On 11/3/19 6:35 PM, Allan McRae wrote:
This commit closes: FS#64142 - pacman-key: make populate less noisy
There is an additional comment in the bug: "Additionally, we should consider only counting keys to be disabled that are not currently disabled. Same with lsign key."
So, partially implements FS#64142.
So I dug around in /usr/share/doc/gnupg/DETAILS and I think I basically know what we need to get the rest of the way there. gpg --with-colons will be our friend here.

We'll need to:

figure out the keyid of the local master key (secret key):

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-secret-key
sec:u:2048:1:2150A73FE449203E:1539640294:::u:::scSC:::+:::23::0:
fpr:::::::::708A83C140BD668A8D52DDFF2150A73FE449203E:
grp:::::::::2595A2681C2DA4806EC088E4DF877DA80528FEB5:
uid:u::::1539640294::79311EDEA01302E0DBBB2F33AE799F8BB677652F::Pacman Keyring Master Key <pacman@localhost>::::::::::0:

Find the sec line, find field 5, my local secret key is 2150A73FE449203E.

Now we need to find out whether a given keyring key is already lsigned:

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --check-signatures anthraxx@master-key
tru::1:1572742808:1579736285:3:1:5
pub:f:4096:1:D6D055F927843F1C:1541685162:::m:::scESCA::::::23:1547746114:1 https\x3a//[2001\x3a4c48\x3a2\x3abf04\x3a20c\x3a29ff\x3afe84\x3ad087]\x3a443:
fpr:::::::::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:
uid:f::::1541685162::B588C0444DCADD3F0BBBEEBA44F9F02E089294E7::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:::::::::1547746114:1:
sig:!::1:39E4B877E62EB915:1546031667::::Sven-Hendrik Haase <svenstaro@gmail.com>:10x::8FC15A064950A99DD1BD14DD39E4B877E62EB915:::8:
sig:!::1:FC1B547C8D8172C8:1542066833::::Levente Polyak (anthraxx) <levente@leventepolyak.net>:10x::E240B57E2C4630BA768E2F26FC1B547C8D8172C8:::10:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:13x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:
sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman@localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:
sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10:
sub:f:4096:1:FEB12332C13054E7:1541685162::::::e::::::23:
fpr:::::::::86CC2A69D4B742C15239AD22FEB12332C13054E7:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:
sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10:
sub:f:4096:1:DEDF3FE3104A16F6:1541685530::::::a::::::23:
fpr:::::::::46A1EFF0753F9F10BB6B36DEDEDF3FE3104A16F6:
sig:!::1:D6D055F927843F1C:1541685530::::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:

Here's the line we need, a 'sig' line:

sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman@localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:

Field 2 tells us whether the signature is good, either "!" for good or "-" for bad. Field 5 (again) tells us the id of the key, in this case the key which performed the signature. Does it match the previously detected secret key? If not, try to find another signature that is a secret key.

....

Now on to the "is it disabled" mode.

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-key 81D7F8241DB38BC759C80FCE3A726C6170E80477
tru::1:1572742808:1579736285:3:1:5
pub:-:2048:1:3A726C6170E80477:1321703264:::-:::scESCD::::::23::0:
fpr:::::::::81D7F8241DB38BC759C80FCE3A726C6170E80477:
uid:-::::1321703264::E0406C59D6C6B91ED55428F0A785052113EF060B::Роман Кирилич (Roman Kyrylych) <roman@archlinux.org>::::::::::0:
sub:-:2048:1:A9E18694A8AA192C:1321703264::::::e::::::23:
fpr:::::::::BEC1D058200080E7938CC822A9E18694A8AA192C:

This person is retired from Arch, and his key is disabled. Look at the 'pub' line, field 12 -- it contains a "D", so his key is disabled.

Matthew -- you want to take this the rest of the way?

--
Eli Schwartz
Bug Wrangler and Trusted User
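
The three field checks described in the message above, as an added example (not code from the thread or from pacman-key). The function and variable names are hypothetical, and the sample records are copied from the listings in the message so the script runs without a keyring.

```bash
#!/bin/bash
# Added example: helpers that read `gpg --with-colons` output on stdin.
# Function names are hypothetical; they are not part of pacman-key.

# Key id of the local master key: field 5 of the first "sec" record.
master_keyid() {
	awk -F: '$1 == "sec" { print $5; exit }'
}

# Succeeds if the --check-signatures listing on stdin has a good
# signature (field 2 is "!") made by key id $1 (field 5).
is_lsigned_by() {
	awk -F: -v id="$1" '
		$1 == "sig" && $2 == "!" && $5 == id { found = 1; exit }
		END { exit !found }'
}

# Succeeds if field 12 of the "pub" record contains "D" (key disabled).
is_disabled() {
	awk -F: '
		$1 == "pub" { if ($12 ~ /D/) found = 1; exit }
		END { exit !found }'
}

# Sample records, copied from the listings in the message.
sample_secret='sec:u:2048:1:2150A73FE449203E:1539640294:::u:::scSC:::+:::23::0:
fpr:::::::::708A83C140BD668A8D52DDFF2150A73FE449203E:'

sample_signed='pub:f:4096:1:D6D055F927843F1C:1541685162:::m:::scESCA::::::23:1547746114:1 https\x3a//[2001\x3a4c48\x3a2\x3abf04\x3a20c\x3a29ff\x3afe84\x3ad087]\x3a443:
sig:!::1:39E4B877E62EB915:1546031667::::Sven-Hendrik Haase <svenstaro@gmail.com>:10x::8FC15A064950A99DD1BD14DD39E4B877E62EB915:::8:
sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman@localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:
sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10:'

sample_disabled='pub:-:2048:1:3A726C6170E80477:1321703264:::-:::scESCD::::::23::0:
fpr:::::::::81D7F8241DB38BC759C80FCE3A726C6170E80477:'

# With a real keyring, pipe the gpg commands from the message into the
# helpers instead of these sample variables.
master=$(printf '%s\n' "$sample_secret" | master_keyid)
echo "local master key: $master"
printf '%s\n' "$sample_signed" | is_lsigned_by "$master" && echo "already lsigned"
printf '%s\n' "$sample_disabled" | is_disabled && echo "already disabled"
```
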