From 5de346684f6777eb9e2ac1a38d687c1bc50f35b0 Mon Sep 17 00:00:00 2001 From: Johan Kiviniemi Date: Wed, 22 May 2013 21:06:26 +0300 Subject: cmdline/apt-key: Create new keyrings with mode 0644 instead of 0600 --- cmdline/apt-key | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index c184e3e75..309c51b13 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -32,6 +32,16 @@ requires_root() { fi } +# gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead. +init_keyring() { + for path; do + if ! [ -e "$path" ]; then + touch -- "$path" + chmod 0644 -- "$path" + fi + done +} + add_keys_with_verify_against_master_keyring() { ADD_KEYRING=$1 MASTER=$2 @@ -198,33 +208,42 @@ fi case "$command" in add) requires_root + init_keyring "$TRUSTEDFILE" $GPG --quiet --batch --import "$1" echo "OK" ;; del|rm|remove) requires_root + init_keyring "$TRUSTEDFILE" $GPG --quiet --batch --delete-key --yes "$1" echo "OK" ;; update) + init_keyring "$TRUSTEDFILE" update ;; net-update) + init_keyring "$TRUSTEDFILE" net_update ;; list) + init_keyring "$TRUSTEDFILE" $GPG --batch --list-keys ;; finger*) + init_keyring "$TRUSTEDFILE" $GPG --batch --fingerprint ;; export) + init_keyring "$TRUSTEDFILE" $GPG --armor --export "$1" ;; exportall) + init_keyring "$TRUSTEDFILE" $GPG --armor --export ;; adv*) + init_keyring "$TRUSTEDFILE" echo "Executing: $GPG $*" $GPG $* ;; -- cgit v1.2.3-70-g09d2 From ecc46c1c42bb1aa59a0c8f0fb3eb12a5938da6ca Mon Sep 17 00:00:00 2001 From: Johan Kiviniemi Date: Wed, 22 May 2013 21:14:33 +0300 Subject: cmdline/apt-key: Accept nonexistent --keyring file with adv as well --- cmdline/apt-key | 2 +- debian/changelog | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index 309c51b13..2c087acbc 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -163,7 +163,7 @@ if [ "$1" = "--keyring" ]; then #echo "keyfile given" shift TRUSTEDFILE="$1" - if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ]; then + if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" else echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" diff --git a/debian/changelog b/debian/changelog index 89da46ed1..b3800fc42 100644 --- a/debian/changelog +++ b/debian/changelog @@ -11,7 +11,9 @@ apt (0.9.8.2) UNRELEASED; urgency=low - fix build failure when building without NLS (closes: #671587) [ Johan Kiviniemi ] - * cmdline/apt-key: Create new keyrings with mode 0644 instead of 0600. + * cmdline/apt-key: + - Create new keyrings with mode 0644 instead of 0600. + - Accept a nonexistent --keyring file with the adv subcommand as well. -- Christian Perrier Thu, 16 May 2013 22:28:22 +0200 -- cgit v1.2.3-70-g09d2 From 3dc55197095e0536aae4d5c0c91e28bfd4740ec6 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 11 Jul 2013 19:20:09 +0200 Subject: add a not documented apt-key --fakeroot option Usually, most apt-key commands require root, so the script is checking for being run as root, but in your tests we use a non-root location, so we don't need to be root and therefore need an option to skip the check. Git-Dch: Ignore --- cmdline/apt-key | 73 ++++++++++++++++++++++++++++++++------------------------- 1 file changed, 41 insertions(+), 32 deletions(-) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index 2c087acbc..89e224923 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -158,39 +158,48 @@ usage() { echo "If no specific keyring file is given the command applies to all keyring files." } -# Determine on which keyring we want to work -if [ "$1" = "--keyring" ]; then - #echo "keyfile given" - shift - TRUSTEDFILE="$1" - if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then - GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" - else - echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" - exit 1 - fi - shift -# otherwise use the default -else - #echo "generate list" - TRUSTEDFILE="/etc/apt/trusted.gpg" - eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) - eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) - if [ -r "$TRUSTEDFILE" ]; then - GPG="$GPG --keyring $TRUSTEDFILE" - fi - GPG="$GPG --primary-keyring $TRUSTEDFILE" - TRUSTEDPARTS="/etc/apt/trusted.gpg.d" - eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) - if [ -d "$TRUSTEDPARTS" ]; then - #echo "parts active" - for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do - #echo "part -> $trusted" - GPG="$GPG --keyring $trusted" - done - fi +while [ -n "$1" ]; do + case "$1" in + --keyring) + shift + TRUSTEDFILE="$1" + if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then + GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" + else + echo >&2 "Error: The specified keyring »$TRUSTEDFILE« is missing or not readable" + exit 1 + fi + shift + ;; + --fakeroot) + requires_root() { true; } + shift + ;; + --*) + echo >&2 "Unknown option: $1" + usage + exit 1;; + *) + break;; + esac +done + +if [ -z "$TRUSTEDFILE" ]; then + TRUSTEDFILE="/etc/apt/trusted.gpg" + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + if [ -r "$TRUSTEDFILE" ]; then + GPG="$GPG --keyring $TRUSTEDFILE" + fi + GPG="$GPG --primary-keyring $TRUSTEDFILE" + TRUSTEDPARTS="/etc/apt/trusted.gpg.d" + eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) + if [ -d "$TRUSTEDPARTS" ]; then + for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do + GPG="$GPG --keyring $trusted" + done + fi fi -#echo "COMMAND: $GPG" command="$1" if [ -z "$command" ]; then -- cgit v1.2.3-70-g09d2 From c0a013221d296e97d68b4e9a66fef5c886d2bbb0 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 11 Jul 2013 20:07:22 +0200 Subject: always use our own trustdb.gpg in apt-key APT doesn't care for the trustdb.gpg, but gnupg requires one even for the simplest commands, so we either use the one root has available in /etc or if we don't have access to it (as only root can read that file) we create a temporary directory to store a trustdb.gpg in it. We can't create just a temporary file as gpg requires the given trustdb.gpg file to be valid (if it exists), so we would have to remove the file before calling gnupg which would allow mktemp (and co) to hand exactly this filename out to another program (unlikely, but still). --- cmdline/apt-key | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index 89e224923..4596e4a47 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -6,15 +6,23 @@ unset GREP_OPTIONS # We don't use a secret keyring, of course, but gpg panics and # implodes if there isn't one available SECRETKEYRING="$(mktemp)" -trap "rm -f '${SECRETKEYRING}'" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM +CURRENTTRAP="rm -f '${SECRETKEYRING}';" +trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}" -if [ "$(id -u)" -eq 0 ]; then - # we could use a tmpfile here too, but creation of this tends to be time-consuming - eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) - GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" +eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) +if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then + # root can read/create the file as needed, so use the default + true +else + # gpg needs a trustdb to function, but it can't be invalid (not even empty) + # so we create a tempory directory to store our fresh readable trustdb in + TRUSTDBDIR="$(mktemp -d)" + CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" + trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM + chmod 700 "$TRUSTDBDIR" fi - +GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" GPG="$GPG_CMD" MASTER_KEYRING="" -- cgit v1.2.3-70-g09d2 From f9e64e7bb0c125b54f0699d9e08956a88b467a7f Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 12 Aug 2013 00:19:10 +0200 Subject: use a tmpfile for trustdb.gpg in apt-key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit for some "interesting" reason gpg decides that it needs to update its trustdb.gpg file in a --list-keys command even if right before gpg is asked to --check-trustdb. That wouldn't be as bad if it wouldn't modify the keyring being listed at that moment as well, which generates not only warnings which are not a problem for us, but as the keyring modified can be in /usr it modified files which aren't allowed to be modified. The suggested solution in the bugreport is running --check-trustdb unconditionally in an 'apt-key update' call, but this command will not be used in the future and this could still potentially bite us in net-update or adv calls. All of this just to keep a file around, which we do not need… The commit therefore switches to the use of a temporary created trusted.gpg file for everyone and asks gpg to not try to update the trustdb after its intial creation, which seems to avoid the problem altogether. It is using your also faked secring btw as calling the check-trustdb without a keyring is a lot slower … Closes: #687611 Thanks: Andreas Beckmann for the initial patch! --- cmdline/apt-key | 36 ++++++++++++++++++------------------ debian/apt.postinst | 13 +++++++++---- 2 files changed, 27 insertions(+), 22 deletions(-) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index 4596e4a47..e010e6e90 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -3,26 +3,26 @@ set -e unset GREP_OPTIONS -# We don't use a secret keyring, of course, but gpg panics and -# implodes if there isn't one available -SECRETKEYRING="$(mktemp)" -CURRENTTRAP="rm -f '${SECRETKEYRING}';" -trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM -GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring ${SECRETKEYRING}" +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" -eval $(apt-config shell TRUSTDBDIR Dir::Etc/d) -if [ "$(id -u)" -eq 0 ] || [ -r "${TRUSTDBDIR}/trustdb.gpg" ]; then - # root can read/create the file as needed, so use the default - true -else - # gpg needs a trustdb to function, but it can't be invalid (not even empty) - # so we create a tempory directory to store our fresh readable trustdb in - TRUSTDBDIR="$(mktemp -d)" - CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" - trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM - chmod 700 "$TRUSTDBDIR" -fi +# gpg needs a trustdb to function, but it can't be invalid (not even empty) +# so we create a temporary directory to store our fresh readable trustdb in +TRUSTDBDIR="$(mktemp -d)" +CURRENTTRAP="${CURRENTTRAP} rm -rf '${TRUSTDBDIR}';" +trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM +chmod 700 "$TRUSTDBDIR" +# We also don't use a secret keyring, of course, but gpg panics and +# implodes if there isn't one available - and writeable for imports +SECRETKEYRING="${TRUSTDBDIR}/secring.gpg" +touch $SECRETKEYRING +GPG_CMD="$GPG_CMD --secret-keyring $SECRETKEYRING" GPG_CMD="$GPG_CMD --trustdb-name ${TRUSTDBDIR}/trustdb.gpg" + +# now create the trustdb with an (empty) dummy keyring +$GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING +# and make sure that gpg isn't trying to update the file +GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" + GPG="$GPG_CMD" MASTER_KEYRING="" diff --git a/debian/apt.postinst b/debian/apt.postinst index 9ff1e031c..caa05ccdf 100644 --- a/debian/apt.postinst +++ b/debian/apt.postinst @@ -15,10 +15,15 @@ set -e case "$1" in configure) - SECRING='/etc/apt/secring.gpg' - # test if secring is an empty normal file - if test -f $SECRING -a ! -s $SECRING; then - rm -f $SECRING + if dpkg --compare-versions "$2" lt-nl 0.9.9.5; then + # we are using tmpfiles for both + rm -f /etc/apt/trustdb.gpg + # this removal was done unconditional since 0.8.15.3 + SECRING='/etc/apt/secring.gpg' + # test if secring is an empty normal file + if test -f $SECRING -a ! -s $SECRING; then + rm -f $SECRING + fi fi apt-key update -- cgit v1.2.3-70-g09d2 From 59f46f3ace16e769383a61ee336a76c6d03931ea Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 12 Aug 2013 00:33:37 +0200 Subject: do not double-slash paths in apt-key Closes: 665411 --- cmdline/apt-key | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index e010e6e90..7038be265 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -203,7 +203,12 @@ if [ -z "$TRUSTEDFILE" ]; then TRUSTEDPARTS="/etc/apt/trusted.gpg.d" eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) if [ -d "$TRUSTEDPARTS" ]; then - for trusted in $(run-parts --list $TRUSTEDPARTS --regex '^.*\.gpg$'); do + # strip / suffix as gpg will double-slash in that case (#665411) + STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}" + if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then + TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS" + fi + for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do GPG="$GPG --keyring $trusted" done fi -- cgit v1.2.3-70-g09d2 From 80f3aeb04d043356bd98de7714fc164b3fff3861 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 12 Aug 2013 00:36:52 +0200 Subject: make the keyring locations in apt-key configurable Might come in handy for more than just a simple testcase. --- cmdline/apt-key | 6 +++++- test/integration/test-apt-key | 39 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100755 test/integration/test-apt-key (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index 7038be265..a9cbea55c 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -26,12 +26,16 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" MASTER_KEYRING="" -ARCHIVE_KEYRING_URI="" #MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg +eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) +ARCHIVE_KEYRING_URI="" #ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg +eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg +eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg +eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) requires_root() { if [ "$(id -u)" -ne 0 ]; then diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key new file mode 100755 index 000000000..5beb6f220 --- /dev/null +++ b/test/integration/test-apt-key @@ -0,0 +1,39 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture 'amd64' + +msgtest 'Check that paths in list output are not' 'double-slashed' +aptkey list 2>&1 | grep -q '//' && msgfail || msgpass + +msgtest 'Check that paths in finger output are not' 'double-slashed' +aptkey finger 2>&1 | grep -q '//' && msgfail || msgpass + +echo 'APT::Key::ArchiveKeyring "./keys/joesixpack.pub"; +APT::Key::RemovedKeys "./keys/rexexpired.pub";' > rootdir/etc/apt/apt.conf.d/aptkey.conf + +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/DBAC8DAE 2010-08-18' + +testequal 'gpg: key DBAC8DAE: "Joe Sixpack (APT Testcases Dummy) " not changed +gpg: Total number processed: 1 +gpg: unchanged: 1' aptkey --fakeroot update + +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/DBAC8DAE 2010-08-18' + +testsuccess aptkey --fakeroot add ./keys/rexexpired.pub + +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/27CE74F9 2013-07-12 [expired: 2013-07-13] +pub 2048R/DBAC8DAE 2010-08-18' + +msgtest 'Execute update again to trigger removal of' 'Rex Expired key' +testsuccess --nomsg aptkey --fakeroot update + +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/DBAC8DAE 2010-08-18' -- cgit v1.2.3-70-g09d2 From 04937adc655ceda0b3367f540e76df10296cfba1 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 12 Aug 2013 16:19:37 +0200 Subject: let apt-key del work better with softlink and single key keyrings Having fragement files means there is a good chance that there is one key per keyring, so deal with that as well as with setups in which keyrings are linked into trusted.gpg.d as we can't just modify those files (they might be in /usr for example). --- cmdline/apt-key | 59 +++++++++++++++++++++++++++++++++++-- test/integration/test-apt-key | 68 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 124 insertions(+), 3 deletions(-) (limited to 'cmdline/apt-key') diff --git a/cmdline/apt-key b/cmdline/apt-key index a9cbea55c..713a41c07 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -151,6 +151,60 @@ update() { fi } +remove_key_from_keyring() { + local GPG="$GPG_CMD --keyring $1" + # check if the key is in this keyring: the key id is in the 5 column at the end + if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then + return + fi + if [ ! -w "$1" ]; then + echo >&2 "Key ${2} is in keyring ${1}, but can't be removed as it is read only." + return + fi + # check if it is the only key in the keyring and if so remove the keyring alltogether + if [ '1' = "$($GPG --with-colons --list-keys | grep "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+:" | wc -l)" ]; then + mv -f "$1" "${1}~" # behave like gpg + return + fi + # we can't just modify pointed to files as these might be in /usr or something + local REALTARGET + if [ -L "$1" ]; then + REALTARGET="$(readlink -f "$1")" + mv -f "$1" "${1}.dpkg-tmp" + cp -a "$REALTARGET" "$1" + ls "$(dirname $1)" + fi + # delete the key from the keyring + $GPG --batch --delete-key --yes "$2" + if [ -n "$REALTARGET" ]; then + # the real backup is the old link, not the copy we made + mv -f "${1}.dpkg-tmp" "${1}~" + fi +} + +remove_key() { + requires_root + + # if a --keyring was given, just remove from there + if [ -n "$FORCED_KEYRING" ]; then + remove_key_from_keyring "$FORCED_KEYRING" "$1" + else + # otherwise all known keyrings are up for inspection + local TRUSTEDFILE="/etc/apt/trusted.gpg" + eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring) + eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f) + remove_key_from_keyring "$TRUSTEDFILE" "$1" + TRUSTEDPARTS="/etc/apt/trusted.gpg.d" + eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d) + if [ -d "$TRUSTEDPARTS" ]; then + for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do + remove_key_from_keyring "$trusted" "$1" + done + fi + fi + echo "OK" +} + usage() { echo "Usage: apt-key [--keyring file] [command] [arguments]" @@ -175,6 +229,7 @@ while [ -n "$1" ]; do --keyring) shift TRUSTEDFILE="$1" + FORCED_KEYRING="$1" if [ -r "$TRUSTEDFILE" ] || [ "$2" = 'add' ] || [ "$2" = 'adv' ]; then GPG="$GPG --keyring $TRUSTEDFILE --primary-keyring $TRUSTEDFILE" else @@ -239,10 +294,8 @@ case "$command" in echo "OK" ;; del|rm|remove) - requires_root init_keyring "$TRUSTEDFILE" - $GPG --quiet --batch --delete-key --yes "$1" - echo "OK" + remove_key "$1" ;; update) init_keyring "$TRUSTEDFILE" diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key index 5beb6f220..68b3f9710 100755 --- a/test/integration/test-apt-key +++ b/test/integration/test-apt-key @@ -37,3 +37,71 @@ testsuccess --nomsg aptkey --fakeroot update aptkey list | grep '^pub' > aptkey.list testfileequal ./aptkey.list 'pub 2048R/DBAC8DAE 2010-08-18' + +msgtest "Try to remove a key which exists, but isn't in the" 'forced keyring' +testsuccess --nomsg aptkey --fakeroot --keyring rootdir/etc/apt/trusted.gpg del DBAC8DAE + +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/DBAC8DAE 2010-08-18' + +testsuccess aptkey --fakeroot del DBAC8DAE +testempty aptkey list + +# start from a clean plate again +cleanplate() { + rm -rf rootdir/etc/apt/trusted.gpg.d/ rootdir/etc/apt/trusted.gpg + mkdir rootdir/etc/apt/trusted.gpg.d/ +} + +msgtest 'Test key removal with' 'single key in real file' +cleanplate +cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg +testsuccess --nomsg aptkey --fakeroot del DBAC8DAE +testempty aptkey list +testsuccess test ! -e rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg +testsuccess cmp keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg~ + +msgtest 'Test key removal with' 'single key in softlink' +cleanplate +ln -s $(readlink -f ./keys/joesixpack.pub) rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg +testsuccess --nomsg aptkey --fakeroot del DBAC8DAE +testempty aptkey list +testsuccess test ! -e rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg +testsuccess test -L rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg~ + +cleanplate +testsuccess aptkey --fakeroot add ./keys/joesixpack.pub +testsuccess aptkey --fakeroot add ./keys/marvinparanoid.pub +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/DBAC8DAE 2010-08-18 +pub 2048R/528144E2 2011-01-16' +cp -a rootdir/etc/apt/trusted.gpg keys/testcase-multikey.pub # store for reuse + +msgtest 'Test key removal with' 'multi key in real file' +cleanplate +cp -a keys/testcase-multikey.pub rootdir/etc/apt/trusted.gpg.d/multikey.gpg +testsuccess --nomsg aptkey --fakeroot del DBAC8DAE +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/528144E2 2011-01-16' +testsuccess cmp keys/testcase-multikey.pub rootdir/etc/apt/trusted.gpg.d/multikey.gpg~ + +msgtest 'Test key removal with' 'multi key in softlink' +cleanplate +ln -s $(readlink -f ./keys/testcase-multikey.pub) rootdir/etc/apt/trusted.gpg.d/multikey.gpg +testsuccess --nomsg aptkey --fakeroot del DBAC8DAE +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/528144E2 2011-01-16' +testsuccess cmp keys/testcase-multikey.pub rootdir/etc/apt/trusted.gpg.d/multikey.gpg~ +testsuccess test ! -L rootdir/etc/apt/trusted.gpg.d/multikey.gpg +testsuccess test -L rootdir/etc/apt/trusted.gpg.d/multikey.gpg~ + +msgtest 'Test key removal with' 'multiple files including key' +cleanplate +cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg +cp -a keys/testcase-multikey.pub rootdir/etc/apt/trusted.gpg.d/multikey.gpg +testsuccess --nomsg aptkey --fakeroot del DBAC8DAE +aptkey list | grep '^pub' > aptkey.list +testfileequal ./aptkey.list 'pub 2048R/528144E2 2011-01-16' +testsuccess test ! -e rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg +testsuccess cmp keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg~ +testsuccess cmp keys/testcase-multikey.pub rootdir/etc/apt/trusted.gpg.d/multikey.gpg~ -- cgit v1.2.3-70-g09d2