Signed-off-by: Allan McRae <allan@archlinux.org>
---
 config | 1 +
 db-functions | 14 ++++++++++++++
 db-update | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/config b/config
index 3df6c95..d1413cc 100644
--- a/config
+++ b/config
@@ -18,6 +18,7 @@ SOURCE_CLEANUP_DRYRUN=false
 SOURCE_CLEANUP_KEEP=14
 REQUIRE_SIGNATURE=true
+MASTER_KEYS=('6AC6A4C2' '824B18E8' '4C7EA887' 'FFF979E7' 'CDFD6BB0')
 LOCK_DELAY=10
 LOCK_TIMEOUT=300
diff --git a/db-functions b/db-functions
index bb49894..26e6825 100644
--- a/db-functions
+++ b/db-functions
@@ -381,6 +381,20 @@ check_pkgsvn() {
 return 0
 }
+check_signature() {
+ local pkgfile="${1}"
+
+ if ! pacman-key -v "${pkgfile}.sig" >/dev/null 2>&1
+ return 1
+ fi
+
+ for k in ${MASTER_KEYS}; do
+ if pacman-key -v "${pkgfile}.sig" 2>&1 | grep -q "key ID ${k}"
+ return 1
+ fi
+ done
+}
+
 check_splitpkgs() {
 local repo="${1}"
 shift
diff --git a/db-update b/db-update
index 576fe2b..087a248 100755
--- a/db-update
+++ b/db-update
@@ -42,7 +42,7 @@ for repo in ${repos[@]}; do
 if ! check_pkgfile "${pkg}"; then
 die "Package ${repo}/${pkg##*/} is not consistent with its meta data"
 fi
-if ${REQUIRE_SIGNATURE} && ! pacman-key -v "${pkg}.sig" >/dev/null 2>&1; then
+if ${REQUIRE_SIGNATURE} && ! check_pkgsig ${pkg}; then
 die "Package ${repo}/${pkg##*/} does not have a valid signature"
 fi
 if ! check_pkgsvn "${pkg}" "${repo}"; then
-- 
1.8.4.2
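Review bot: MASTER_KEYS holds 32-bit short key IDs, and the db-functions hunk in this same patch matches them as plain substrings of pacman-key's verbose output, so a short-ID collision (trivial to manufacture for 32-bit IDs) would misclassify a signature one way or the other. Full 40-hex fingerprints are the safer identifier for a deny-list of keys: `MASTER_KEYS=('<full fingerprint>' ...)`, with the matcher comparing against the fingerprint gpg reports. A one-line comment stating the list's role would also help readers of config, e.g. `# Packages signed directly by one of these keys are rejected by check_signature` — presumably because master keys are meant to certify packager keys rather than sign packages, but that intent is not stated anywhere in the patch.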
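Review bot: Both `if` lines in check_signature are missing `; then` (`if ! pacman-key -v "${pkgfile}.sig" >/dev/null 2>&1` and `if pacman-key ... | grep -q "key ID ${k}"`), so sourcing db-functions will fail with a syntax error before any package is checked. `for k in ${MASTER_KEYS}` also expands only the first element of the array, leaving the other four master keys unchecked; it needs `"${MASTER_KEYS[@]}"`. The function is defined as check_signature while db-update calls check_pkgsig, the signature is verified twice, the grep pattern is interpreted as a regex rather than a fixed string, and `k` is not declared local. Matching "key ID" in gpg's human-readable (and locale-dependent) output is fragile; a `--status-fd` based check on the `VALIDSIG` fingerprint would be more robust if pacman-key exposes it, but the rewrite below keeps the patch's approach and fixes the defects named above.
```shell
check_signature() {
	local pkgfile="${1}"
	local k output

	# Verify once and keep the combined output for the key-ID check below.
	if ! output="$(pacman-key -v "${pkgfile}.sig" 2>&1)"; then
		return 1
	fi

	# Reject packages signed directly by a master key.
	for k in "${MASTER_KEYS[@]}"; do
		if grep -q -F -- "key ID ${k}" <<<"${output}"; then
			return 1
		fi
	done

	return 0
}
```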
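Review bot: The new condition calls `check_pkgsig`, but the function this patch adds to db-functions is named `check_signature`; with REQUIRE_SIGNATURE=true a missing command exits 127, `!` inverts it, and every package is rejected as unsigned. `${pkg}` is also left unquoted, unlike the neighbouring `check_pkgfile "${pkg}"` and `check_pkgsvn "${pkg}"` calls. The line should read `if ${REQUIRE_SIGNATURE} && ! check_signature "${pkg}"; then`. The enclosing `for repo` loop begins before this hunk.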