[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#754436: apt: "apt-key del" doesn't support longer key IDs, but indicates no error if they're used

Control: tag -1 patch

On Fri, Jul 11, 2014 at 02:34:33AM +0200, Axel Beckert wrote:
> If I try to delete a key and reference it by an 8 byte keyid instead of
> the short and deprecated 4 byte key ID, apt-key says "OK",

The "OK" is because apt doesn't think they key is in the keyring, so
there's nothing to do.

The attached patch (against debian/sid) fixes that and adds a test.

> Fixing this issue would also fix https://bugs.debian.org/746574 filed
> against gui-apt-key. (I suspect that regression came in when gpg
> switched to printing long key IDs by default as the above command is
> what gui-apt-key uses to parse the content of the trusted.gpg keyring.)

Actually, it came in when apt-key started doing more than simply handing
the key to gpg for the del command (04937adc).

> Interestingly "apt-key export 2FF9CD59612616B5" works as expected.

Yeah, export just hands the key the user provides directly to gpg.

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan@debian.org>

From c9f37d961a9cc102ea0f1cd066cbf454b714a71e Mon Sep 17 00:00:00 2001
From: James McCoy <jamessan@debian.org>
Date: Fri, 11 Jul 2014 01:21:28 -0400
Subject: [PATCH] Handle 16-byte key ids in apt-key del

If a 16-byte key ID is given, the input will match the entire 5th field
of the --with-colons output, so the grep to check if the ID is in the
keyring cannot require characters before the given ID.

Closes: 754436
Signed-off-by: James McCoy <jamessan@debian.org>
---
 cmdline/apt-key.in            | 2 +-
 test/integration/test-apt-key | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
index 0774cf4..b4e0710 100644
--- a/cmdline/apt-key.in
+++ b/cmdline/apt-key.in
@@ -180,7 +180,7 @@ update() {
 remove_key_from_keyring() {
     local GPG="$GPG_CMD --keyring $1"
     # check if the key is in this keyring: the key id is in the 5 column at the end
-    if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]\+$2:"; then
+    if ! $GPG --with-colons --list-keys 2>&1 | grep -q "^pub:[^:]*:[^:]*:[^:]*:[0-9A-F]*$2:"; then
 	return
     fi
     if [ ! -w "$1" ]; then
diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key
index 68b3f97..47230cb 100755
--- a/test/integration/test-apt-key
+++ b/test/integration/test-apt-key
@@ -105,3 +105,9 @@ testfileequal ./aptkey.list 'pub   2048R/528144E2 2011-01-16'
 testsuccess test ! -e rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg
 testsuccess cmp keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg~
 testsuccess cmp keys/testcase-multikey.pub rootdir/etc/apt/trusted.gpg.d/multikey.gpg~
+
+msgtest 'Test key removal with' '8 byte key ID'
+cleanplate
+cp -a keys/joesixpack.pub rootdir/etc/apt/trusted.gpg.d/joesixpack.gpg
+testsuccess --nomsg aptkey --fakeroot del 5A90D141DBAC8DAE
+testempty aptkey list
-- 
2.0.1

Attachment: signature.asc
Description: Digital signature

Reply to: