bunch of output on each apt-key call, but also takes a while to complete as an agent needs to be started and all that. We workaround the first part by forcing the migration to happen always in a call we forced into silence, but that leaves us with an agent to start all the time – with a bit of reordering we can make it so that we do not explicitly create the secring, but let gpg create it if needed, which prevents the migration from being triggered and we have at least a bit less of a need for an agent. Changes - even to public only keyrings - still require one, but such actions are infrequent in comparison to verification calls, so that should be a net improvement.
Diffstat (limited to 'cmdline/apt-key.in')
-rw-r--r--cmdline/apt-key.in30
1 files changed, 15 insertions, 15 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 4d1079a4b..80eee6265 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -506,38 +506,38 @@ prepare_gpg_home() {
create_gpg_home
- # We don't use a secret keyring, of course, but gpg panics and
- # implodes if there isn't one available - and writeable for imports
- SECRETKEYRING="${GPGHOMEDIR}/secring.gpg"
- touch "$SECRETKEYRING"
-
# create the trustdb with an (empty) dummy keyring
# older gpgs required it, newer gpgs even warn that it isn't needed,
# but require it nonetheless for some commands, so we just play safe
# here for the foreseeable future and create a dummy one
+ touch "${GPGHOMEDIR}/empty.gpg"
if ! "$GPG_EXE" --ignore-time-conflict --no-options --no-default-keyring \
- --homedir "$GPGHOMEDIR" --quiet --check-trustdb --keyring "$SECRETKEYRING" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
+ --homedir "$GPGHOMEDIR" --quiet --check-trustdb --keyring "${GPGHOMEDIR}/empty.gpg" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
false
fi
- # tell gpg that it shouldn't try to maintain a trustdb file
+
+ # now tell gpg that it shouldn't try to maintain this trustdb file
echo "#!/bin/sh
exec '$(escape_shell "${GPG_EXE}")' --ignore-time-conflict --no-options --no-default-keyring \\
--homedir '$(escape_shell "${GPGHOMEDIR}")' --no-auto-check-trustdb --trust-model always \"\$@\"" > "${GPGHOMEDIR}/gpg.0.sh"
GPG_SH="${GPGHOMEDIR}/gpg.0.sh"
GPG="$GPG_SH"
+ # We don't usually need a secret keyring, of course, but
# for advanced operations, we might really need a secret keyring after all
if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then
- rm -f "$SECRETKEYRING"
- cp -a "$FORCED_SECRET_KEYRING" "$SECRETKEYRING"
+ if ! aptkey_execute "$GPG" -v --batch --import "$FORCED_SECRET_KEYRING" >"${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
+ cat >&2 "${GPGHOMEDIR}/gpgoutput.log"
+ false
+ fi
+ else
+ # and then, there are older versions of gpg which panic and implode
+ # if there isn't one available - and writeable for imports
+ # and even if not output is littered with the creation of a secring,
+ # so lets call import once to have it create what it wants in silence
+ echo -n | aptkey_execute "$GPG" --batch --import >/dev/null 2>&1 || true
fi
-
- # older gpg versions need a secring file, but newer versions take it as
- # a hint to start a migration from earlier versions. The file is empty
- # anyhow, so nothing actually happens, but its three lines of output
- # nobody expects to see in apt-key context, so trigger it in silence
- echo -n | aptkey_execute "$GPG" --batch --import >/dev/null 2>&1 || true
}
if [ "$command" != 'help' ] && [ "$command" != 'verify' ]; then