[pacman-dev] [PATCH] pacman-key: ignores keys already lsigned during populate

4 Nov 2019

WORK IN PROGRESS. I'm only emailing this patch to get some
feedback. I added a function that checks whether a key
being imported has already been signed, and if it has been,
skip lsigning it.

I'm not 100% sure this line is entirely necessary:
	if (( LSIGNKEY || POPULATE )); then

I wanted to ensure that there -was- a signing key to check
against. It might be a superfluous check, but I couldn't
find where --populate implies having run --init. I may've
missed it.

Otherwise, just looking for feedback before I move on to
step 2 which is not disabling already disabled keys. Let
me know if there are any glaring errors you see, or if
there is a more elegant way of doing what I did.

Signed-off-by: Matthew Sexton <wsdmatty@gmail.com>
---
 scripts/pacman-key.sh.in | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 3627a805..796375a5 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -247,7 +247,7 @@ check_keyring() {
 		fi
 	fi
 
-	if (( LSIGNKEY )); then
+	if (( LSIGNKEY || POPULATE )); then
 		if [[ $(secret_keys_available) -lt 1 ]]; then
 			error "$(gettext "There is no secret key available to sign with.")"
 			msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init"
@@ -447,6 +447,25 @@ list_sigs() {
 		exit 1
 	fi
 }
+lsigned_already() {
+	# Determines whether a key has already been signed locally by getting the
+	# local pacman secret key and comparing it against signatures on the key
+	# returns 1 if key is not signed, 0 if signed
+	secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | head -n1 | awk -F : '{print $5}')
+	NEEDS_SIGNED=1
+	while read line; do
+        while IFS=: read -r _ valid _ _ signkey _; do
+                if [ "$valid" != "!" ]; then
+                    continue
+                fi
+                if [[ "$signkey" == "$secret_key" ]]; then
+                        NEEDS_SIGNED=0
+                        break
+                fi
+        done
+	done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1")
+
+}
 
 lsign_keys() {
 	check_keyids_exist
@@ -454,6 +473,10 @@ lsign_keys() {
 	local ret=0
 	local key_count=0
 	for key_id in "$@"; do
+		lsigned_already "$key_id"
+		if [[ "$NEEDS_SIGNED" == 0 ]]; then
+			continue
+		fi
 		if (( VERBOSE )); then
 			msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
 		fi
@@ -469,7 +492,9 @@ lsign_keys() {
 	if (( ret )); then
 		exit 1
 	fi
+	if (( key_count )); then
 	msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
+	fi
 }
 
 receive_keys() {
-- 
2.23.0

    