diff options
| author | David Kalnischkies <david@kalnischkies.de> | 2014-01-16 23:00:27 +0100 |
|---|---|---|
| committer | David Kalnischkies <david@kalnischkies.de> | 2014-01-16 23:50:39 +0100 |
| commit | 5fd25d678f51cfa013643efe3429eb08b9504058 (patch) | |
| tree | de74953f037d3db86c6425b729fdb30e596a7de6 /cmdline | |
| parent | 9ce3cfc9309c55cc01018c88c1ca82779fd74431 (diff) | |
use gpg --homedir instead of explicit file placement
Avoids that gpg gets the idea it could use files from the user which
weren't overridden specifically like secret keyring and trustdb as
before.
Diffstat (limited to 'cmdline')
| -rw-r--r-- | cmdline/apt-key.in | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index 463e4b4b4..0ced500db 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -5,22 +5,23 @@ unset GREP_OPTIONS GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" -# gpg needs a trustdb to function, but it can't be invalid (not even empty) -# so we create a temporary directory to store our fresh readable trustdb in -TRUSTDBDIR="$(mktemp -d)" -CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" +# gpg needs (in different versions more or less) files to function correctly, +# so we give it its own homedir and generate some valid content for it +GPGHOMEDIR="$(mktemp -d)" +CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';" trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM -chmod 700 "$TRUSTDBDIR" -# We also don't use a secret keyring, of course, but gpg panics and +chmod 700 "$GPGHOMEDIR" +# We don't use a secret keyring, of course, but gpg panics and # implodes if there isn't one available - and writeable for imports -SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" +SECRETKEYRING="${GPGHOMEDIR}/secring.gpg" touch $SECRETKEYRING -GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" -GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" - -# now create the trustdb with an (empty) dummy keyring -$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING -# and make sure that gpg isn't trying to update the file +GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR" +# create the trustdb with an (empty) dummy keyring +# older gpgs required it, newer gpgs even warn that it isn't needed, +# but require it nontheless for some commands, so we just play safe +# here for the foreseeable future and create a dummy one +$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1 +# tell gpg that it shouldn't try to maintain a trustdb file GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" |