[pacman-dev] [PATCH 1/4] pacman-key: move --edit-key and --receive processing to functions
This moves the processing of the --edit-key and --receive options to functions, keeping the final option processing to be all single line statements. Also rework the --edit-key option to validate all input before processing. Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/pacman-key.sh.in | 47 +++++++++++++++++++++++++-------------------- 1 files changed, 26 insertions(+), 21 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index b2b5669..c8f5111 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -202,6 +202,30 @@ reload_keyring() { ${GPG_PACMAN} --batch --check-trustdb } +receive_keys() { + if [[ -z ${KEYIDS[@]} ]]; then + error "$(gettext "You need to specify the keyserver and at least one key identifier")" + exit 1 + fi + ${GPG_PACMAN} --keyserver "$KEYSERVER" --recv-keys "${KEYIDS[@]}" +} + +edit_keys() { + local errors=0; + for key in ${KEYIDS[@]}; do + # Verify if the key exists in pacman's keyring + if ! ${GPG_PACMAN} --list-keys "$key" &>/dev/null; then + error "$(gettext "The key identified by %s does not exist")" "$key" + errors=1; + fi + done + (( errors )) && exit 1; + + for key in ${KEYIDS[@]}; do + ${GPG_PACMAN} --edit-key "$key" + done +} + # PROGRAM START if ! type gettext &>/dev/null; then gettext() { @@ -279,31 +303,12 @@ GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning" (( ADD )) && ${GPG_PACMAN} --quiet --batch --import "${KEYFILES[@]}" (( DELETE )) && ${GPG_PACMAN} --quiet --batch --delete-key --yes "${KEYIDS[@]}" +(( EDITKEY )) && edit_keys (( EXPORT )) && ${GPG_PACMAN} --armor --export "${KEYIDS[@]}" (( FINGER )) && ${GPG_PACMAN} --batch --fingerprint "${KEYIDS[@]}" (( LIST )) && ${GPG_PACMAN} --batch --list-sigs "${KEYIDS[@]}" +(( RECEIVE )) && receive_keys (( RELOAD )) && reload_keyring (( UPDATEDB )) && ${GPG_PACMAN} --batch --check-trustdb -if (( RECEIVE )); then - if [[ -z ${KEYIDS[@]} ]]; then - error "$(gettext "You need to specify the keyserver and at least one key identifier")" - exit 1 - fi - ${GPG_PACMAN} --keyserver "$KEYSERVER" --recv-keys "${KEYIDS[@]}" -fi - -if (( EDITKEY )); then - for key in ${KEYIDS[@]}; do - # Verify if the key exists in pacman's keyring - if ${GPG_PACMAN} --list-keys "$key" &>/dev/null; then - ${GPG_PACMAN} --edit-key "$key" - else - error "$(gettext "The key identified by %s does not exist")" "$key" - exit 1 - fi - shift - done -fi - # vim: set ts=2 sw=2 noet: -- 1.7.6
Also check all files before bailing on errors. Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/pacman-key.sh.in | 48 ++++++++++++++++++++++++++------------------- 1 files changed, 28 insertions(+), 20 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index c8f5111..5be627f 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -87,30 +87,15 @@ get_from() { done < "$1" } -reload_keyring() { - local PACMAN_SHARE_DIR='@prefix@/share/pacman' - local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}" - - # Variable used for iterating on keyrings - local key - local key_id - - # Keyring with keys to be added to the keyring - local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg" - - # Keyring with keys that were deprecated and will eventually be deleted - local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg" - - # List of keys removed from the keyring. This file is not a keyring, unlike the others. - # It is a textual list of values that gpg recogniezes as identifiers for keys. - local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys" +verify_keyring_input() { + local ret=0; # Verify signatures of related files, if they exist if [[ -r "${ADDED_KEYS}" ]]; then msg "$(gettext "Verifying official keys file signature...")" if ! ${GPG_PACMAN} --verify "${ADDED_KEYS}.sig" &>/dev/null; then error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}" - exit 1 + ret=1 fi fi @@ -118,7 +103,7 @@ reload_keyring() { msg "$(gettext "Verifying deprecated keys file signature...")" if ! ${GPG_PACMAN} --verify "${DEPRECATED_KEYS}.sig" &>/dev/null; then error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}" - exit 1 + ret=1 fi fi @@ -126,10 +111,33 @@ reload_keyring() { msg "$(gettext "Verifying deleted keys file signature...")" if ! ${GPG_PACMAN} --verify "${REMOVED_KEYS}.sig" &>/dev/null; then error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}" - exit 1 + ret=1 fi fi + return errors +} + +reload_keyring() { + local PACMAN_SHARE_DIR='@prefix@/share/pacman' + local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}" + + # Variable used for iterating on keyrings + local key + local key_id + + # Keyring with keys to be added to the keyring + local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg" + + # Keyring with keys that were deprecated and will eventually be deleted + local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg" + + # List of keys removed from the keyring. This file is not a keyring, unlike the others. + # It is a textual list of values that gpg recogniezes as identifiers for keys. + local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys" + + verify_keyring_input || exit 1 + # Read the key ids to an array. The conversion from whatever is inside the file # to key ids is important, because key ids are the only guarantee of identification # for the keys. -- 1.7.6
Follow the example of gpg and only allow a single operation to be specified each time. Prevents having to deal with conflicting variable names and potential issues due to the order in which the operations are run. Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/pacman-key.sh.in | 16 ++++++++++++++++ 1 files changed, 16 insertions(+), 0 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 5be627f..55c2abe 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -308,6 +308,22 @@ PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-@sysconfdir@/pacman.d/gnupg} GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning" +# check only a single operation has been given +numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + LIST + RECEIVE + RELOAD + UPDATEBD )) + +if (( ! numopt )); then + error "$(gettext "No operations specified")" + echo + usage + exit 1 +fi + +if (( numopt != 1 )); then + error "$(gettext "Multiple operations specified")" + printf "$(gettext "Please run %s with each operation separately\n")" "pacman-key" + exit 1 +fi + (( ADD )) && ${GPG_PACMAN} --quiet --batch --import "${KEYFILES[@]}" (( DELETE )) && ${GPG_PACMAN} --quiet --batch --delete-key --yes "${KEYIDS[@]}" -- 1.7.6
participants (1)
-
Allan McRae