U &c*@sdZddlmZzddlmZWnek r4YnXddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddl mZe jjdkreZz$ddlmZmZmZeeeWnek rYnXGdd d eZGd d d eZGd d d eZddZddZddZddZddZ ddZ!ddZ"ddZ#ddZ$d d!Z%e&d"krd#d$d%d$e 'e%D]Z(e)e(qtdS)&z4Handle GnuPG keys used to trust signed repositories.)print_function)OptionalN)gettext)ListTupleUnionc@s eZdZdS) AptKeyErrorN)__name__ __module__ __qualname__r r */usr/lib/python3/dist-packages/apt/auth.pyr :sr c@seZdZdZdS)AptKeyIDTooShortErrorz!Internal class do not rely on it.N)r r r __doc__r r r rr>src@s eZdZdZddZddZdS) TrustedKeyzRepresents a trusted key.cCs ||_t||_||_||_dS)N)Zraw_name_namekeyiddate)selfrrrr r r__init__Fs zTrustedKey.__init__cCsd|j|j|jfS)Nz%s %s %s)rrr)rr r r__str__NszTrustedKey.__str__N)r r r rrrr r r rrBsrc Os0d}tjddg}||tj}d|d<d|d<ztjdd krt j d d d }| tj d ||j|d<tj||dtjtjtjd}|dd}tjjdkrt|tr| d}||\}}|jrtd|jd|||fn|r tj ||WS|dk r*|XdS)z0Run the apt-key script with the given arguments.NzDir::Bin::Apt-Keyz/usr/bin/apt-keyCZLANG1Z$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGEZDir/zapt-keyz.conf)prefixsuffixzUTF-8Z APT_CONFIGT)envuniversal_newlinesstdinstdoutstderrr zutf-8zGThe apt-key script failed with return code %s: %s stdout: %s stderr: %s )apt_pkgZconfigZ find_fileextendosenvironcopycloseZfind_dirtempfileZNamedTemporaryFilewritedumpencodeflushr subprocessPopenPIPEgetsys version_infomajor isinstanceunicode communicate returncoder joinr"strip) argskwargsconfcmdrprocr outputr"r r r_call_apt_key_scriptSsN         rCcCs@tj|std|t|tjs2td|td|dS)zImport a GnuPG key file to trust repositores signed by it. Keyword arguments: filename -- the absolute path to the public GnuPG key file z An absolute path is required: %szKey file cannot be accessed: %saddN)r'pathabspathr accessR_OKrC)filenamer r radd_key_from_files    rJc CsRt}z,zt|||Wntk r0YnXW5dd}tj||dXdS)zImport a GnuPG key file to trust repositores signed by it. Keyword arguments: keyid -- the long keyid (fingerprint) of the key, e.g. A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 keyserver -- the URL or hostname of the key server cSs(t|dtr"|djtjkr"dSdS)N)r7OSErrorerrnoZENOENT)funcrEexc_infor r ronerrors z'add_key_from_keyserver..onerror)rPN)r+ZmkdtempshutilZrmtree_add_key_from_keyserver Exception)r keyservertmp_keyring_dirrPr r radd_key_from_keyservers  rVc CsNt|dddddkr$tdtj|d}tj|d}dd d d |g}t|d |d |d|d|g}|dkrtd||ftj|d}t|d |d|d|g}|dkrtd|tj |d |ddddgtj dd d}d} | D]"} | dr| dd} qq|dd} | | krBtd|| ft|dS)Nr$Z0xgD@z,Only fingerprints (v4, 160bit) are supportedz secring.gpgz pubring.gpgZgpgz--no-default-keyringz --no-optionsz --homedirz--secret-keyringz --keyringz --keyserverz--recvrzrecv from '%s' failed for '%s'zexport-keyring.gpgz--outputz--exportzexport of '%s' failedz --fingerprint--batch--fixed-list-mode --with-colonsT)r!rzfpr:: )lenreplacerr'rEr;r0callr r1r2r9 splitlines startswithsplitupperrJ) rrTrUZtmp_secret_keyringZ tmp_keyringZgpg_default_optionsresZtmp_export_keyringrBZgot_fingerprintlineZsigning_key_fingerprintr r rrRs       rRcCstddddd|ddS)zImport a GnuPG key to trust repositores signed by it. Keyword arguments: content -- the content of the GnuPG public key advz--quietrXz--import-)r NrC)Zcontentr r radd_keys ricCstd|dS)zRemove a GnuPG key to no longer trust repositores signed by it. Keyword arguments: fingerprint -- the fingerprint identifying the key ZrmNrhZ fingerprintr r r remove_keysrkcCs td|S)zxReturn the GnuPG key in text format. Keyword arguments: fingerprint -- the fingerprint identifying the key Zexportrhrjr r r export_key srlcCstdS)aUpdate the local keyring with the archive keyring and remove from the local keyring the archive keys which are no longer valid. The archive keyring is shipped in the archive-keyring package of your distribution, e.g. the debian-archive-keyring package in Debian. updaterhr r r rrmsrmcCstdS)ayWork similar to the update command above, but get the archive keyring from an URI instead and validate it against a master key. This requires an installed wget(1) and an APT build configured to have a server to fetch from and a master keyring to validate. APT in Debian does not support this command and relies on update instead, but Ubuntu's APT does. z net-updaterhr r r r net_updates rncCsxtddddd}g}|dD]T}|d}|dd kr@|d }|dd kr|d }|d }t|||}||q|S)zaReturns a list of TrustedKey instances for each key which is used to trust repositories. rfrZrXrYz --list-keys r[rZpubuidr\)rCrbrappend)rBrdreZfieldsrrqZ creation_datekeyr r r list_keys)s     ru__main__cCstdS)Nz;Ubuntu Archive Automatic Signing Key rr r r rBrxcCstdS)Nz:Ubuntu CD Image Automatic Signing Key rwr r r rrxCry)*rZ __future__rtypingr ImportErrorrMr'os.pathrQr0r4r+r%rrr5r6strr8rrrrSr robjectrrCrJrVrRrirkrlrmrnrur ZinitZ trusted_keyprintr r r rsT   0H