Added two new functions, lsigned_already() and revoked_already() that check whether a key has been locally signed or revoked respectively during --populate. If the key is already signed or revoked, it is quietly ignored. Signed-off-by: Matthew Sexton <wsdmatty@gmail.com> --- Final version of patch. This patch depends on my previous patch: v2-0001-pacman-key-hide-lsign-and-revoke-output-behind-ve.patch This finishes the implementation of: FS#64142 - pacman-key: make populate less noisy Most of the credit for this goes to Eli, who did the hard part of figuring out gpg wizardry. All I did was bash some stuff. v2. Fixed some inconsistencies in [ vs [[ and removed unnecessary parantheses. scripts/pacman-key.sh.in | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 3627a805..ba56a3ac 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -247,7 +247,7 @@ check_keyring() { fi fi - if (( LSIGNKEY )); then + if (( LSIGNKEY || POPULATE )); then if [[ $(secret_keys_available) -lt 1 ]]; then error "$(gettext "There is no secret key available to sign with.")" msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init" @@ -337,13 +337,16 @@ populate_keyring() { local key_count=0 msg "$(gettext "Disabling revoked keys in keyring...")" for key_id in "${!revoked_ids[@]}"; do + if ( revoked_already "$key_id" ) ; then continue; fi if (( VERBOSE )); then msg2 "$(gettext "Disabling key %s...")" "${key_id}" fi printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null key_count=$((key_count+1)) done - msg2 "$(gettext "Disabled %s keys.")" "${key_count}" + if (( key_count )); then + msg2 "$(gettext "Disabled %s keys.")" "${key_count}" + fi fi } @@ -447,6 +450,18 @@ list_sigs() { exit 1 fi } +lsigned_already() { + # Determines whether a key has already been signed locally by getting the + # local pacman secret key and comparing it against signatures on the key + # returns 0 if key is signed, 1 if it is unsigned + secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | head -n1 | awk -F : '{print $5}') + while IFS=: read -r _ valid _ _ signkey _; do + if [ "$valid" != "!" ]; then continue; fi + if [[ "$signkey" == "$secret_key" ]]; then return 0; fi + done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1") + return 1 + +} lsign_keys() { check_keyids_exist @@ -454,6 +469,7 @@ lsign_keys() { local ret=0 local key_count=0 for key_id in "$@"; do + if ( lsigned_already "$key_id" ) ; then continue; fi if (( VERBOSE )); then msg2 "$(gettext "Locally signing key %s...")" "${key_id}" fi @@ -469,7 +485,9 @@ lsign_keys() { if (( ret )); then exit 1 fi + if (( key_count )); then msg2 "$(gettext "Locally signed %s keys.")" "${key_count}" + fi } receive_keys() { @@ -511,6 +529,15 @@ refresh_keys() { fi } +revoked_already() { + + while IFS=: read -r type _ _ _ _ _ _ _ _ _ _ flags _; do + if [ "$type" != "pub" ]; then continue; fi + if [[ "$flags" == *"D"* ]]; then return 0; fi + done < <("${GPG_PACMAN[@]}" --with-colons --list-key "$1") + return 1 +} + verify_sig() { local ret=0 sig=$1 file=$2 if [[ -z $file && -f ${sig%.*} ]]; then -- 2.23.0