On Mon, 14 Feb 2005, Martin Schulze wrote:
> Quoting Andreas Barth from the release team:
>
> | Actually, we discussed about apt 0.6 within the release team and
> | with the maintainers. IIRC, the two blocking issues are:
> |
> | 1. All the concepts
> | - default installation,
> | - key management,

Currently, apt 0.6 uses a single binary file as its keyring in /etc/apt.
This has the disadvantage that modifying it requires special tools like
apt-key, and so key management is a pain.

The following patch makes apt use a directory in /etc/apt named
trusted-keys/. Keys are simply placed in that directory if the user
wants to trust them for signing the Release file.

[EMAIL PROTECTED]:~$ ls -l /etc/apt/trusted-keys
total 12
-rw-rw-r-- 1 root root  902 Feb 16 10:00 debian-amd-2004.asc
-rw-r--r-- 1 root root  751 Feb 16 09:53 debian-archive-2004.asc
-rw-r--r-- 1 root root 1430 Feb 16 09:53 debian-archive-2005.asc

On demand apt builds a keyring in /var/cache/apt/gpghome/trusted.gpg and
uses that when checking signatures.

The patch below does that. The package doesn't migrate your current
/etc/apt/trusted.gpg to the new layout, though that could be trivially
added should people feel the need.

As should be obvious, I'm not a C++ hacker, so let me know what needs
cleaning and fixing. It works for me at least :)

I think this patch should be applied to apt before it goes into sarge,
as it makes some key issues easier to deal with.

Peter
diff -Nur apt-0.6.25/debian/changelog apt-0.6.25.1/debian/changelog
--- apt-0.6.25/debian/changelog 2004-06-09 14:33:17.0 +0200
+++ apt-0.6.25.1/debian/changelog 2005-02-16 13:25:50.663561131 +0100
@@ -1,3 +1,18 @@
+apt (0.6.25.1) experimental; urgency=low
+
+ * Do away with /etc/apt/trusted.gpg. Instead we have a
+/etc/apt/trusted-keys/ directory which holds files with keys.
+The gpgv method updates /var/cache/apt/gpghome/trusted.gpg on
+demand from the keys in /etc/apt/trusted-keys/.
+ * Remove apt-key, as it is no longer needed.
+ * Install the default debian key in /etc/apt/trusted-keys,
+not in /usr/share/apt/debian-archive.gpg
+ * Remove debian/apt.postinst. All it handled was copying
+the initial trusted.gpg to /etc.
+ * Add amd64 to the archtable.
+
+ -- Peter Palfrader <[EMAIL PROTECTED]> Wed, 16 Feb 2005 13:25:44 +0100
+
apt (0.6.25) experimental; urgency=low
* Fix handling of two-part sources for sources.list deb-src entries in
diff -Nur apt-0.6.25/buildlib/archtable apt-0.6.25.1/buildlib/archtable
--- apt-0.6.25/buildlib/archtable 2002-11-09 20:59:10.0 +0100
+++ apt-0.6.25.1/buildlib/archtable 2005-02-16 08:53:08.274317000 +0100
@@ -24,3 +24,4 @@
ia64 ia64
s390 s390
s390x s390x
+x86_64 amd64
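Review bot: `+x86_64 amd64` has nothing to do with the keyring rework and belongs in its own patch so the amd64 archtable fix can be applied or reverted independently; the changelog line `* Add amd64 to the archtable.` would move with it.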
diff -Nur apt-0.6.25/cmdline/apt-key apt-0.6.25.1/cmdline/apt-key
--- apt-0.6.25/cmdline/apt-key 2004-01-15 21:19:18.0 +0100
+++ apt-0.6.25.1/cmdline/apt-key1970-01-01 01:00:00.0 +0100
@@ -1,60 +0,0 @@
-#!/bin/sh
-
-set -e
-
-usage() {
-echo "Usage: apt-key [command] [arguments]"
-echo
-echo "Manage apt's list of trusted keys"
-echo
-echo " apt-key add - add the key contained in ('-'
for stdin)"
-echo " apt-key del - remove the key "
-echo " apt-key list- list keys"
-echo
-}
-
-command="$1"
-if [ -z "$command" ]; then
-usage
-exit 1
-fi
-shift
-
-if [ "$command" != "help" ] && ! which gpg >/dev/null 2>&1; then
-echo >&2 "Warning: gnupg does not seem to be installed."
-echo >&2 "Warning: apt-key requires gnupg for most operations."
-echo >&2
-fi
-
-# We don't use a secret keyring, of course, but gpg panics and
-# implodes if there isn't one available
-
-GPG="gpg --no-options --no-default-keyring --keyring /etc/apt/trusted.gpg
--secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg"
-
-case "$command" in
-add)
-$GPG --quiet --batch --import "$1"
-echo "OK"
-;;
-del|rm|remove)
-$GPG --quiet --batch --delete-key --yes "$1"
-echo "OK"
-;;
-list)
-$GPG --batch --list-keys
-;;
-finger*)
-$GPG --batch --fingerprint
-;;
-adv*)
-echo "Executing: $GPG $*"
-$GPG $*
-;;
-help)
-usage
-;;
-*)
-usage
-exit 1
-;;
-esac
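Review bot: deleting cmdline/apt-key outright removes the only supported way to list and fingerprint the trusted keys, and breaks every script and document that calls `apt-key add` or `apt-key list`. Keeping a thin apt-key with the same subcommands (`add` copying the file into /etc/apt/trusted-keys/, `del` removing it, `list` and `finger*` running gpg against the cached keyring) would preserve the command-line contract on top of the new layout; `finger*` in particular is how an admin confirms a key file is the one they meant to trust before dropping it in the directory.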
diff -Nur apt-0.6.25/cmdline/makefile apt-0.6.25.1/cmdline/makefile
--- apt-0.6.25/cmdline/makefile 2003-12-25 00:09:17.0 +0100
+++ apt-0.6.25.1/cmdline/makefile 2005-02-16 09:49:30.201016123 +0100
@@ -46,9 +46,3 @@
LIB_MAKES = apt-pkg/makefile
SOURCE = apt-extracttemplates.cc
include $(PROGRAM_H)
-
-# The apt-key program
-SOURCE=apt-key
-TO=$(BIN)
-TARGET=program
-include $(COPY_H)
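Review bot: this hunk only stops building apt-key; if the tree carries anything else that refers to the program (an apt-key manpage, or a packaging file that installs it), it needs removing in the same patch, otherwise the build either fails or ships documentation for a command that no longer exists. A grep for apt-key across the source before this goes in would settle it.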
diff -Nur apt-0.6.25/configure apt-0.6.25.1/configure
--- apt-0.6.25/configure2004-06-09 14:34:09.0 +0200
+++ apt-0.6.25.1/configure 2005-02-16 08:49:55.950520272 +010
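As an added example, not part of Peter's patch, here is a POSIX shell sketch of the on-demand rebuild the mail describes: armored key files in /etc/apt/trusted-keys/, a cache keyring in /var/cache/apt/gpghome/trusted.gpg regenerated only when a key is added, changed or removed, and gpgv run against that cache. The function names, the use of the directory mtime to detect a removed key, and the exact gpg/gpgv invocations are my assumptions, not taken from the patch.

```shell
#!/bin/sh
set -e

KEYS_DIR="${KEYS_DIR:-/etc/apt/trusted-keys}"      # assumed layout from the mail
CACHE_DIR="${CACHE_DIR:-/var/cache/apt/gpghome}"
KEYRING="$CACHE_DIR/trusted.gpg"

# Exit 0 ("stale") when the cache is missing, when any *.asc is newer than it,
# or when the directory itself is newer (a key was added or removed).
keyring_stale() {
    dir=$1; ring=$2
    [ -f "$ring" ] || return 0
    for k in "$dir"/*.asc; do
        [ -e "$k" ] || continue          # pattern did not match: no keys
        if [ "$k" -nt "$ring" ]; then return 0; fi
    done
    if [ "$dir" -nt "$ring" ]; then return 0; fi
    return 1
}

# Import every *.asc into a fresh keyring and swap it into place atomically, so
# gpgv never sees a half-built cache. gpg state lives under the cache dir.
build_keyring() {
    dir=$1; ring=$2
    mkdir -p "$(dirname "$ring")"
    tmp="$ring.tmp.$$"
    rm -f "$tmp"
    for k in "$dir"/*.asc; do
        [ -e "$k" ] || continue
        gpg --homedir "$(dirname "$ring")" --no-options --no-default-keyring \
            --keyring "$tmp" --quiet --batch --import "$k"
    done
    [ -e "$tmp" ] || : > "$tmp"          # no keys at all: empty ring, nothing verifies
    mv "$tmp" "$ring"
}

# Verify Release against its detached Release.gpg; gpgv exits non-zero on a bad
# or unknown signature, and set -e turns that into a failed script.
verify_release() {
    release=$1; sig=$2
    if keyring_stale "$KEYS_DIR" "$KEYRING"; then
        build_keyring "$KEYS_DIR" "$KEYRING"
    fi
    gpgv --keyring "$KEYRING" "$sig" "$release"
}

case "${1:-}" in
    rebuild) build_keyring "$KEYS_DIR" "$KEYRING" ;;
    verify)  verify_release "$2" "$3" ;;
esac
```

Run as `verify Release Release.gpg` to check a signature, or `rebuild` to force the cache to be regenerated.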