
Bug#951296: apt: please "apt-key is-trusted" command



Package: apt
Version: 1.8.4
Severity: wishlist

Hi,

this bug is a follow-up to

https://lists.debian.org/20200207000348.neeqjzu3qx6zwnul@crossbow

mmdebstrap wants to have an answer to the question "does apt trust this
key" and it would be nice if the answer would come from apt directly
because what I'm currently doing is to manually invoke gpg on whatever
I find in /etc/apt/trusted.gpg and /etc/apt/trusted.gpg.d/, list the
fingerprints and check whether the fingerprint I am looking for is in
the result or not.

DonKult proposed the following patch:

     diff --git a/cmdline/apt-key.in b/cmdline/apt-key.in
     @@ -781,6 +781,16 @@ case "$command" in
             warn_on_script_usage
             foreach_keyring_do 'list_keys_in_keyring' --fingerprint "$@"
             ;;
     +    is-trusted)
     +       merge_all_trusted_keyrings_into_pubring
     +       if [ "$#" = '0' -o "$(aptkey_execute "$GPG_SH" --keyring "${GPGHOMEDIR}/pubring.gpg" --with-colons --list-keys "$@"
     2>/dev/null | grep -c '^pub:')" != "$#" ]; then
     +          exit 1
     +       fi
     +       ;;
     +    list-fingerprints)
     +       setup_merged_keyring
     +       aptkey_execute "$GPG" --with-colons --list-keys 2>/dev/null | grep '^fpr:' | cut -d':' -f 10
     +       ;;
          export|exportall)
             warn_on_script_usage
             merge_all_trusted_keyrings_into_pubring
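
Review bot: in the is-trusted branch, comparing the count of `^pub:` lines with `$#` does not show that every argument names a trusted key. `--list-keys "$@"` prints one `pub:` record per matching key, so one argument that matches two keys while another matches none still yields equal counts, and the same key passed twice makes them differ. Checking each argument on its own, requiring exactly one match, and accepting only full fingerprints would avoid both cases. The grep also ignores the validity field of the `pub:` record, so an expired or revoked key counts as trusted. In list-fingerprints, `grep '^fpr:'` can emit subkey fingerprints next to primary ones with nothing to tell them apart. The two branches also prepare the keyring differently (merge_all_trusted_keyrings_into_pubring with "$GPG_SH" versus setup_merged_keyring with "$GPG"); a comment explaining why would help. The `[ ... -o ... ]` test would be clearer as two tests joined with `||`. Neither new command is documented in the visible diff.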

For my purposes I basically don't care whether apt gives me the key
material itself or just a list of fingerprints as proposed above. The
only improvement would be if I could also pass a keyring filename
because with the above I would still have to run gpg to extract the
fingerprint from the filename I have.

Something like this would be ideal:

    $ apt-key is-trusted /usr/share/keyrings/debian-archive-keyring.gpg
    $ echo $?
    0

Thanks!

cheers, josch
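
The manual check described in the message (list the fingerprints gpg reports for apt's keyrings and look for one of them), as an added example that is not part of the original message or of apt: it parses gpg's colon listing and separates primary keys, subkeys and expired or revoked keys. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the colon format printed by
# `gpg --with-colons --list-keys` (made-up keys, not a real keyring).
sample_listing() {
cat <<'EOF'
pub:-:4096:1:C3D4E5F6A1B2C3D4:1500000000:::-:::scSC:
fpr:::::::::A1B2C3D4E5F6A1B2C3D4E5F6A1B2C3D4E5F6A1B2:
uid:-::::1500000000::::Constructed Archive Key <a@example.org>:
sub:-:4096:1:2222222222222222:1500000000::::::s:
fpr:::::::::2222222222222222222222222222222222222222:
pub:e:4096:1:3333333333333333:1400000000:1500000000::-:::sc:
fpr:::::::::3333333333333333333333333333333333333333:
EOF
}

# fpr_status FPR  (hypothetical helper; the listing is read from stdin)
# Prints primary, subkey, unusable-pub, unusable-sub or absent.
fpr_status() {
    # Normalise the wanted fingerprint: drop spaces, upper-case hex digits.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -F: -v want="$want" '
        # Remember which key record the next fpr line belongs to.
        $1 == "pub" || $1 == "sub" { kind = $1; validity = $2 }
        $1 == "fpr" && $10 == want && !found {
            found = 1
            # Field 2 is validity: e = expired, r = revoked, i = invalid.
            if (validity ~ /^[eri]$/) result = "unusable-" kind
            else if (kind == "pub")   result = "primary"
            else                      result = "subkey"
        }
        END { print (found ? result : "absent") }
    '
}

# is_trusted_fpr FPR: exit 0 only for a usable key in the listing.
is_trusted_fpr() {
    case "$(fpr_status "$1")" in
        primary|subkey) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on the constructed sample. On a real system the listing would come
# from gpg run against each keyring file, as the message describes.
sample_listing | fpr_status 'a1b2 c3d4 e5f6 a1b2 c3d4 e5f6 a1b2 c3d4 e5f6 a1b2'
```
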

