subject:"apt\: replace \/etc\/apt\/trusted.gpg with \/etc\/apt\/trusted\-keys\/"

apt: replace /etc/apt/trusted.gpg with /etc/apt/trusted-keys/

2005-02-16 Thread Peter Palfrader

On Mon, 14 Feb 2005, Martin Schulze wrote:

 Quoting Andreas Barth from the release team:
 
 |   Actually, we discussed about apt 0.6 within the release team and
 |   with the maintainers. IIRC, the two blocking issues are:
 |
 |   1. All the concepts
 |  - default installation,
 |  - key management,

Currently, apt 0.6 uses a single binary file as its keyring in /etc/apt.
This has the disadvantage that modifying it requires special tools like
apt-key, and so key management is a pain.

The following patch makes apt use a directory in etc/apt named
trusted-keys/.  Keys are simply placed in that directory if the user
wants to trust them for signing the Release file.

[EMAIL PROTECTED]:~$ ls -l /etc/apt/trusted-keys 
total 12
-rw-rw-r--  1 root root  902 Feb 16 10:00 debian-amd-2004.asc
-rw-r--r--  1 root root  751 Feb 16 09:53 debian-archive-2004.asc
-rw-r--r--  1 root root 1430 Feb 16 09:53 debian-archive-2005.asc


On demand apt builds a keyring in /var/cache/apt/gpghome/trusted.gpg and
uses that when checking signatures.


The patch below does that.  The package doesn't migrate your current
/etc/apt/trusted.gpg to the new layout, tho that could be trivially
added should people feel the need.

As should be obvious, I'm not a C++ hacker, so let me know what needs
cleaning and fixing.  It works for me at least :)

I think this patch should be applied to apt before it goes into sarge,
as it makes some key issues easier to deal with.

Peter
diff -Nur apt-0.6.25/debian/changelog apt-0.6.25.1/debian/changelog
--- apt-0.6.25/debian/changelog 2004-06-09 14:33:17.0 +0200
+++ apt-0.6.25.1/debian/changelog   2005-02-16 13:25:50.663561131 +0100
@@ -1,3 +1,18 @@
+apt (0.6.25.1) experimental; urgency=low
+
+  * Do away with /etc/apt/trusted.gpg.  Instead we have a
+/etc/apt/trusted-keys/ directory which holds files with keys.
+The gpgv method updates /var/cache/apt/gpghome/trusted.gpg on
+demand from the keys in /etc/apt/trusted-keys/.
+  * Remove apt-key, as it is no longer needed.
+  * Install the default debian key in /etc/apt/trusted-keys,
+not in /usr/share/apt/debian-archive.gpg
+  * Remove debian/apt.postinst.  All it handled was copying
+the initial trusted.gpg to /etc.
+  * Add amd64 to the archtable.
+
+ -- Peter Palfrader [EMAIL PROTECTED]  Wed, 16 Feb 2005 13:25:44 +0100
+
 apt (0.6.25) experimental; urgency=low
 
   * Fix handling of two-part sources for sources.list deb-src entries in
diff -Nur apt-0.6.25/buildlib/archtable apt-0.6.25.1/buildlib/archtable
--- apt-0.6.25/buildlib/archtable   2002-11-09 20:59:10.0 +0100
+++ apt-0.6.25.1/buildlib/archtable 2005-02-16 08:53:08.274317000 +0100
@@ -24,3 +24,4 @@
 ia64   ia64
 s390   s390
 s390x  s390x
+x86_64 amd64
diff -Nur apt-0.6.25/cmdline/apt-key apt-0.6.25.1/cmdline/apt-key
--- apt-0.6.25/cmdline/apt-key  2004-01-15 21:19:18.0 +0100
+++ apt-0.6.25.1/cmdline/apt-key1970-01-01 01:00:00.0 +0100
@@ -1,60 +0,0 @@
-#!/bin/sh
-
-set -e
-
-usage() {
-echo Usage: apt-key [command] [arguments]
-echo
-echo Manage apt's list of trusted keys
-echo
-echo   apt-key add file  - add the key contained in file ('-' 
for stdin)
-echo   apt-key del keyid - remove the key keyid
-echo   apt-key list- list keys
-echo
-}
-
-command=$1
-if [ -z $command ]; then
-usage
-exit 1
-fi
-shift
-
-if [ $command != help ]  ! which gpg /dev/null 21; then
-echo 2 Warning: gnupg does not seem to be installed.
-echo 2 Warning: apt-key requires gnupg for most operations.
-echo 2
-fi
-
-# We don't use a secret keyring, of course, but gpg panics and
-# implodes if there isn't one available
-
-GPG=gpg --no-options --no-default-keyring --keyring /etc/apt/trusted.gpg 
--secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg
-
-case $command in
-add)
-$GPG --quiet --batch --import $1
-echo OK
-;;
-del|rm|remove)
-$GPG --quiet --batch --delete-key --yes $1
-echo OK
-;;
-list)
-$GPG --batch --list-keys
-;;
-finger*)
-$GPG --batch --fingerprint
-;;
-adv*)
-echo Executing: $GPG $*
-$GPG $*
-;;
-help)
-usage
-;;
-*)
-usage
-exit 1
-;;
-esac
diff -Nur apt-0.6.25/cmdline/makefile apt-0.6.25.1/cmdline/makefile
--- apt-0.6.25/cmdline/makefile 2003-12-25 00:09:17.0 +0100
+++ apt-0.6.25.1/cmdline/makefile   2005-02-16 09:49:30.201016123 +0100
@@ -46,9 +46,3 @@
 LIB_MAKES = apt-pkg/makefile
 SOURCE = apt-extracttemplates.cc 
 include $(PROGRAM_H)
-
-# The apt-key program
-SOURCE=apt-key
-TO=$(BIN)
-TARGET=program
-include $(COPY_H)
diff -Nur apt-0.6.25/configure apt-0.6.25.1/configure
--- apt-0.6.25/configure2004-06-09 14:34:09.0 +0200
+++ apt-0.6.25.1/configure  2005-02-16 08:49:55.950520272 +0100
@@ -1347,7 +1347,7 @@
 
 
 cat

Re: apt: replace /etc/apt/trusted.gpg with /etc/apt/trusted-keys/

2005-02-16 Thread martin f krafft

also sprach Peter Palfrader [EMAIL PROTECTED] [2005.02.16.1337 +0100]:
 The following patch makes apt use a directory in etc/apt named
 trusted-keys/.  Keys are simply placed in that directory if the
 user wants to trust them for signing the Release file.

This is a great idea. I have briefly reviewed the patch, and it
looks okay. Thanks!

Florian, what's the status now? How do we proceed?

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!


signature.asc
Description: Digital signature

apt: replace /etc/apt/trusted.gpg with /etc/apt/trusted-keys/

Re: apt: replace /etc/apt/trusted.gpg with /etc/apt/trusted-keys/

2 matches

Site Navigation

Mail list logo

Footer information