U &c*@sdZddlmZzddlmZWnek r4YnXddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddl mZe jjdkreZz$ddlmZmZmZeeeWnek rYnXGdd d eZGd d d eZGd d d eZddZddZddZddZddZ ddZ!ddZ"ddZ#ddZ$d d!Z%e&d"krd#d$d%d$e 'e%D]Z(e)e(qtdS)&z4Handle GnuPG keys used to trust signed repositories.)print_function)OptionalN)gettext)ListTupleUnionc@s eZdZdS) AptKeyErrorN)__name__ __module__ __qualname__r r */usr/lib/python3/dist-packages/apt/auth.pyr :sr c@seZdZdZdS)AptKeyIDTooShortErrorz!Internal class do not rely on it.N)r r r __doc__r r r rr>src@s eZdZdZddZddZdS) TrustedKeyzRepresents a trusted key.cCs ||_t||_||_||_dS)N)Zraw_name_namekeyiddate)selfrrrr r r__init__Fs zTrustedKey.__init__cCsd|j|j|jfS)Nz%s %s %s)rrr)rr r r__str__NszTrustedKey.__str__N)r r r rrrr r r rrBsrc Os0d}tjddg}||tj}d|d<d|d<ztjdd krt j d d d }| tj d ||j|d<tj||dtjtjtjd}|dd}tjjdkrt|tr| d}||\}}|jrtd|jd|||fn|r tj ||WS|dk r*|XdS)z0Run the apt-key script with the given arguments.NzDir::Bin::Apt-Keyz/usr/bin/apt-keyCZLANG1Z$APT_KEY_DONT_WARN_ON_DANGEROUS_USAGEZDir/zapt-keyz.conf)prefixsuffixzUTF-8Z APT_CONFIGT)envuniversal_newlinesstdinstdoutstderrr zutf-8zGThe apt-key script failed with return code %s: %s stdout: %s stderr: %s )apt_pkgZconfigZ find_fileextendosenvironcopycloseZfind_dirtempfileZNamedTemporaryFilewritedumpencodeflushr subprocessPopenPIPEgetsys version_infomajor isinstanceunicode communicate returncoder joinr"strip) argskwargsZconfcmdrprocr outputr"r r r_call_apt_key_scriptSsN         rBcCs@tj|std|t|tjs2td|td|dS)zImport a GnuPG key file to trust repositores signed by it. Keyword arguments: filename -- the absolute path to the public GnuPG key file z An absolute path is required: %szKey file cannot be accessed: %saddN)r'pathabspathr accessR_OKrB)filenamer r radd_key_from_files    rIc CsRt}z,zt|||Wntk r0YnXW5dd}tj||dXdS)zImport a GnuPG key file to trust repositores signed by it. Keyword arguments: keyid -- the long keyid (fingerprint) of the key, e.g. A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 keyserver -- the URL or hostname of the key server cSs(t|dtr"|djtjkr"dSdS)N)r7OSErrorerrnoZENOENT)funcrDexc_infor r ronerrors z'add_key_from_keyserver..onerror)rON)r+ZmkdtempshutilZrmtree_add_key_from_keyserver Exception)r keyservertmp_keyring_dirrOr r radd_key_from_keyservers  rUc CsNt|dddddkr$tdtj|d}tj|d}dd d d |g}t|d |d |d|d|g}|dkrtd||ftj|d}t|d |d|d|g}|dkrtd|tj |d |ddddgtj dd d}d} | D]"} | dr| dd} qq|dd} | | krBtd|| ft|dS)Nr$Z0xgD@z,Only fingerprints (v4, 160bit) are supportedz secring.gpgz pubring.gpgZgpgz--no-default-keyringz --no-optionsz --homedirz--secret-keyringz --keyringz --keyserverz--recvrzrecv from '%s' failed for '%s'zexport-keyring.gpgz--outputz--exportzexport of '%s' failedz --fingerprint--batch--fixed-list-mode --with-colonsT)r!rzfpr:: )lenreplacerr'rDr;r0Zcallr r1r2r9 splitlines startswithsplitupperrI) rrSrTZtmp_secret_keyringZ tmp_keyringZgpg_default_optionsresZtmp_export_keyringrAZgot_fingerprintlineZsigning_key_fingerprintr r rrQs       rQcCstddddd|ddS)zImport a GnuPG key to trust repositores signed by it. Keyword arguments: content -- the content of the GnuPG public key advz--quietrWz--import-)r NrB)Zcontentr r radd_keys rgcCstd|dS)zRemove a GnuPG key to no longer trust repositores signed by it. Keyword arguments: fingerprint -- the fingerprint identifying the key ZrmNrfZ fingerprintr r r remove_keysricCs td|S)zxReturn the GnuPG key in text format. Keyword arguments: fingerprint -- the fingerprint identifying the key Zexportrfrhr r r export_key srjcCstdS)aUpdate the local keyring with the archive keyring and remove from the local keyring the archive keys which are no longer valid. The archive keyring is shipped in the archive-keyring package of your distribution, e.g. the debian-archive-keyring package in Debian. updaterfr r r rrksrkcCstdS)ayWork similar to the update command above, but get the archive keyring from an URI instead and validate it against a master key. This requires an installed wget(1) and an APT build configured to have a server to fetch from and a master keyring to validate. APT in Debian does not support this command and relies on update instead, but Ubuntu's APT does. z net-updaterfr r r r net_updates rlcCsxtddddd}g}|dD]T}|d}|dd kr@|d }|dd kr|d }|d }t|||}||q|S)zaReturns a list of TrustedKey instances for each key which is used to trust repositories. rdrYrWrXz --list-keys rZrZpubuidr[)rBr`rappend)rArbrcZfieldsrroZ creation_datekeyr r r list_keys)s     rs__main__cCstdS)Nz;Ubuntu Archive Automatic Signing Key rr r r rBrvcCstdS)Nz:Ubuntu CD Image Automatic Signing Key rur r r rrvCrw)*rZ __future__rtypingr ImportErrorrLr'os.pathrPr0r4r+r%rrr5r6strr8rrrrRr robjectrrBrIrUrQrgrirjrkrlrsr ZinitZ trusted_keyprintr r r rsT   0H