[pacman-dev] [PATCH 1/4] pacman-key: lsign keys in --populate without prompting
There is no gain in security when we ask the user to type in "y" on every single key. It also makes scripting harder. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 482b56d..32c70dc 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -275,7 +275,7 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do -- 1.7.9.4
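Review bot: the loop in populate_keyring still ignores the exit status of `--lsign-key`, so once the prompt is gone a key that gpg fails to sign for any reason is skipped silently and the loop moves on, leaving that key unsigned (and therefore not trusted) without any message; wrap the call in a check, e.g. `if ! "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}"; then error ...; fi`, so the failing key_id is reported.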
We can just use --yes in batch mode. Also piping "y" two times was unnecessary. We also no longer need to use LANG=C for this call. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 32c70dc..46773ac 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -413,7 +413,7 @@ list_sigs() { lsign_keys() { check_keyids_exist - printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${KEYIDS[@]}" 2>/dev/null + "${GPG_PACMAN[@]}" --yes --quiet --batch --lsign-key "${KEYIDS[@]}" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "A specified key could not be locally signed.")" exit 1 -- 1.7.9.4
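Review bot: dropping the `printf 'y\ny\n' |` pipe makes the `if (( PIPESTATUS[1] ))` test right below the changed line dead code: a plain command fills PIPESTATUS with a single element, `PIPESTATUS[1]` expands to nothing, `(( ))` treats that as 0, and lsign_keys can no longer reach its "could not be locally signed" error. Use `if ! "${GPG_PACMAN[@]}" --yes --quiet --batch --lsign-key "${KEYIDS[@]}" 2>/dev/null; then` instead. Note also that the `2>/dev/null` now discards the only explanation gpg gives when the signing fails.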
Do not bother the user with gpg's verbose output. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..4c02d7d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" 2>/dev/null done # Read the trusted key IDs to an array. Because this is an ownertrust @@ -275,12 +275,12 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" 2>/dev/null done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null fi done fi -- 1.7.9.4
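Review bot: in the first hunk (the `--import` of `${keyring}.gpg`) the exit status is not checked and stderr is now thrown away, so an unreadable or corrupt keyring file produces no output and populate_keyring continues as if the keys were added; gpg's `--quiet` trims the per-key chatter without hiding errors, so prefer `--quiet --import` and keep stderr.

Review bot: in the second hunk (the `--lsign-key` loop) the same applies: the loop already ignores the return value, and with `2>/dev/null` a failed local signature leaves no trace at all; check the return value and drop the redirect, or at least test it with `if ! ...; then error ...; fi`.

Review bot: in the third hunk (`--import-ownertrust`) silencing stderr is the riskiest of the three, because a trust file that fails to import leaves every key at undefined trust, which only shows up later as signature verification failures with no hint why; keep stderr here or check the exit status and report the keyring name.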
On 25/03/12 22:10, Pierre Schmitz wrote:
Do not bother the user with gpg's verbose output.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..4c02d7d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" 2>/dev/null
Is the output on stderr? I am reluctant to remove real error output.
done
# Read the trusted key IDs to an array. Because this is an ownertrust @@ -275,12 +275,12 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" 2>/dev/null done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null fi done fi
On 25.03.2012 15:25, Allan McRae wrote:
On 25/03/12 22:10, Pierre Schmitz wrote:
Do not bother the user with gpg's verbose output.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..4c02d7d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" 2>/dev/null
Is the output on stderr? I am reluctant to remove real error output.
There shouldn't be much critical output here. But gpg also accepts the --quiet flag here which still outputs useless data but much less.

-- Pierre Schmitz, https://pierre-schmitz.com
Do not bother the user with gpg's verbose output. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 46773ac..b4bad1d 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -250,7 +250,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --quiet --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" done # Read the trusted key IDs to an array. Because this is an ownertrust @@ -275,12 +275,12 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" + "${GPG_PACMAN[@]}" --quiet --batch --yes --lsign-key "${key_id}" 2>/dev/null done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null fi done fi -- 1.7.9.5
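Review bot: the first hunk now uses `--quiet --import` and keeps stderr, which answers the concern raised on v1, but the second and third hunks still append `2>/dev/null` to `--lsign-key` and `--import-ownertrust` without checking their exit status; apply the same treatment there (`--quiet` instead of the redirect, or `if ! ...; then error ...; fi`), since a swallowed ownertrust import error only surfaces later as unexplained verification failures.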
We cannot rely on gpg's exit code. Instead we have to check the status-fd to figoure out whether a signature is valid or not. In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 4c02d7d..c5ecca5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,16 @@ refresh_keys() { } verify_sig() { - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then + local fd="$(mktemp)" + exec 4>"${fd}" + "${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE + exec 4>&- + if ! grep -q TRUST_FULLY "${fd}"; then + rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi + rm -f "${fd}" } updatedb() { -- 1.7.9.4
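Review bot: `grep -q TRUST_FULLY` rejects a valid signature from an ultimately trusted key, for which gpg emits TRUST_ULTIMATE, and it accepts nothing else about the signature: the check should also require a GOODSIG/VALIDSIG line and refuse on BADSIG, EXPKEYSIG or REVKEYSIG rather than key on the trust line alone, e.g. `grep -qE 'TRUST_(FULLY|ULTIMATE)'` combined with `grep -q GOODSIG`. The `exec 4>"${fd}"` / `exec 4>&-` pair can be replaced by `--status-file "${fd}"` as suggested, which also avoids leaving fd 4 open if gpg is interrupted; `$SIGNATURE` is still unquoted and will split on spaces in the path; and the variable named `fd` holds a file name, not a descriptor.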
On 25/03/12 22:10, Pierre Schmitz wrote:
We cannot rely on gpg's exit code. Instead we have to check the status-fd to figoure out whether a signature is valid or not.
typo ^
In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 4c02d7d..c5ecca5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,16 @@ refresh_keys() { }
verify_sig() { - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then + local fd="$(mktemp)" + exec 4>"${fd}" + "${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE
I think it would be safer to use --status-file here. We do that when verifying signatures in makepkg.
+ exec 4>&- + if ! grep -q TRUST_FULLY "${fd}"; then + rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi + rm -f "${fd}" }
updatedb() {
We cannot rely on gpg's exit code. Instead we have to check the status-fd to figure out whether a signature is valid or not. In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index b4bad1d..081a10a 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,14 @@ refresh_keys() { } verify_sig() { - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then + local fd="$(mktemp)" + "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE + if ! grep -q TRUST_FULLY "${fd}"; then + rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi + rm -f "${fd}" } updatedb() { -- 1.7.9.5
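Review bot: the `grep -q TRUST_FULLY` test is still the only criterion, so a signature by an ultimately trusted key (TRUST_ULTIMATE) is rejected and a transcript that also contains BADSIG, EXPKEYSIG or REVKEYSIG is not refused on that ground; match `TRUST_(FULLY|ULTIMATE)` and additionally require GOODSIG. `$SIGNATURE` remains unquoted on the `--verify` line and should be `"$SIGNATURE"`, and the temporary file is only removed on the two normal paths, so a `trap 'rm -f "$fd"' EXIT` (or quoting it as `"${fd}"` consistently and cleaning up in one place) would be tidier.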
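The status-file check that this patch argues for, written out as an added example rather than pacman-key's own code: a small parser for gpg's `--status-file` output that accepts a signature only on GOODSIG plus VALIDSIG plus full or ultimate trust, and rejects it on any of the failure keywords regardless of which TRUST_ line follows. It assumes `gpg` is on PATH for the `verify_sig` wrapper; the status keywords are gpg's documented status-fd protocol, while every key id, fingerprint, user id and transcript below is constructed for the demonstration, and the parser itself runs without gpg present.

```shell
#!/bin/sh
# Added example, not pacman-key code: decide whether a detached signature is
# acceptable from gpg's machine-readable status output (--status-file) instead
# of its exit code. Only the status keywords come from gpg's documented
# --status-fd protocol; every key id, fingerprint and user id below is
# constructed for the demonstration.

# status_ok FILE
# Succeeds only when the status file records a GOODSIG and a VALIDSIG line,
# no rejecting keyword, and a trust level of FULLY or ULTIMATE. Matching
# TRUST_FULLY alone (as the patch does) would turn away a signature made with
# an ultimately trusted key and would not notice a BADSIG or REVKEYSIG line.
status_ok() {
	local file goodsig validsig trust prefix keyword rest
	file=$1
	goodsig=0
	validsig=0
	trust=none
	# The || clause also handles a final line without a trailing newline.
	while read -r prefix keyword rest || [ -n "$keyword" ]; do
		[ "$prefix" = "[GNUPG:]" ] || continue
		case $keyword in
			GOODSIG) goodsig=1 ;;
			VALIDSIG) validsig=1 ;;
			# Any of these means reject, whatever TRUST_ line gpg prints afterwards.
			BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
			TRUST_FULLY|TRUST_ULTIMATE) trust=ok ;;
			TRUST_UNDEFINED|TRUST_NEVER|TRUST_MARGINAL) trust=bad ;;
		esac
	done < "$file"
	[ "$goodsig" -eq 1 ] && [ "$validsig" -eq 1 ] && [ "$trust" = ok ]
}

# verify_sig SIGFILE
# Runs gpg on a detached signature, parses the status file and returns
# 0 (accepted), 1 (rejected) or 2 (could not set up). gpg's own exit status is
# deliberately not consulted; the temporary file is removed on every path.
verify_sig() {
	local sig status rc
	sig=$1
	status=$(mktemp) || return 2
	gpg --batch --no-tty --status-file "$status" --verify "$sig" 2>/dev/null
	if status_ok "$status"; then rc=0; else rc=1; fi
	rm -f "$status"
	return "$rc"
}

# Constructed sample data for the parser; nothing here came from a real key.
KEYID=0123456789ABCDEF
FPR=0123456789ABCDEF0123456789ABCDEF01234567
UID_TEXT='Example Packager (constructed) <packager@example.org>'
VALIDSIG_LINE="[GNUPG:] VALIDSIG $FPR 2012-03-25 1332680000 0 4 0 1 10 00 $FPR"

# write_sample KIND FILE: writes one constructed status transcript to FILE.
write_sample() {
	case $1 in
		good)     printf '%s\n' '[GNUPG:] NEWSIG' "[GNUPG:] GOODSIG $KEYID $UID_TEXT" \
		              "$VALIDSIG_LINE" '[GNUPG:] TRUST_FULLY 0 pgp' > "$2" ;;
		ultimate) printf '%s\n' '[GNUPG:] NEWSIG' "[GNUPG:] GOODSIG $KEYID $UID_TEXT" \
		              "$VALIDSIG_LINE" '[GNUPG:] TRUST_ULTIMATE 0 pgp' > "$2" ;;
		marginal) printf '%s\n' '[GNUPG:] NEWSIG' "[GNUPG:] GOODSIG $KEYID $UID_TEXT" \
		              "$VALIDSIG_LINE" '[GNUPG:] TRUST_MARGINAL 0 pgp' > "$2" ;;
		bad)      printf '%s\n' '[GNUPG:] NEWSIG' "[GNUPG:] BADSIG $KEYID $UID_TEXT" > "$2" ;;
		nokey)    printf '%s\n' '[GNUPG:] NEWSIG' "[GNUPG:] ERRSIG $KEYID 1 10 00 1332680000 9" \
		              "[GNUPG:] NO_PUBKEY $KEYID" > "$2" ;;
		# Constructed: a signature by a revoked key. The parser rejects it on
		# REVKEYSIG no matter what trust line is present.
		revoked)  printf '%s\n' '[GNUPG:] NEWSIG' "[GNUPG:] REVKEYSIG $KEYID $UID_TEXT" \
		              "$VALIDSIG_LINE" '[GNUPG:] TRUST_FULLY 0 pgp' > "$2" ;;
		*)        return 2 ;;
	esac
}

# check_sample KIND: status_ok's verdict (0 accept, 1 reject) for one sample.
check_sample() {
	local f rc
	f=$(mktemp) || return 2
	write_sample "$1" "$f"
	if status_ok "$f"; then rc=0; else rc=1; fi
	rm -f "$f"
	return "$rc"
}

for kind in good ultimate marginal bad nokey revoked; do
	if check_sample "$kind"; then echo "$kind: accepted"; else echo "$kind: rejected"; fi
done
```

Running the script prints `good: accepted` and `ultimate: accepted` and rejects the other four transcripts. The parser treats the trust level as a separate question from signature validity, which is why a transcript carrying TRUST_FULLY next to a REVKEYSIG or BADSIG line is still refused; a single `grep` on the trust keyword cannot make that distinction.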
participants (2): Allan McRae, Pierre Schmitz