diff options
-rw-r--r-- | cmdline/apt-key.in | 19 | ||||
-rwxr-xr-x | test/integration/test-apt-key-net-update | 14 |
2 files changed, 27 insertions, 6 deletions
diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in index 779872b4c..c7d3ce8b5 100644 --- a/cmdline/apt-key.in +++ b/cmdline/apt-key.in @@ -25,6 +25,9 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" +APT_DIR="/" +eval $(apt-config shell APT_DIR Dir) + MASTER_KEYRING='&keyring-master-filename;' eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) ARCHIVE_KEYRING='&keyring-filename;' @@ -33,7 +36,7 @@ REMOVED_KEYS='&keyring-removed-filename;' eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) ARCHIVE_KEYRING_URI='&keyring-uri;' eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) -TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg +TMP_KEYRING=${APT_DIR}/var/lib/apt/keyrings/maybe-import-keyring.gpg requires_root() { if [ "$(id -u)" -ne 0 ]; then @@ -107,7 +110,11 @@ add_keys_with_verify_against_master_keyring() { # (otherwise it does not make sense from a security POV) net_update() { # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) - exit 1 + APT_KEY_NET_UPDATE_ENABLED="" + eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled) + if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then + exit 1 + fi if [ -z "$ARCHIVE_KEYRING_URI" ]; then echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" @@ -120,15 +127,15 @@ net_update() { echo >&2 "ERROR: an installed wget is required for a network-based update" exit 1 fi - if [ ! -d /var/lib/apt/keyrings ]; then - mkdir -p /var/lib/apt/keyrings + if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then + mkdir -p ${APT_DIR}/var/lib/apt/keyrings fi - keyring=/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) + keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING) old_mtime=0 if [ -e $keyring ]; then old_mtime=$(stat -c %Y $keyring) fi - (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) + (cd ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) if [ ! -e $keyring ]; then return fi diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update index 73545aff7..e0869402e 100755 --- a/test/integration/test-apt-key-net-update +++ b/test/integration/test-apt-key-net-update @@ -6,6 +6,20 @@ TESTDIR=$(readlink -f $(dirname $0)) setupenvironment configarchitecture "i386" +changetowebserver + +# setup env +mkdir -p aptarchive/ubuntu/project var/lib/apt/keyrings +echo 'APT::Key::ArchiveKeyringURI "http://localhost:8080/ubuntu/project/ubuntu-archive-keyring.gpg";' >> ./aptconfig.conf +echo 'APT::Key::Net-Update-Enabled "1";' >> ./aptconfig.conf + +# signed thing +echo "meep" > aptarchive/ubuntu/project/ubuntu-archive-keyring.gpg + +# test against the "real" webserver +aptkey --fakeroot net-update + +exit 1 # mock requires_root() { |