apt-key.in 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476
  1. #!/bin/sh
  2. set -e
  3. unset GREP_OPTIONS
  4. APT_DIR="/"
  5. eval $(apt-config shell APT_DIR Dir)
  6. MASTER_KEYRING='&keyring-master-filename;'
  7. eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring)
  8. ARCHIVE_KEYRING='&keyring-filename;'
  9. eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring)
  10. REMOVED_KEYS='&keyring-removed-filename;'
  11. eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys)
  12. ARCHIVE_KEYRING_URI='&keyring-uri;'
  13. eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI)
  14. aptkey_echo() { echo "$@"; }
  15. requires_root() {
  16. if [ "$(id -u)" -ne 0 ]; then
  17. echo >&2 "ERROR: This command can only be used by root."
  18. exit 1
  19. fi
  20. }
  21. get_fingerprints_of_keyring() {
  22. $GPG_CMD --keyring "$1" --with-colons --fingerprint | while read publine; do
  23. # search for a public key
  24. if [ "${publine%%:*}" != 'pub' ]; then continue; fi
  25. # search for the associated fingerprint (should be the very next line)
  26. while read fprline; do
  27. if [ "${fprline%%:*}" = 'sub' ]; then break; # should never happen
  28. elif [ "${fprline%%:*}" != 'fpr' ]; then continue; fi
  29. echo "$fprline" | cut -d':' -f 10
  30. done
  31. done
  32. }
  33. add_keys_with_verify_against_master_keyring() {
  34. ADD_KEYRING=$1
  35. MASTER=$2
  36. if [ ! -f "$ADD_KEYRING" ]; then
  37. echo >&2 "ERROR: '$ADD_KEYRING' not found"
  38. return
  39. fi
  40. if [ ! -f "$MASTER" ]; then
  41. echo >&2 "ERROR: '$MASTER' not found"
  42. return
  43. fi
  44. # when adding new keys, make sure that the archive-master-keyring
  45. # is honored. so:
  46. # all keys that are exported must have a valid signature
  47. # from a key in the $distro-master-keyring
  48. add_keys="$(get_fingerprints_of_keyring "$ADD_KEYRING")"
  49. all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5`
  50. master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5`
  51. # ensure there are no colisions LP: #857472
  52. for all_add_key in $all_add_keys; do
  53. for master_key in $master_keys; do
  54. if [ "$all_add_key" = "$master_key" ]; then
  55. echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted"
  56. return 1
  57. fi
  58. done
  59. done
  60. for add_key in $add_keys; do
  61. # export the add keyring one-by-one
  62. local TMP_KEYRING="${GPGHOMEDIR}/tmp-keyring.gpg"
  63. $GPG_CMD --batch --yes --keyring "$ADD_KEYRING" --output "$TMP_KEYRING" --export "$add_key"
  64. if ! $GPG_CMD --batch --yes --keyring "$TMP_KEYRING" --import "$MASTER" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
  65. cat "${GPGHOMEDIR}/gpgoutput.log"
  66. false
  67. fi
  68. # check if signed with the master key and only add in this case
  69. ADDED=0
  70. for master_key in $master_keys; do
  71. if $GPG_CMD --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then
  72. $GPG_CMD --batch --yes --keyring "$ADD_KEYRING" --export "$add_key" | $GPG --batch --yes --import
  73. ADDED=1
  74. fi
  75. done
  76. if [ $ADDED = 0 ]; then
  77. echo >&2 "Key '$add_key' not added. It is not signed with a master key"
  78. fi
  79. rm -f "${TMP_KEYRING}"
  80. done
  81. }
  82. # update the current archive signing keyring from a network URI
  83. # the archive-keyring keys needs to be signed with the master key
  84. # (otherwise it does not make sense from a security POV)
  85. net_update() {
  86. # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128))
  87. APT_KEY_NET_UPDATE_ENABLED=""
  88. eval $(apt-config shell APT_KEY_NET_UPDATE_ENABLED APT::Key::Net-Update-Enabled)
  89. if [ -z "$APT_KEY_NET_UPDATE_ENABLED" ]; then
  90. exit 1
  91. fi
  92. if [ -z "$ARCHIVE_KEYRING_URI" ]; then
  93. echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set"
  94. exit 1
  95. fi
  96. # in theory we would need to depend on wget for this, but this feature
  97. # isn't useable in debian anyway as we have no keyring uri nor a master key
  98. if ! which wget >/dev/null 2>&1; then
  99. echo >&2 "ERROR: an installed wget is required for a network-based update"
  100. exit 1
  101. fi
  102. if [ ! -d ${APT_DIR}/var/lib/apt/keyrings ]; then
  103. mkdir -p ${APT_DIR}/var/lib/apt/keyrings
  104. fi
  105. keyring=${APT_DIR}/var/lib/apt/keyrings/$(basename $ARCHIVE_KEYRING_URI)
  106. old_mtime=0
  107. if [ -e $keyring ]; then
  108. old_mtime=$(stat -c %Y $keyring)
  109. fi
  110. (cd ${APT_DIR}/var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI)
  111. if [ ! -e $keyring ]; then
  112. return
  113. fi
  114. new_mtime=$(stat -c %Y $keyring)
  115. if [ $new_mtime -ne $old_mtime ]; then
  116. aptkey_echo "Checking for new archive signing keys now"
  117. add_keys_with_verify_against_master_keyring $keyring $MASTER_KEYRING
  118. fi
  119. }
  120. update() {
  121. if [ ! -f $ARCHIVE_KEYRING ]; then
  122. echo >&2 "ERROR: Can't find the archive-keyring"
  123. echo >&2 "Is the &keyring-package; package installed?"
  124. exit 1
  125. fi
  126. # add new keys from the package;
  127. # we do not use add_keys_with_verify_against_master_keyring here,
  128. # because "update" is run on regular package updates. A
  129. # attacker might as well replace the master-archive-keyring file
  130. # in the package and add his own keys. so this check wouldn't
  131. # add any security. we *need* this check on net-update though
  132. $GPG_CMD --quiet --batch --keyring $ARCHIVE_KEYRING --export | $GPG --import
  133. if [ -r "$REMOVED_KEYS" ]; then
  134. # remove no-longer supported/used keys
  135. get_fingerprints_of_keyring "$REMOVED_KEYS" | while read key; do
  136. foreach_keyring_do 'remove_key_from_keyring' "$key"
  137. done
  138. else
  139. echo >&2 "Warning: removed keys keyring $REMOVED_KEYS missing or not readable"
  140. fi
  141. }
  142. remove_key_from_keyring() {
  143. local KEYRINGFILE="$1"
  144. shift
  145. # non-existent keyrings have by definition no keys
  146. if [ ! -e "$KEYRINGFILE" ]; then
  147. return
  148. fi
  149. local GPG="$GPG_CMD --keyring $KEYRINGFILE"
  150. for KEY in "$@"; do
  151. # check if the key is in this keyring: the key id is in the 5 column at the end
  152. if ! get_fingerprints_of_keyring "$KEYRINGFILE" | grep -iq "^[0-9A-F]*${KEY}$"; then
  153. continue
  154. fi
  155. if [ ! -w "$KEYRINGFILE" ]; then
  156. echo >&2 "Key ${KEY} is in keyring ${KEYRINGFILE}, but can't be removed as it is read only."
  157. continue
  158. fi
  159. # check if it is the only key in the keyring and if so remove the keyring altogether
  160. if [ '1' = "$(get_fingerprints_of_keyring "$KEYRINGFILE" | wc -l)" ]; then
  161. mv -f "$KEYRINGFILE" "${KEYRINGFILE}~" # behave like gpg
  162. return
  163. fi
  164. # we can't just modify pointed to files as these might be in /usr or something
  165. local REALTARGET
  166. if [ -L "$KEYRINGFILE" ]; then
  167. REALTARGET="$(readlink -f "$KEYRINGFILE")"
  168. mv -f "$KEYRINGFILE" "${KEYRINGFILE}.dpkg-tmp"
  169. cp -a "$REALTARGET" "$KEYRINGFILE"
  170. fi
  171. # delete the key from the keyring
  172. $GPG --batch --delete-key --yes "$KEY"
  173. if [ -n "$REALTARGET" ]; then
  174. # the real backup is the old link, not the copy we made
  175. mv -f "${KEYRINGFILE}.dpkg-tmp" "${KEYRINGFILE}~"
  176. fi
  177. done
  178. }
  179. foreach_keyring_do() {
  180. local ACTION="$1"
  181. shift
  182. # if a --keyring was given, just remove from there
  183. if [ -n "$FORCED_KEYRING" ]; then
  184. $ACTION "$FORCED_KEYRING" "$@"
  185. else
  186. # otherwise all known keyrings are up for inspection
  187. if [ -s "$TRUSTEDFILE" ]; then
  188. $ACTION "$TRUSTEDFILE" "$@"
  189. fi
  190. local TRUSTEDPARTS="/etc/apt/trusted.gpg.d"
  191. eval $(apt-config shell TRUSTEDPARTS Dir::Etc::TrustedParts/d)
  192. if [ -d "$TRUSTEDPARTS" ]; then
  193. # strip / suffix as gpg will double-slash in that case (#665411)
  194. local STRIPPED_TRUSTEDPARTS="${TRUSTEDPARTS%/}"
  195. if [ "${STRIPPED_TRUSTEDPARTS}/" = "$TRUSTEDPARTS" ]; then
  196. TRUSTEDPARTS="$STRIPPED_TRUSTEDPARTS"
  197. fi
  198. for trusted in $(run-parts --list "$TRUSTEDPARTS" --regex '^.*\.gpg$'); do
  199. if [ -s "$trusted" ]; then
  200. $ACTION "$trusted" "$@"
  201. fi
  202. done
  203. fi
  204. fi
  205. }
  206. run_cmd_on_keyring() {
  207. local KEYRINGFILE="$1"
  208. shift
  209. # fingerprint and co will fail if key isn't in this keyring
  210. $GPG_CMD --keyring "$KEYRINGFILE" --batch "$@" 2>/dev/null || true
  211. }
  212. import_keys_from_keyring() {
  213. local IMPORT="$1"
  214. local KEYRINGFILE="$2"
  215. if ! $GPG_CMD --keyring "$KEYRINGFILE" --batch --import "$IMPORT" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
  216. cat "${GPGHOMEDIR}/gpgoutput.log"
  217. false
  218. fi
  219. }
  220. merge_keys_into_keyrings() {
  221. local KEYRINGFILE="$1"
  222. local IMPORT="$2"
  223. if ! $GPG_CMD --keyring "$KEYRINGFILE" --batch --import --import-options 'merge-only' "$IMPORT" > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
  224. cat "${GPGHOMEDIR}/gpgoutput.log"
  225. false
  226. fi
  227. }
  228. merge_back_changes() {
  229. if [ -n "$FORCED_KEYRING" ]; then
  230. # if the keyring was forced merge is already done
  231. return
  232. fi
  233. if [ -s "${GPGHOMEDIR}/pubring.gpg" ]; then
  234. # merge all updated keys
  235. foreach_keyring_do 'merge_keys_into_keyrings' "${GPGHOMEDIR}/pubring.gpg"
  236. fi
  237. # look for keys which were added or removed
  238. get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.orig.gpg" > "${GPGHOMEDIR}/pubring.orig.keylst"
  239. get_fingerprints_of_keyring "${GPGHOMEDIR}/pubring.gpg" > "${GPGHOMEDIR}/pubring.keylst"
  240. sort "${GPGHOMEDIR}/pubring.keylst" "${GPGHOMEDIR}/pubring.orig.keylst" | uniq --unique | while read key; do
  241. if grep -q "^${key}$" "${GPGHOMEDIR}/pubring.orig.keylst"; then
  242. # key isn't part of new keyring, so remove
  243. foreach_keyring_do 'remove_key_from_keyring' "$key"
  244. elif grep -q "^${key}$" "${GPGHOMEDIR}/pubring.keylst"; then
  245. # key is part of new keyring, so we need to import it
  246. create_new_keyring "$TRUSTEDFILE"
  247. if ! $GPG --batch --yes --export "$key" | $GPG_CMD --keyring "$TRUSTEDFILE" --batch --yes --import > "${GPGHOMEDIR}/gpgoutput.log" 2>&1; then
  248. cat "${GPGHOMEDIR}/gpgoutput.log"
  249. false
  250. fi
  251. else
  252. echo >&2 "Errror: Key ${key} (dis)appeared out of nowhere"
  253. fi
  254. done
  255. }
  256. setup_merged_keyring() {
  257. if [ -z "$FORCED_KEYRING" ]; then
  258. foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg"
  259. if [ -r "${GPGHOMEDIR}/pubring.gpg" ]; then
  260. cp -a "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg"
  261. else
  262. touch "${GPGHOMEDIR}/pubring.gpg" "${GPGHOMEDIR}/pubring.orig.gpg"
  263. fi
  264. GPG="$GPG --keyring ${GPGHOMEDIR}/pubring.gpg"
  265. else
  266. GPG="$GPG --keyring $TRUSTEDFILE"
  267. create_new_keyring "$TRUSTEDFILE"
  268. fi
  269. }
  270. create_new_keyring() {
  271. # gpg defaults to mode 0600 for new keyrings. Create one with 0644 instead.
  272. if ! [ -e "$TRUSTEDFILE" ]; then
  273. if [ -w "$(dirname "$TRUSTEDFILE")" ]; then
  274. touch -- "$TRUSTEDFILE"
  275. chmod 0644 -- "$TRUSTEDFILE"
  276. fi
  277. fi
  278. }
  279. usage() {
  280. echo "Usage: apt-key [--keyring file] [command] [arguments]"
  281. echo
  282. echo "Manage apt's list of trusted keys"
  283. echo
  284. echo " apt-key add <file> - add the key contained in <file> ('-' for stdin)"
  285. echo " apt-key del <keyid> - remove the key <keyid>"
  286. echo " apt-key export <keyid> - output the key <keyid>"
  287. echo " apt-key exportall - output all trusted keys"
  288. echo " apt-key update - update keys using the keyring package"
  289. echo " apt-key net-update - update keys using the network"
  290. echo " apt-key list - list keys"
  291. echo " apt-key finger - list fingerprints"
  292. echo " apt-key adv - pass advanced options to gpg (download key)"
  293. echo
  294. echo "If no specific keyring file is given the command applies to all keyring files."
  295. }
  296. while [ -n "$1" ]; do
  297. case "$1" in
  298. --keyring)
  299. shift
  300. TRUSTEDFILE="$1"
  301. FORCED_KEYRING="$1"
  302. ;;
  303. --secret-keyring)
  304. shift
  305. FORCED_SECRET_KEYRING="$1"
  306. ;;
  307. --readonly)
  308. merge_back_changes() { true; }
  309. ;;
  310. --fakeroot)
  311. requires_root() { true; }
  312. ;;
  313. --quiet)
  314. aptkey_echo() { true; }
  315. ;;
  316. --*)
  317. echo >&2 "Unknown option: $1"
  318. usage
  319. exit 1;;
  320. *)
  321. break;;
  322. esac
  323. shift
  324. done
  325. if [ -z "$TRUSTEDFILE" ]; then
  326. TRUSTEDFILE="/etc/apt/trusted.gpg"
  327. eval $(apt-config shell TRUSTEDFILE Apt::GPGV::TrustedKeyring)
  328. eval $(apt-config shell TRUSTEDFILE Dir::Etc::Trusted/f)
  329. fi
  330. command="$1"
  331. if [ -z "$command" ]; then
  332. usage
  333. exit 1
  334. fi
  335. shift
  336. if [ "$command" != "help" ]; then
  337. eval $(apt-config shell GPG_EXE Apt::Key::gpgcommand)
  338. if [ -n "$GPG_EXE" ] && which "$GPG_EXE" >/dev/null 2>&1; then
  339. true
  340. elif which gpg >/dev/null 2>&1; then
  341. GPG_EXE="gpg"
  342. elif which gpg2 >/dev/null 2>&1; then
  343. GPG_EXE="gpg2"
  344. else
  345. echo >&2 "Error: gnupg or gnupg2 do not seem to be installed,"
  346. echo >&2 "Error: but apt-key requires gnupg or gnupg2 for operation."
  347. echo >&2
  348. exit 255
  349. fi
  350. GPG_CMD="$GPG_EXE --ignore-time-conflict --no-options --no-default-keyring"
  351. # gpg needs (in different versions more or less) files to function correctly,
  352. # so we give it its own homedir and generate some valid content for it
  353. if [ -n "$TMPDIR" ]; then
  354. # tmpdir is a directory and current user has rwx access to it
  355. # same tests as in apt-pkg/contrib/fileutl.cc GetTempDir()
  356. if [ ! -d "$TMPDIR" ] || [ ! -r "$TMPDIR" ] || [ ! -w "$TMPDIR" ] || [ ! -x "$TMPDIR" ]; then
  357. unset TMPDIR
  358. fi
  359. fi
  360. GPGHOMEDIR="$(mktemp -d)"
  361. CURRENTTRAP="${CURRENTTRAP} rm -rf '${GPGHOMEDIR}';"
  362. trap "${CURRENTTRAP}" 0 HUP INT QUIT ILL ABRT FPE SEGV PIPE TERM
  363. chmod 700 "$GPGHOMEDIR"
  364. # We don't use a secret keyring, of course, but gpg panics and
  365. # implodes if there isn't one available - and writeable for imports
  366. SECRETKEYRING="${GPGHOMEDIR}/secring.gpg"
  367. touch $SECRETKEYRING
  368. GPG_CMD="$GPG_CMD --homedir $GPGHOMEDIR"
  369. # create the trustdb with an (empty) dummy keyring
  370. # older gpgs required it, newer gpgs even warn that it isn't needed,
  371. # but require it nonetheless for some commands, so we just play safe
  372. # here for the foreseeable future and create a dummy one
  373. $GPG_CMD --quiet --check-trustdb --keyring $SECRETKEYRING >/dev/null 2>&1
  374. # tell gpg that it shouldn't try to maintain a trustdb file
  375. GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always"
  376. GPG="$GPG_CMD"
  377. # for advanced operations, we might really need a secret keyring after all
  378. if [ -n "$FORCED_SECRET_KEYRING" ] && [ -r "$FORCED_SECRET_KEYRING" ]; then
  379. rm -f "$SECRETKEYRING"
  380. cp -a "$FORCED_SECRET_KEYRING" "$SECRETKEYRING"
  381. fi
  382. fi
  383. case "$command" in
  384. add)
  385. requires_root
  386. setup_merged_keyring
  387. $GPG --quiet --batch --import "$@"
  388. merge_back_changes
  389. aptkey_echo "OK"
  390. ;;
  391. del|rm|remove)
  392. requires_root
  393. foreach_keyring_do 'remove_key_from_keyring' "$@"
  394. aptkey_echo "OK"
  395. ;;
  396. update)
  397. requires_root
  398. setup_merged_keyring
  399. update
  400. merge_back_changes
  401. ;;
  402. net-update)
  403. requires_root
  404. setup_merged_keyring
  405. net_update
  406. merge_back_changes
  407. ;;
  408. list)
  409. foreach_keyring_do 'run_cmd_on_keyring' --list-keys "$@"
  410. ;;
  411. finger*)
  412. foreach_keyring_do 'run_cmd_on_keyring' --fingerprint "$@"
  413. ;;
  414. export|exportall)
  415. foreach_keyring_do 'import_keys_from_keyring' "${GPGHOMEDIR}/pubring.gpg"
  416. $GPG_CMD --keyring "${GPGHOMEDIR}/pubring.gpg" --armor --export "$@"
  417. ;;
  418. adv*)
  419. setup_merged_keyring
  420. aptkey_echo "Executing: $GPG $*"
  421. $GPG "$@"
  422. merge_back_changes
  423. ;;
  424. verify)
  425. setup_merged_keyring
  426. if which gpgv >/dev/null 2>&1; then
  427. gpgv --homedir "${GPGHOMEDIR}" --keyring "${GPGHOMEDIR}/pubring.gpg" --ignore-time-conflict "$@"
  428. else
  429. $GPG --verify "$@"
  430. fi
  431. ;;
  432. help)
  433. usage
  434. ;;
  435. *)
  436. usage
  437. exit 1
  438. ;;
  439. esac