[pacman-dev] [PATCH] makepkg: allow less than the full fingerprint in validpgpkeys
I found this feature confusing, and the documentation wasn't any help. It was pointed out to me on IRC that validpgpkeys expects full fingerprints, and won't accept shorter forms. This makes the documentation insufficient, and the variable name itself misleading. This patch bolsters the documentation to explain more about what the contents should be, and implements suffix matching to allow matching on shorters fingerprint suffices. Now, when makepkg tells you that a key ID isn't valid, it's sufficient to manually check the key ID against the known good ID, and add it as is to validpgpkeys. --- doc/PKGBUILD.5.txt | 4 +++- scripts/makepkg.sh.in | 21 ++++++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt index c653aac..eda3570 100644 --- a/doc/PKGBUILD.5.txt +++ b/doc/PKGBUILD.5.txt @@ -134,7 +134,9 @@ the integrity of the corresponding source file. trust values from the keyring. If the source file was signed with a subkey, makepkg will still use the primary key for comparison. + -Fingerprints must be uppercase and must not contain whitespace characters. +Fingerprints must be uppercase and must not contain whitespace characters. They +must be either the full fingerprint or match at least 16 characters of the full +fingerprint, starting from the end of the fingerprint. *noextract (array)*:: An array of file names corresponding to those from the source array. Files diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 49f5e59..25c0977 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1289,6 +1289,25 @@ parse_gpg_statusfile() { done < "$1" } +is_known_valid_pgp_key() { + local fprint subject=$1 validfprints=("${@:2}") + + for fprint in "${validfprints[@]}"; do + # we always honor full fingerprint matches + if [[ "$subject" = "$fprint" ]]; then + return 0 + fi + + # we'll also honor a suffix match, assuming that the fprint is long enough + # to be worthy. + if (( ${#fprint} >= 16 )) && [[ $subject = *"$fprint" ]]; then + return 0 + fi + done + + return 1 +} + check_pgpsigs() { (( SKIPPGPCHECK )) && return 0 ! source_has_signatures && return 0 @@ -1366,7 +1385,7 @@ check_pgpsigs() { if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2 errors=1 - elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then + elif ! is_known_valid_pgp_key "$fingerprint" "${validpgpkeys[@]}"; then printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")" errors=1 else -- 2.1.0
participants (1)
-
Dave Reisner