[pacman-dev] [PATCH 1/2] pacman-key: split keyserver to a separate option
This also renames '--receive' to '-recv-keys' to match the wrapped gpg option name, rather than invent a new one, now that the calling convention is the same. Signed-off-by: Dan McGee <dan@archlinux.org> --- doc/pacman-key.8.txt | 10 ++++++++-- scripts/pacman-key.sh.in | 29 +++++++++++++++-------------- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 7481ce5..824f0b3 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -71,6 +71,12 @@ Options Ensure the keyring is properly initialized and has the required access permissions. +*\--keyserver* <keyserver>:: + Use the specified keyserver if the operation requires one. This will take + precedence over any keyserver option specified in a `gpg.conf` + configuration file. Running '\--init' with this option will set the default + keyserver if one was not already configured. + *-l, \--list-keys* [keyid(s)]:: Lists all or specified keys from the public keyring. @@ -81,8 +87,8 @@ Options Locally sign the given key. This is primarily used to root the web of trust in the local private key generated by '\--init'. -*-r, \--receive* <keyserver> <keyid(s)>:: - Fetch the specified keyid(s) from the specified key server URL. +*-r, \--recv-keys* <keyid(s)>:: + Equivalent to '\--recv-keys' in GnuPG. *\--populate* [keyring(s)]:: Reload the default keys from the (optionally provided) keyrings in diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 9bb8182..ce95f5d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -35,6 +35,7 @@ FINGER=0 IMPORT=0 IMPORT_TRUSTDB=0 INIT=0 +KEYSERVER='' LISTKEYS=0 LISTSIGS=0 LSIGNKEY=0 @@ -43,6 +44,8 @@ RECEIVE=0 UPDATEDB=0 VERIFY=0 +DEFAULT_KEYSERVER='hkp://keys.gnupg.net' + m4_include(library/output_format.sh) m4_include(library/parse_options.sh) 
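Review bot: `DEFAULT_KEYSERVER='hkp://keys.gnupg.net'` in the `@@ -43,6 +44,8 @@` hunk is a constant that, within this series, is only read as the fallback in initialize(), so it should be declared `readonly DEFAULT_KEYSERVER='hkp://keys.gnupg.net'` and carry a one-line comment, e.g. `# written into gpg.conf by --init only when no --keyserver was given`, since that persistence is the non-obvious part of the value. `KEYSERVER=''` is fine as a mutable option variable next to the other flags.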
@@ -61,7 +64,7 @@ usage() {
 echo "$(gettext " -f, --finger [keyid(s)] List fingerprint for specified or all keyids")"
 echo "$(gettext " -h, --help Show this help message and exit")"
 echo "$(gettext " -l, --list-keys [keyid(s)] List the specified or all keys")"
- echo "$(gettext " -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")"
+ echo "$(gettext " -r, --recv-keys <keyid(s)> Fetch the specified keyids")"
 echo "$(gettext " -u, --updatedb Update the trustdb of pacman")"
 echo "$(gettext " -v, --verify <signature> Verify the file specified by the signature")"
 echo "$(gettext " -V, --version Show program version")"
@@ -73,6 +76,7 @@ usage() {
 echo "$(gettext " --import <dir(s)> Imports pubring.gpg and trustdb.gpg from dir(s)")"
 echo "$(gettext " --import-trustdb <dir(s)> Imports ownertrust values from trustdb.gpg in dir(s)")"
 echo "$(gettext " --init Ensure the keyring is properly initialized")"
+ echo "$(gettext " --keyserver Specify a keyserver to use if necessary")"
 echo "$(gettext " --list-sigs [keyid(s)] List keys and their signatures")"
 echo "$(gettext " --lsign-key <keyid> Locally sign the specified keyid")"
 printf "$(gettext " --populate [keyring(s)] Reload the default keys from the (given) keyrings\n\
@@ -136,7 +140,7 @@ add_gpg_conf_option() {
 }
 
 initialize() {
- local conffile
+ local conffile keyserv
 # Check for simple existence rather than for a directory as someone
 # may want to use a symlink here
 [[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"
@@ -155,7 +159,8 @@ initialize() {
 add_gpg_conf_option "$conffile" 'no-greeting'
 add_gpg_conf_option "$conffile" 'no-permission-warning'
 add_gpg_conf_option "$conffile" 'lock-never'
- add_gpg_conf_option "$conffile" 'keyserver' 'hkp://keys.gnupg.net'
+ keyserv=${KEYSERVER:-$DEFAULT_KEYSERVER}
+ add_gpg_conf_option "$conffile" 'keyserver' "$keyserv"
 
 # set up a private signing key (if none available)
 if [[ $(secret_keys_available) -lt 1 ]]; then
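Review bot: The new `--keyserver` usage line in the `@@ -73,6 +76,7 @@` hunk omits the argument placeholder that every neighbouring option with a mandatory value shows, so the help text reads as if the flag took no argument; change it to `echo "$(gettext " --keyserver <keyserver> Specify a keyserver to use if necessary")"` to match the `--lsign-key <keyid>` line below it and the man page entry. The initialize() change in the last hunk looks right: `keyserv=${KEYSERVER:-$DEFAULT_KEYSERVER}` only falls back when no keyserver was given on the command line. initialize() continues past the end of that hunk.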
@@ -304,14 +309,6 @@ populate_keyring() {
 fi
 }
 
-receive_keys() {
- if [[ -z ${KEYIDS[@]} ]]; then
- error "$(gettext "You need to specify the keyserver and at least one key identifier")"
- exit 1
- fi
- "${GPG_PACMAN[@]}" --keyserver "$KEYSERVER" --recv-keys "${KEYIDS[@]}"
-}
-
 edit_keys() {
 local errors=0;
 for key in ${KEYIDS[@]}; do
@@ -366,7 +363,7 @@ fi
 OPT_SHORT="a::d:e:f::hl::r:uv:V"
 OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
 OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::"
-OPT_LONG+=",lsign-key:,populate::,receive:,updatedb,verify:,version"
+OPT_LONG+=",lsign-key:,populate::,recv-keys:,updatedb,verify:,version"
 if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
 echo; usage; exit 1 # E_INVALID_OPTION;
 fi
@@ -390,11 +387,12 @@ while true; do
 --import) IMPORT=1; shift; IMPORT_DIRS=($1); UPDATEDB=1 ;;
 --import-trustdb) IMPORT_TRUSTDB=1; shift; IMPORT_DIRS=($1); UPDATEDB=1 ;;
 --init) INIT=1 ;;
+ --keyserver) shift; KEYSERVER=$1 ;;
 -l|--list-keys) LISTKEYS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
 --list-sigs) LISTSIGS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
 --lsign-key) LSIGNKEY=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
 --populate) POPULATE=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYRINGIDS=($1); UPDATEDB=1 ;;
- -r|--receive) RECEIVE=1; shift; TMP=($1); KEYSERVER=${TMP[0]}; KEYIDS=(${TMP[@]:1}); unset TMP; UPDATEDB=1 ;;
+ -r|--recv-keys) RECEIVE=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
 -u|--updatedb) UPDATEDB=1 ;;
 -v|--verify) VERIFY=1; shift; SIGNATURE=$1 ;;
 
@@ -429,6 +427,9 @@ fi
 
 PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-$(get_from "$CONFIG" "GPGDir" || echo "@sysconfdir@/pacman.d/gnupg")}
 GPG_PACMAN=(gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning)
+if [[ -n ${KEYSERVER} ]]; then
+ GPG_PACMAN+=(--keyserver ${KEYSERVER})
+fi
 
 # check only a single operation has been given
 # don't include UPDATEDB in here as other opts can induce it
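Review bot: In the last hunk, `GPG_PACMAN+=(--keyserver ${KEYSERVER})` appends the user-supplied value unquoted, so a value containing whitespace or glob characters is word-split and globbed into several array elements before gpg ever sees the argument; write `GPG_PACMAN+=(--keyserver "${KEYSERVER}")`. The `[[ -n ${KEYSERVER} ]]` test itself is fine since `[[` performs no splitting, and initialize() already quotes the same value when writing it to gpg.conf. The `while true; do` loop enclosing the option-parsing hunk starts and ends outside it.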
@@ -464,7 +465,7 @@ esac
 # TODO: we can't do --batch on lsign until we figure out --command-fd
 (( LSIGNKEY )) && "${GPG_PACMAN[@]}" --lsign-key "${KEYIDS[@]}"
 (( POPULATE )) && populate_keyring
-(( RECEIVE )) && receive_keys
+(( RECEIVE )) && "${GPG_PACMAN[@]}" --recv-keys "${KEYIDS[@]}"
 (( VERIFY )) && "${GPG_PACMAN[@]}" --verify $SIGNATURE
 
 if (( UPDATEDB )); then
-- 
1.7.6
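Review bot: With receive_keys() removed, `(( RECEIVE )) && "${GPG_PACMAN[@]}" --recv-keys "${KEYIDS[@]}"` no longer refuses an empty key list; `recv-keys:` makes the parser demand an argument, but an empty one (`-r ''`) presumably still leaves KEYIDS empty, and the script then runs gpg with no key ids and, because the option arm set UPDATEDB=1, goes on to update the trustdb anyway. Restoring the guard inline keeps the old behaviour: `if (( RECEIVE )); then` / `(( ${#KEYIDS[@]} )) || { error "$(gettext "You need to specify at least one key identifier")"; exit 1; }` / `"${GPG_PACMAN[@]}" --recv-keys "${KEYIDS[@]}"; fi`. Whether gpg itself fails usefully on an empty --recv-keys is not shown here.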
This allows new signatures to be pulled, revocations to be found, etc.
Signed-off-by: Dan McGee <dan@archlinux.org>
---
 doc/pacman-key.8.txt | 3 +++
 scripts/pacman-key.sh.in | 11 ++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index 824f0b3..5f94728 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -90,6 +90,9 @@ Options
 *-r, \--recv-keys* <keyid(s)>::
 Equivalent to '\--recv-keys' in GnuPG.
 
+*\--refresh-keys* [keyid(s)]::
+ Equivalent to '\--refresh-keys' in GnuPG.
+
 *\--populate* [keyring(s)]::
 Reload the default keys from the (optionally provided) keyrings in
 +{pkgdatadir}/keyrings+. For more information, see
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index ce95f5d..91a2559 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -41,6 +41,7 @@ LISTSIGS=0
 LSIGNKEY=0
 POPULATE=0
 RECEIVE=0
+REFRESH=0
 UPDATEDB=0
 VERIFY=0
 
@@ -81,6 +82,7 @@ usage() {
 echo "$(gettext " --lsign-key <keyid> Locally sign the specified keyid")"
 printf "$(gettext " --populate [keyring(s)] Reload the default keys from the (given) keyrings\n\
 in '%s'")\n" "@pkgdatadir@/keyrings"
+ echo "$(gettext " --refresh-keys [keyid(s)] Update specified or all keys from a keyserver")"
 }
 
 version() {
@@ -363,7 +365,8 @@ fi
 OPT_SHORT="a::d:e:f::hl::r:uv:V"
 OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
 OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::"
-OPT_LONG+=",lsign-key:,populate::,recv-keys:,updatedb,verify:,version"
+OPT_LONG+=",lsign-key:,populate::,recv-keys:,refresh-keys::,updatedb"
+OPT_LONG+=",verify:,version"
 if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
 echo; usage; exit 1 # E_INVALID_OPTION;
 fi
@@ -393,6 +396,7 @@ while true; do
 --lsign-key) LSIGNKEY=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
 --populate) POPULATE=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYRINGIDS=($1); UPDATEDB=1 ;;
 -r|--recv-keys) RECEIVE=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
+ --refresh-keys) REFRESH=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
 -u|--updatedb) UPDATEDB=1 ;;
 -v|--verify) VERIFY=1; shift; SIGNATURE=$1 ;;
 
@@ -411,7 +415,7 @@ if ! type -p gpg >/dev/null; then
 exit 1
 fi
 
-if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || LSIGNKEY || POPULATE || RECEIVE || UPDATEDB) && EUID != 0 )); then
+if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || LSIGNKEY || POPULATE || RECEIVE || REFRESH || UPDATEDB) && EUID != 0 )); then
 error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
 exit 1
 fi
@@ -434,7 +438,7 @@ fi
 # check only a single operation has been given
 # don't include UPDATEDB in here as other opts can induce it
 numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB +
- INIT + LISTKEYS + LISTSIGS + LSIGNKEY + POPULATE + RECEIVE + VERIFY ))
+ INIT + LISTKEYS + LISTSIGS + LSIGNKEY + POPULATE + RECEIVE + REFRESH + VERIFY ))
 
 case $numopt in
 0)
@@ -466,6 +470,7 @@ esac
 (( LSIGNKEY )) && "${GPG_PACMAN[@]}" --lsign-key "${KEYIDS[@]}"
 (( POPULATE )) && populate_keyring
 (( RECEIVE )) && "${GPG_PACMAN[@]}" --recv-keys "${KEYIDS[@]}"
+(( REFRESH )) && "${GPG_PACMAN[@]}" --refresh-keys "${KEYIDS[@]}"
 (( VERIFY )) && "${GPG_PACMAN[@]}" --verify $SIGNATURE
 
 if (( UPDATEDB )); then
-- 
1.7.6
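Review bot: The new `--refresh-keys` arm in the first hunk does not set `UPDATEDB=1`, unlike `-r|--recv-keys`, `--lsign-key` and `--populate` directly above it, even though the commit message says the point of refreshing is to pull in new signatures and revocations, which are exactly the changes after which the trustdb needs recomputing; end the arm with `... && shift && KEYIDS=($1); UPDATEDB=1 ;;`. The REFRESH flag is correctly added to the root check and the numopt sum in the later hunks, so the trustdb update is the only piece missing. The enclosing `while true; do` loop starts and ends outside the hunk.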
On 02/09/11 06:36, Dan McGee wrote:
This also renames '--receive' to '-recv-keys' to match the wrapped gpg option name, rather than invent a new one, now that the calling convention is the same.
Signed-off-by: Dan McGee<dan@archlinux.org> --- doc/pacman-key.8.txt | 10 ++++++++-- scripts/pacman-key.sh.in | 29 +++++++++++++++-------------- 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 7481ce5..824f0b3 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -71,6 +71,12 @@ Options Ensure the keyring is properly initialized and has the required access permissions.
+*\--keyserver*<keyserver>:: + Use the specified keyserver if the operation requires one. This will take + precedence over any keyserver option specified in a `gpg.conf` + configuration file. Running '\--init' with this option will set the default + keyserver if one was not already configured. + *-l, \--list-keys* [keyid(s)]:: Lists all or specified keys from the public keyring.
@@ -81,8 +87,8 @@ Options Locally sign the given key. This is primarily used to root the web of trust in the local private key generated by '\--init'.
-*-r, \--receive*<keyserver> <keyid(s)>:: - Fetch the specified keyid(s) from the specified key server URL. +*-r, \--recv-keys*<keyid(s)>:: + Equivalent to '\--recv-keys' in GnuPG.
*\--populate* [keyring(s)]:: Reload the default keys from the (optionally provided) keyrings in diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 9bb8182..ce95f5d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -35,6 +35,7 @@ FINGER=0 IMPORT=0 IMPORT_TRUSTDB=0 INIT=0 +KEYSERVER='' LISTKEYS=0 LISTSIGS=0 LSIGNKEY=0 @@ -43,6 +44,8 @@ RECEIVE=0 UPDATEDB=0 VERIFY=0
+DEFAULT_KEYSERVER='hkp://keys.gnupg.net' +
So the keyserver we have in our gpg.conf file has no effect... Either we should just not pass the --keyserver flag to gpg if none has been specified on the command line, or we should check no keyserver has been defined in gpg.conf before using the default. Allan
On 02/09/11 08:55, Allan McRae wrote:
On 02/09/11 06:36, Dan McGee wrote:
This also renames '--receive' to '-recv-keys' to match the wrapped gpg option name, rather than invent a new one, now that the calling convention is the same.
Signed-off-by: Dan McGee<dan@archlinux.org> --- doc/pacman-key.8.txt | 10 ++++++++-- scripts/pacman-key.sh.in | 29 +++++++++++++++-------------- 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 7481ce5..824f0b3 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -71,6 +71,12 @@ Options Ensure the keyring is properly initialized and has the required access permissions.
+*\--keyserver*<keyserver>:: + Use the specified keyserver if the operation requires one. This will take + precedence over any keyserver option specified in a `gpg.conf` + configuration file. Running '\--init' with this option will set the default + keyserver if one was not already configured. + *-l, \--list-keys* [keyid(s)]:: Lists all or specified keys from the public keyring.
@@ -81,8 +87,8 @@ Options Locally sign the given key. This is primarily used to root the web of trust in the local private key generated by '\--init'.
-*-r, \--receive*<keyserver> <keyid(s)>:: - Fetch the specified keyid(s) from the specified key server URL. +*-r, \--recv-keys*<keyid(s)>:: + Equivalent to '\--recv-keys' in GnuPG.
*\--populate* [keyring(s)]:: Reload the default keys from the (optionally provided) keyrings in diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 9bb8182..ce95f5d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -35,6 +35,7 @@ FINGER=0 IMPORT=0 IMPORT_TRUSTDB=0 INIT=0 +KEYSERVER='' LISTKEYS=0 LISTSIGS=0 LSIGNKEY=0 @@ -43,6 +44,8 @@ RECEIVE=0 UPDATEDB=0 VERIFY=0
+DEFAULT_KEYSERVER='hkp://keys.gnupg.net' +
So the keyserver we have in our gpg.conf file has no effect... Either we should just not pass the --keyserver flag to gpg if none has been specified on the command line, or we should check no keyserver has been defined in gpg.conf before using the default.
Argh... my bad... I read the patch too fast. It does exactly as I suggested! But I did find something:
@@ -366,7 +363,7 @@ fi OPT_SHORT="a::d:e:f::hl::r:uv:V" OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:" OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::" -OPT_LONG+=",lsign-key:,populate::,receive:,updatedb,verify:,version" +OPT_LONG+=",lsign-key:,populate::,recv-keys:,updatedb,verify:,version" if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then echo; usage; exit 1 # E_INVALID_OPTION; fi
Need to add "keyserver:" there. Allan
On Thu, Sep 1, 2011 at 6:04 PM, Allan McRae <allan@archlinux.org> wrote:
On 02/09/11 08:55, Allan McRae wrote:
On 02/09/11 06:36, Dan McGee wrote:
This also renames '--receive' to '-recv-keys' to match the wrapped gpg option name, rather than invent a new one, now that the calling convention is the same.
Signed-off-by: Dan McGee<dan@archlinux.org> --- doc/pacman-key.8.txt | 10 ++++++++-- scripts/pacman-key.sh.in | 29 +++++++++++++++-------------- 2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 7481ce5..824f0b3 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -71,6 +71,12 @@ Options Ensure the keyring is properly initialized and has the required access permissions.
+*\--keyserver*<keyserver>:: + Use the specified keyserver if the operation requires one. This will take + precedence over any keyserver option specified in a `gpg.conf` + configuration file. Running '\--init' with this option will set the default + keyserver if one was not already configured. + *-l, \--list-keys* [keyid(s)]:: Lists all or specified keys from the public keyring.
@@ -81,8 +87,8 @@ Options Locally sign the given key. This is primarily used to root the web of trust in the local private key generated by '\--init'.
-*-r, \--receive*<keyserver> <keyid(s)>:: - Fetch the specified keyid(s) from the specified key server URL. +*-r, \--recv-keys*<keyid(s)>:: + Equivalent to '\--recv-keys' in GnuPG.
*\--populate* [keyring(s)]:: Reload the default keys from the (optionally provided) keyrings in diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 9bb8182..ce95f5d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -35,6 +35,7 @@ FINGER=0 IMPORT=0 IMPORT_TRUSTDB=0 INIT=0 +KEYSERVER='' LISTKEYS=0 LISTSIGS=0 LSIGNKEY=0 @@ -43,6 +44,8 @@ RECEIVE=0 UPDATEDB=0 VERIFY=0
+DEFAULT_KEYSERVER='hkp://keys.gnupg.net' +
So the keyserver we have in our gpg.conf file has no effect... Either we should just not pass the --keyserver flag to gpg if none has been specified on the command line, or we should check no keyserver has been defined in gpg.conf before using the default.
Argh... my bad... I read the patch too fast. It does exactly as I suggested!
But I did find something:
@@ -366,7 +363,7 @@ fi OPT_SHORT="a::d:e:f::hl::r:uv:V" OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:" OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::" -OPT_LONG+=",lsign-key:,populate::,receive:,updatedb,verify:,version" +OPT_LONG+=",lsign-key:,populate::,recv-keys:,updatedb,verify:,version" if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then echo; usage; exit 1 # E_INVALID_OPTION; fi
Need to add "keyserver:" there.
Yeah that might help. Good to test these things, right? :) -Dan