[pacman-dev] [PATCH 1/4] pacman-key: lsign keys in --populate without prompting

newer
[pacman-dev] Fwd: Re: Unable to...

Pierre Schmitz

25 Mar 2012 25 Mar '12

12:10 p.m.

There is no gain in security when we ask the user to type in "y" on every single key. It also makes scripting harder. Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 482b56d..32c70dc 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -275,7 +275,7 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do -- 1.7.9.4

Show replies by thread

Pierre Schmitz

25 Mar 25 Mar

12:10 p.m.

New subject: [pacman-dev] [PATCH 2/4] pacman-key: Use --yes to confirm lsign-key

We can just use --yes in batch mode. Also piping "y" two times was unnecessary. We also no longer need to use LANG=C for this call. Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 32c70dc..46773ac 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -413,7 +413,7 @@ list_sigs() { lsign_keys() { check_keyids_exist - printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${KEYIDS[@]}" 2>/dev/null + "${GPG_PACMAN[@]}" --yes --quiet --batch --lsign-key "${KEYIDS[@]}" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "A specified key could not be locally signed.")" exit 1 -- 1.7.9.4

Pierre Schmitz

12:10 p.m.

New subject: [pacman-dev] [PATCH 3/4] pacman-key: reduce verbosity of --populate

Do not bother the user with gpg's verbose output. Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..4c02d7d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" 2>/dev/null done # Read the trusted key IDs to an array. Because this is an ownertrust @@ -275,12 +275,12 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" 2>/dev/null done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null fi done fi -- 1.7.9.4

Pierre Schmitz

12:10 p.m.

New subject: [pacman-dev] [PATCH 4/4] pacman-key: Actually verify signatures and exit with correct codes

We cannot rely on gpg's exit code. Instead we have to check the status-fd to figoure out whether a signature is valid or not. In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid. Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 4c02d7d..c5ecca5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,16 @@ refresh_keys() { } verify_sig() { - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then + local fd="$(mktemp)" + exec 4>"${fd}" + "${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE + exec 4>&- + if ! grep -q TRUST_FULLY "${fd}"; then + rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi + rm -f "${fd}" } updatedb() { -- 1.7.9.4

Allan McRae

2:23 p.m.

New subject: [pacman-dev] [PATCH 4/4] pacman-key: Actually verify signatures and exit with correct codes

On 25/03/12 22:10, Pierre Schmitz wrote:

...

We cannot rely on gpg's exit code. Instead we have to check the status-fd to figoure out whether a signature is valid or not.

typo ^

...

In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid.

Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 4c02d7d..c5ecca5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,16 @@ refresh_keys() { }

verify_sig() { - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then + local fd="$(mktemp)" + exec 4>"${fd}" + "${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE

I think it would be safer to use --status-file here. We do that when verifying signatures in makepkg.

...

+ exec 4>&- + if ! grep -q TRUST_FULLY "${fd}"; then + rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi + rm -f "${fd}" }

updatedb() {

Allan McRae

2:25 p.m.

New subject: [pacman-dev] [PATCH 3/4] pacman-key: reduce verbosity of --populate

On 25/03/12 22:10, Pierre Schmitz wrote:

...

Do not bother the user with gpg's verbose output.

Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..4c02d7d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" 2>/dev/null

Is the output on stderr? I am reluctant to remove real error output.

...

done

# Read the trusted key IDs to an array. Because this is an ownertrust @@ -275,12 +275,12 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" 2>/dev/null done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null fi done fi

Pierre Schmitz

3 p.m.

New subject: [pacman-dev] [PATCH 3/4] pacman-key: reduce verbosity of --populate

Am 25.03.2012 15:25, schrieb Allan McRae:

...

On 25/03/12 22:10, Pierre Schmitz wrote:

...
Do not bother the user with gpg's verbose output.

Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..4c02d7d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" 2>/dev/null

Is the output on stderr? I am reluctant to remove real error output.

There shouldn't be much critical output here. But gpg also accepts the --quiet flag here which still outputs useless data but much less. -- Pierre Schmitz, https://pierre-schmitz.com

Pierre Schmitz

31 Mar 31 Mar

1:54 p.m.

New subject: [pacman-dev] [PATCH 3/4] pacman-key: reduce verbosity of --populate

Do not bother the user with gpg's verbose output. Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..b4bad1d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --quiet --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" done # Read the trusted key IDs to an array. Because this is an ownertrust @@ -275,12 +275,12 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" 2>/dev/null done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null fi done fi -- 1.7.9.5

Pierre Schmitz

1:55 p.m.

New subject: [pacman-dev] [PATCH 4/4] pacman-key: Actually verify signatures and exit with correct codes

We cannot rely on gpg's exit code. Instead we have to check the status-fd to figure out whether a signature is valid or not. In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid. Signed-off-by: Pierre Schmitz --- scripts/pacman-key.sh.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index b4bad1d..081a10a 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,14 @@ refresh_keys() { } verify_sig() { - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then + local fd="$(mktemp)" + "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE + if ! grep -q TRUST_FULLY "${fd}"; then + rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi + rm -f "${fd}" } updatedb() { -- 1.7.9.5

4407

Age (days ago)

4413

Last active (days ago)

List overview

Download

8 comments

2 participants

participants (2)

Allan McRae
Pierre Schmitz

[pacman-dev] [PATCH 1/4] pacman-key: lsign keys in --populate without prompting

tags

participants (2)