/usr/share/aptdaemon/aptd-import-from-keyserver is in aptdaemon 0.43+bzr805-0ubuntu10.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 | #!/usr/bin/python
import os
import shutil
import subprocess
import sys
import tempfile
class AptKeyError(Exception):
    """Raised when fetching, verifying or importing an APT signing key fails."""
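def add_key_from_keyserver(keyid, keyserver):
    """Import a GnuPG key from a keyserver to trust repositories signed by it.

    Keyword arguments:
    keyid -- the long keyid (fingerprint) of the key, e.g.
             A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553
    keyserver -- the URL or hostname of the key server

    Returns whatever the verification/import step returns (True on success).

    Raises AptKeyError if the key cannot be fetched, verified or added.
    """
    # gpg gets a private homedir so that nothing from the invoking user's
    # configuration or keyrings takes part in the check; mkdtemp() creates
    # the directory readable by the current user only.
    tmp_keyring_dir = tempfile.mkdtemp()
    try:
        return _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir)
    finally:
        # Always discard the scratch keyrings, also when the import failed.
        shutil.rmtree(tmp_keyring_dir)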
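def _add_key_from_keyserver(keyid, keyserver, tmp_keyring_dir):
    """Fetch *keyid* from *keyserver* into a scratch keyring, verify it and
    hand the verified keyring to ``apt-key add``.

    Keyword arguments:
    keyid -- the full v4 fingerprint (40 hex digits, optional "0x" prefix)
    keyserver -- the URL or hostname of the key server, passed to gpg
    tmp_keyring_dir -- an existing private directory used as gpg's homedir;
                       the caller owns it and removes it afterwards

    Returns True once apt-key has accepted the key.

    Raises AptKeyError if *keyid* is not a full fingerprint, if a gpg step
    fails, if the fingerprint of the fetched key differs from *keyid*, or
    if apt-key rejects the keyring.
    """
    # Normalise up front: drop a leading "0x" and uppercase, since gpg's
    # "fpr" records use uppercase hex.  Only a full 160-bit v4 fingerprint
    # (40 hex digits) is accepted -- the later comparison is against the
    # full fingerprint anyway, so anything shorter could never match.
    expected_fingerprint = _normalize_fingerprint(keyid)
    if expected_fingerprint is None:
        raise AptKeyError("Only long keyids (v4, 160bit) are supported")

    tmp_secret_keyring = os.path.join(tmp_keyring_dir, "secring.gpg")
    tmp_keyring = os.path.join(tmp_keyring_dir, "pubring.gpg")
    tmp_export_keyring = os.path.join(tmp_keyring_dir, "export-keyring.gpg")
    # Every gpg call uses the scratch homedir and ignores the caller's own
    # options file and default keyrings.
    gpg_default_options = [
        "gpg",
        "--no-default-keyring", "--no-options",
        "--homedir", tmp_keyring_dir,
    ]

    # 1. Download into the scratch keyring.  A keyserver may hand back more
    #    than was asked for, so nothing in this keyring is trusted as-is.
    res = subprocess.call(gpg_default_options + [
        "--secret-keyring", tmp_secret_keyring,
        "--keyring", tmp_keyring,
        "--keyserver", keyserver,
        "--recv", keyid,
    ])
    if res != 0:
        raise AptKeyError("recv from '%s' failed for '%s'" % (
            keyserver, keyid))

    # 2. Export only the requested fingerprint into a second keyring, so the
    #    file that is eventually imported holds exactly this one key and not
    #    whatever else the keyserver (or someone in the middle) returned.
    res = subprocess.call(gpg_default_options + [
        "--keyring", tmp_keyring,
        "--output", tmp_export_keyring,
        "--export", keyid,
    ])
    if res != 0:
        raise AptKeyError("export of '%s' failed" % keyid)

    # 3. Read the primary fingerprint back out of the exported keyring and
    #    compare it with the requested one.  Largely redundant with the
    #    export-by-fingerprint above, but cheap paranoia.  A failing gpg
    #    here yields no "fpr" record and therefore a mismatch below.
    output = subprocess.Popen(
        gpg_default_options + [
            "--keyring", tmp_export_keyring,
            "--fingerprint",
            "--batch",
            "--with-colons",
        ],
        stdout=subprocess.PIPE,
        universal_newlines=True).communicate()[0]
    got_fingerprint = _primary_fingerprint(output)
    if got_fingerprint != expected_fingerprint:
        raise AptKeyError(
            "Fingerprints do not match, not importing: '%s' != '%s'" % (
                expected_fingerprint, got_fingerprint))

    # 4. Import the keyring that was just verified -- not pubring.gpg, which
    #    still contains everything the keyserver sent.
    res = subprocess.call(["apt-key", "add", tmp_export_keyring])
    if res != 0:
        raise AptKeyError(
            "Failed to import keyfile from '%s'" % tmp_export_keyring)
    return True


def _normalize_fingerprint(keyid):
    """Return *keyid* as 40 uppercase hex digits, or None if it is not a
    full v4 fingerprint.  An optional leading "0x" is dropped first."""
    candidate = keyid[2:] if keyid[:2].lower() == "0x" else keyid
    candidate = candidate.upper()
    if len(candidate) != 40:
        return None
    if any(char not in "0123456789ABCDEF" for char in candidate):
        return None
    return candidate


def _primary_fingerprint(colon_output):
    """Return the fingerprint from the first "fpr:" record of a gpg
    --with-colons listing, or None if there is none.

    Only the first record counts: any later one belongs to a subkey or
    another key and must not be allowed to satisfy the check.
    """
    for line in colon_output.splitlines():
        if line.startswith("fpr:"):
            fields = line.split(":")
            # Field 10 is the fingerprint; a truncated record counts as
            # "no fingerprint" rather than crashing.
            return fields[9] if len(fields) > 9 else None
    return None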
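if __name__ == "__main__":
    # Usage: aptd-import-from-keyserver KEYID KEYSERVER
    # Extra arguments are ignored, as before; missing ones used to end in an
    # IndexError traceback instead of a usage line.
    if len(sys.argv) < 3:
        sys.stderr.write(
            "Usage: %s KEYID KEYSERVER\n" % os.path.basename(sys.argv[0]))
        sys.exit(2)
    keyid = sys.argv[1]
    keyserver = sys.argv[2]
    try:
        add_key_from_keyserver(keyid, keyserver)
    except AptKeyError as error:
        # Report the reason on stderr without a traceback; the non-zero exit
        # status is what the caller acts on.
        sys.stderr.write("%s\n" % error)
        sys.exit(1)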