[pacman-dev] [PATCH] pacman-key: Add --import and --import-trustdb
Currently, pacman-key allows users to import their keys using the --add option but no similar functionality exists for importing ownertrust values.

The --import-trustdb option takes in a list of directories and imports ownertrust values if the directories have a trustdb.gpg database.

The --import is a combination of --add and --import-trustdb. It takes in a list of directories and imports keys from pubring.gpg, ownertrust values from trustdb.gpg if any of these files exist.

Signed-off-by: Pang Yan Han <pangyanhan@gmail.com>
---
NOTE: There is this very strange bug such that when new keys are added, previously imported keys will fail for signature verification. This happens with both --add and --import.

Eg. Say you want to import trustdb.gpg and pubring.gpg from directories "first", "second" and "third", you'd have to:

# pacman-key --import first second third
# pacman-key --import first second third

doc/pacman-key.8.txt | 7 +++++++ scripts/pacman-key.sh.in | 37 +++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 0 deletions(-) diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 892f14d..6071474 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -59,6 +59,13 @@ Commands *-h, \--help*:: Output syntax and command line options. +*\--import* dir ...:: + Adds keys from pubring.gpg into pacman's keyring and imports ownertrust + values from trustdb.gpg in the specified directories. + +*\--import-trustdb* dir ...:: + Imports ownertrust values from trustdb.gpg in the specified directories. + *-l, \--list*:: Equivalent to --list-sigs from GnuPG. diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 20ec20f..425f010 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in
@@ -70,6 +70,8 @@ usage() { echo "$(gettext " -u, --updatedb Update the trustdb of pacman")" echo "$(gettext " -V, --version Show program version")" echo "$(gettext " --adv <params> Use pacman's keyring with advanced gpg commands")" + echo "$(gettext " --import <dir(s)> Imports pubring.gpg and trustdb.gpg from dir(s)")" + echo "$(gettext " --import-trustdb <dir(s)> Imports ownertrust values from trustdb.gpg in dir(s)")" printf "$(gettext " --reload Reload the default keys")" echo } @@ -228,6 +230,27 @@ if [[ $1 != "--version" && $1 != "-V" && $1 != "--help" && $1 != "-h" && $1 != " fi fi +import() { + local importdir + for importdir in "$@"; do + if [[ -f "${importdir}/trustdb.gpg" ]]; then + import_trustdb "${importdir}" + fi + if [[ -f "${importdir}/pubring.gpg" ]]; then + ${GPG_PACMAN} --quiet --batch --import "${importdir}/pubring.gpg" + fi + done +} + +import_trustdb() { + local importdir + for importdir in "$@"; do + if [[ -f "${importdir}/trustdb.gpg" ]]; then + gpg --homedir "${importdir}" --export-ownertrust | ${GPG_PACMAN} --import-ownertrust + fi + done +} + # Parse global options CONFIG="@sysconfdir@/pacman.conf" PACMAN_KEYRING_DIR="@sysconfdir@/pacman.d/gnupg" @@ -322,6 +345,20 @@ case "${command}" in ;; -h|--help) usage; exit 0 ;; + --import-trustdb) + if (( $# == 0 )); then + error "$(gettext "You need to specify at least one trustdb")" + exit 1 + fi + import_trustdb "$@" + ;; + --import) + if (( $# == 0 )); then + error "$(gettext "You need to specify at least one gpg directory")" + exit 1 + fi + import "$@" + ;; -V|--version) version; exit 0 ;; *) -- 1.7.6.rc0
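Review bot: in the `import_trustdb` function of the scripts/pacman-key.sh.in hunk, each directory's export is piped straight into `${GPG_PACMAN} --import-ownertrust`; GnuPG documents that option as overwriting existing values, so a later directory's records replace earlier ones and values already in pacman's trustdb are replaced rather than merged. Suggest exporting pacman's current ownertrust first, collecting it and every directory's export in one temporary file, and running `--import-ownertrust` once on the combined file. The same hunk runs `gpg --homedir "${importdir}"` as the invoking user (root, for pacman-key), so pointing it at another user's directory will trigger GnuPG's "unsafe ownership on homedir" warning; a comment in the function or a sentence in the man page entry would save users from wondering about it.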
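Review bot: in the `--import-trustdb` case of the last hunk the error text reads "You need to specify at least one trustdb", but the argument is a directory (the man page hunk documents it as `dir ...`); align it with the `--import` case, e.g. "You need to specify at least one gpg directory". Neither case checks that its arguments are existing directories, and both `import` and `import_trustdb` silently skip a directory that has no trustdb.gpg or pubring.gpg, so a mistyped path produces no output at all; consider an error or warning for a directory that contributes nothing, and say in the man page entries that missing files are skipped.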
On 10/06/11 16:38, Pang Yan Han wrote:
Currently, pacman-key allows users to import their keys using the --add option but no similar functionality exists for importing ownertrust values.
The --import-trustdb option takes in a list of directories and imports ownertrust values if the directories have a trustdb.gpg database.
The --import is a combination of --add and --import-trustdb. It takes in a list of directories and imports keys from pubring.gpg, ownertrust values from trustdb.gpg if any of these files exist.
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com>
---
NOTE: There is this very strange bug such that when new keys are added, previously imported keys will fail for signature verification. This happens with both --add and --import.
Eg. Say you want to import trustdb.gpg and pubring.gpg from directories "first", "second" and "third", you'd have to:
# pacman-key --import first second third
# pacman-key --import first second third
I have not gone through your patch in detail yet, but I do not see this issue you report when using the --add option:

allan@mugen /home/arch/code/pacman (working)
./scripts/pacman-key --verify /home/allan/web/allanbrokeit/i686/allanbrokeit.db.sig
gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
gpg: NOTE: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>"
gpg:                 aka "Allan McRae (Developer) <allan@archlinux.org>"

allan@mugen /home/arch/code/pacman (working)
sudo ./scripts/pacman-key --add /home/allan/dan.gpg
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

allan@mugen /home/arch/code/pacman (working)
./scripts/pacman-key --verify /home/allan/web/allanbrokeit/i686/allanbrokeit.db.sig
gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
gpg: NOTE: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>"
gpg:                 aka "Allan McRae (Developer) <allan@archlinux.org>"

So the signature verification still works after adding a key with --add. There are two possibilities here... 1) this is fixed due to the large number of changes on my working branch, or 2) there is something wrong with the --import stuff...

Can you give more details on this issue so I can follow it up and get this patch merged.

Cheers,
Allan
Hi Allan,

I'll send 2 small patches to be applied on top of your working branch, and an edited version of the --import patch soon.

The issue I mentioned is with regards to pacman -U and pacman-key --import. I edited the patch so that it'll work with the new pacman-key code, and the same thing happens.

Basically, I tried installing 2 packages signed by 2 different keys. They are "ack-1.94-2-any.pkg.tar.xz" and "archlinux-wallpaper-1.3-2-any.pkg.tar.xz". Their respective .sig files (detached signatures) are in the same directories.

So I did:

[root@localhost ~] # pacman-key --init
gpg: /usr/local/etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found

[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': Invalid or corrupted package (PGP signature)

[root@localhost ~] # pacman --import .gnupg/
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz

Works now with pacman, but I didn't install anything.

Then, I proceeded to import the trustdb with the key for the archlinux wallpaper package.

[root@localhost ~] # pacman-key --import /home/yh/.gnupg/
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

[root@localhost ~] # pacman -U archlinux-wallpaper-1.3-2-any.pkg.tar.xz

Works now. But then the one for ack fails:

[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)

And the previously successful pacman-key --verify for the ack package spat out some warning messages this time:

[root@localhost ~] # pacman-key --verify ack-1.94-2-any.pkg.tar.xz
gpg: Signature made Fri 10 Jun 2011 11:44:28 AM SGT using RSA key ID CF7AE1C9
gpg: Good signature from "testing123 <test123@hotmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: <omitted>

The verification for archlinux-wallpaper is ok:

[root@localhost ~] # pacman-key --verify archlinux-wallpaper-1.3-2-any.pkg.tar.xz
gpg: Signature made Sun 10 Jul 2011 11:41:18 AM SGT using RSA key ID 1582A729
gpg: Good signature from "Pang Yan Han <pangyanhan@gmail.com>"

Then, I imported the 2 directories at one go:

[root@localhost ~] # pacman-key --import /home/yh/.gnupg/ .gnupg/
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
gpg: setting ownertrust to 6
gpg: setting ownertrust to 6
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'

Subsequently, the pacman -U and pacman-key --verify worked for both packages.

I can only suspect that it has something to do with importing from a different user since there are warnings with regards to "unsafe ownership". It might be worth it to try the following:

1. As root, use "pacman-key --import" to import the trustdb
2. Create a new gpg key on another directory.
3. Use "pacman-key --import" to import the new trustdb
4. Sign 2 packages using the 2 different keys and try installing using pacman -U to see if the same problem exists.

On Sat, Jul 9, 2011 at 8:37 PM, Allan McRae <allan@archlinux.org> wrote:
On 10/06/11 16:38, Pang Yan Han wrote:
Currently, pacman-key allows users to import their keys using the --add option but no similar functionality exists for importing ownertrust values.
The --import-trustdb option takes in a list of directories and imports ownertrust values if the directories have a trustdb.gpg database.
The --import is a combination of --add and --import-trustdb. It takes in a list of directories and imports keys from pubring.gpg, ownertrust values from trustdb.gpg if any of these files exist.
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com>
---
NOTE: There is this very strange bug such that when new keys are added, previously imported keys will fail for signature verification. This happens with both --add and --import.
Eg. Say you want to import trustdb.gpg and pubring.gpg from directories "first", "second" and "third", you'd have to:
# pacman-key --import first second third
# pacman-key --import first second third
I have not gone through your patch in detail yet, but I do not see this issue you report when using the --add option:
allan@mugen /home/arch/code/pacman (working)
./scripts/pacman-key --verify /home/allan/web/allanbrokeit/i686/allanbrokeit.db.sig
gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
gpg: NOTE: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>"
gpg:                 aka "Allan McRae (Developer) <allan@archlinux.org>"

allan@mugen /home/arch/code/pacman (working)
sudo ./scripts/pacman-key --add /home/allan/dan.gpg
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

allan@mugen /home/arch/code/pacman (working)
./scripts/pacman-key --verify /home/allan/web/allanbrokeit/i686/allanbrokeit.db.sig
gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
gpg: NOTE: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>"
gpg:                 aka "Allan McRae (Developer) <allan@archlinux.org>"

So the signature verification still works after adding a key with --add. There are two possibilities here... 1) this is fixed due to the large number of changes on my working branch, or 2) there is something wrong with the --import stuff...

Can you give more details on this issue so I can follow it up and get this patch merged.

Cheers,
Allan
On 10/07/11 14:10, Pang Yan Han wrote:
The issue I mentioned is with regards to pacman -U and pacman-key --import. I edited the patch so that it'll work with the new pacman-key code, and the same thing happens.
Basically, I tried installing 2 packages signed by 2 different keys. They are "ack-1.94-2-any.pkg.tar.xz" and "archlinux-wallpaper-1.3-2-any.pkg.tar.xz" Their respective .sig files (detached signatures) are in the same directories.
So I did:
[root@localhost ~] # pacman-key --init gpg: /usr/local/etc/pacman.d/gnupg/trustdb.gpg: trustdb created gpg: no ultimately trusted keys found
[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz error: 'ack-1.94-2-any.pkg.tar.xz': Invalid or corrupted package (PGP signature)
[root@localhost ~] # pacman --import .gnupg/ gpg: inserting ownertrust of 6 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz Works now with pacman, but I didn't install anything.
Then, I proceeded to import the trustdb with the key for the archlinux wallpaper package.
[root@localhost ~] # pacman-key --import /home/yh/.gnupg/ gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/' gpg: inserting ownertrust of 6 gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
[root@localhost ~] # pacman -U archlinux-wallpaper-1.3-2-any.pkg.tar.xz Works now
But then the one for ack fails: [root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz error: 'ack-1.94-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
This is because of how --import-ownertrust works:

--import-ownertrust
    Update the trustdb with the ownertrust values stored in files (or STDIN if not given); existing values will be overwritten.

That last bit is the key to the issue! So we need to be smarter in this bit here....

+import_trustdb() { + local importdir + for importdir in "${IMPORT_DIRS[@]}"; do + if [[ -f "${importdir}/trustdb.gpg" ]]; then + gpg --homedir "${importdir}" --export-ownertrust | ${GPG_PACMAN} --import-ownertrust + fi + done +}

Only that last trustdb will end up being imported. I think that doing something like this instead:

# export pacman's current ownertrust first so it is part of what gets imported back
${GPG_PACMAN} --export-ownertrust > tmp.file
for importdir in "${IMPORT_DIRS[@]}"; do
    if [[ -f "${importdir}/trustdb.gpg" ]]; then
        # append each directory's values; a later line for the same key wins on import
        gpg --homedir "${importdir}" --export-ownertrust >> tmp.file
    fi
done
${GPG_PACMAN} --import-ownertrust tmp.file

should work... but I have not tested. If appending the trustdb's together does not work, then create a temporary folder instead and store them all in individual files and pass --import-ownertrust multiple files.

Hopefully that fixes this and we can merge this patch.

Cheers,
Allan
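The merge Allan sketches above, worked through as an added example that is not code from the patch or from either participant: pacman's existing ownertrust is exported first, every directory's trustdb is exported after it, and the combined records are imported once. It goes slightly beyond the sketch by collapsing the records to one per fingerprint before the import and by reporting on stderr whenever a later directory changes a value an earlier one set, which is exactly the overwrite that broke verification in the thread. GPG_PACMAN is assumed to be pacman-key's gpg wrapper as named in the patch; the fingerprints in demo_merge are constructed placeholders, not real keys.

```sh
#!/bin/sh
# Added example (not code from the pacman-key patch or from the replies):
# merge the ownertrust of several GnuPG home directories into pacman's
# keyring with ONE --import-ownertrust, so that values already in pacman's
# trustdb are not overwritten by the last directory imported.
#
# gpg --export-ownertrust prints one record per key, "<fingerprint>:<trust>:",
# plus "#" comment lines. On import, the last record for a fingerprint wins.

# merge_ownertrust FILE...
# Reads ownertrust records from the FILEs in order, drops comments and prints
# one record per fingerprint; a later file overrides an earlier one, and any
# change of an already-seen value is reported on stderr for the operator.
merge_ownertrust() {
    cat "$@" | awk -F: '
        /^#/ || NF < 2 { next }
        {
            if (($1 in trust) && trust[$1] != $2)
                printf "warning: ownertrust of %s changes from %s to %s\n", $1, trust[$1], $2 > "/dev/stderr"
            if (!($1 in trust)) order[++n] = $1
            trust[$1] = $2
        }
        END { for (i = 1; i <= n; i++) printf "%s:%s:\n", order[i], trust[order[i]] }'
}

# import_trustdbs DIR...
# Export pacman's current ownertrust first, then every directory that has a
# trustdb.gpg, merge all exports and import the result once. GPG_PACMAN is
# assumed to be pacman-key's gpg wrapper (the name used in the patch).
import_trustdbs() {
    tmpdir=$(mktemp -d) || return 1
    i=0
    # what pacman trusts today; a plain --import-ownertrust would overwrite it
    ${GPG_PACMAN} --export-ownertrust > "${tmpdir}/000.txt"
    for importdir in "$@"; do
        if [ -f "${importdir}/trustdb.gpg" ]; then
            i=$((i + 1))
            # zero-padded names keep the glob below in import order
            gpg --homedir "${importdir}" --export-ownertrust \
                > "$(printf '%s/%03d.txt' "${tmpdir}" "${i}")"
        else
            printf 'warning: no trustdb.gpg in %s, skipping\n' "${importdir}" >&2
        fi
    done
    merge_ownertrust "${tmpdir}"/*.txt | ${GPG_PACMAN} --import-ownertrust
    status=$?
    rm -rf "${tmpdir}"
    return ${status}
}

# demo_merge: offline check of the merge rule with constructed records
# (the fingerprints are placeholders, not real keys). Prints the merged
# records; the warning about AAAA0001 goes to stderr and is discarded here.
demo_merge() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'AAAA0001:6:' > "${d}/000.txt"                  # already in pacman
    printf '%s\n' '# trustdb of "first"' 'BBBB0002:6:' > "${d}/001.txt"
    printf '%s\n' 'AAAA0001:3:' 'CCCC0003:6:' > "${d}/002.txt"   # changes AAAA0001
    merge_ownertrust "${d}"/*.txt 2>/dev/null
    rm -rf "${d}"
}
```

Running `demo_merge` prints three records, with AAAA0001 at trust 3 because the later directory wins; in real use the stderr warning is the signal that an import is about to change trust pacman already had, which is the check the original one-pipe-per-directory loop could never give.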