[pacman-dev] [PATCH 1/2] pacman-key: added verbose to commandline options
Signed-off-by: Matthew Sexton <wsdmatty@gmail.com> --- scripts/pacman-key.sh.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 05aab0c2..a59dba52 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -51,6 +51,7 @@ REFRESH=0 UPDATEDB=0 USE_COLOR='y' VERIFY=0 +VERBOSE=0 usage() { printf "pacman-key (pacman) %s\n" ${myver} @@ -77,6 +78,7 @@ usage() { printf -- "$(gettext " --populate Reload the default keys from the (given) keyrings\n\ in '%s'")\n" "@pkgdatadir@/keyrings" printf -- "$(gettext " --refresh-keys Update specified or all keys from a keyserver")\n" + printf -- "$(gettext " --verbose Show extra information")\n" echo printf -- "$(gettext "Options:")\n" printf -- "$(gettext " --config <file> Use an alternate config file (instead of\n\ @@ -541,7 +543,7 @@ OPT_SHORT="adefhlruvV" OPT_LONG=('add' 'config:' 'delete' 'edit-key' 'export' 'finger' 'gpgdir:' 'help' 'import' 'import-trustdb' 'init' 'keyserver:' 'list-keys' 'list-sigs' 'lsign-key' 'nocolor' 'populate' 'recv-keys' 'refresh-keys' 'updatedb' - 'verify' 'version') + 'verify' 'version' 'verbose') if ! parseopts "$OPT_SHORT" "${OPT_LONG[@]}" -- "$@"; then exit 1 # E_INVALID_OPTION fi @@ -575,6 +577,7 @@ while (( $# )); do --refresh-keys) REFRESH=1 ;; -u|--updatedb) UPDATEDB=1 ;; -v|--verify) VERIFY=1 ;; + --verbose) VERBOSE=1 ;; -h|--help) usage; exit 0 ;; -V|--version) version; exit 0 ;; -- 2.23.0
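Review bot: in the usage() hunk the new `--verbose` line is printed in the operations block, above the `echo` and `printf -- "$(gettext "Options:")\n"` that open the options block; since `--verbose` modifies the output of other operations rather than being one itself, it belongs below that header next to `--config <file>`, `--nocolor` and the other entries under Options:.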
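Review bot: `'verify' 'version' 'verbose')` in the OPT_LONG hunk breaks the alphabetical order the array keeps everywhere else; put 'verbose' between 'updatedb' and 'verify'. In the parse-loop hunk `--verbose) VERBOSE=1 ;;` is the only consumer-free flag in this patch: nothing reads VERBOSE yet, so the option is accepted but has no effect until the follow-up patch, and the commit message should say so.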
To cut down on spam during --populate, both locally signing and revoking keys now hide the specific keys being signed or revoked, but can be shown with --verbose. A count was added, to show the number of keys signed/revoked during the process. This commit closes: FS#64142 - pacman-key: make populate less noisy Signed-off-by: Matthew Sexton <wsdmatty@gmail.com> --- scripts/pacman-key.sh.in | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index a59dba52..4eea248b 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -334,11 +334,16 @@ populate_keyring() { done if (( ${#revoked_ids[@]} > 0 )); then + local key_count=0 msg "$(gettext "Disabling revoked keys in keyring...")" for key_id in "${!revoked_ids[@]}"; do - msg2 "$(gettext "Disabling key %s...")" "${key_id}" + key_count=$((key_count+1)) + if (( VERBOSE )); then + msg2 "$(gettext "Disabling key %s...")" "${key_id}" + fi printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null done + msg2 "$(gettext "Disabled %s keys.")" "${key_count}" fi } @@ -447,19 +452,24 @@ lsign_keys() { check_keyids_exist local ret=0 + local key_count=0 for key_id in "$@"; do - msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + if (( VERBOSE )); then + msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + fi # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${key_id}" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "%s could not be locally signed.")" "${key_id}" ret=1 fi + key_count=$((key_count+1)) done if (( ret )); then exit 1 fi + msg2 "$(gettext "Locally signed %s keys.")" "${key_count}" } receive_keys() { -- 2.23.0
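Review bot: in the populate_keyring() hunk `key_count=$((key_count+1))` runs before the `--edit-key` disable attempt and regardless of its outcome (the pipeline's status is never checked), so "Disabled %s keys." reports attempts rather than keys actually disabled; increment only after `gpg ... --edit-key` succeeds, which also lets a later check for already-disabled keys (the remaining part of FS#64142) skip them without inflating the count. The summary also reads "Disabled 1 keys." for a single key; ngettext gives the singular and plural forms separately.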
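Review bot: in the lsign_keys() hunk the `key_count=$((key_count+1))` placed after the `fi` counts a key even when `PIPESTATUS[1]` reported that lsign failed; the `exit 1` ahead of the summary hides that today, but move the increment into the success path (an `else` branch of the `if (( PIPESTATUS[1] ))` check) so the count stays truthful if partial failures are ever reported instead of aborting, and so keys that already carry a good local signature can later be skipped without being counted.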
On 4/11/19 3:14 am, Matthew Sexton wrote:
To cut down on spam during --populate, both locally signing and revoking keys now hide the specific keys being signed or revoked, but can be shown with --verbose. A count was added, to show the number of keys signed/revoked during the process.
Typo in commit subject - hid -> hide. Also change "spam" to output.
This commit closes: FS#64142 - pacman-key: make populate less noisy
There is an additional comment in the bug: "Additionally, we should consider only counting keys to be disabled that are not currently disabled. Same with lsign key." So, partially implements FS#64142. Minor comment below.
Signed-off-by: Matthew Sexton <wsdmatty@gmail.com> --- scripts/pacman-key.sh.in | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index a59dba52..4eea248b 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -334,11 +334,16 @@ populate_keyring() { done
if (( ${#revoked_ids[@]} > 0 )); then + local key_count=0 msg "$(gettext "Disabling revoked keys in keyring...")" for key_id in "${!revoked_ids[@]}"; do - msg2 "$(gettext "Disabling key %s...")" "${key_id}" + key_count=$((key_count+1))
Putting the key counting at the end would be useful if in the future we detect those keys already disabled and don't re-disable them.
+ if (( VERBOSE )); then + msg2 "$(gettext "Disabling key %s...")" "${key_id}" + fi printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null done + msg2 "$(gettext "Disabled %s keys.")" "${key_count}" fi }
@@ -447,19 +452,24 @@ lsign_keys() { check_keyids_exist
local ret=0 + local key_count=0 for key_id in "$@"; do - msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + if (( VERBOSE )); then + msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + fi # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${key_id}" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "%s could not be locally signed.")" "${key_id}" ret=1 fi + key_count=$((key_count+1)) done
if (( ret )); then exit 1 fi + msg2 "$(gettext "Locally signed %s keys.")" "${key_count}" }
receive_keys() {
On 11/3/19 6:35 PM, Allan McRae wrote:
This commit closes: FS#64142 - pacman-key: make populate less noisy
There is an additional comment in the bug: "Additionally, we should consider only counting keys to be disabled that are not currently disabled. Same with lsign key."
So, partially implements FS#64142.
So I dug around in /usr/share/doc/gnupg/DETAILS and I think I basically know what we need to get the rest of the way there. gpg --with-colons will be our friend here.

We'll need to:

figure out the keyid of the local master key (secret key):

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-secret-key
sec:u:2048:1:2150A73FE449203E:1539640294:::u:::scSC:::+:::23::0:
fpr:::::::::708A83C140BD668A8D52DDFF2150A73FE449203E:
grp:::::::::2595A2681C2DA4806EC088E4DF877DA80528FEB5:
uid:u::::1539640294::79311EDEA01302E0DBBB2F33AE799F8BB677652F::Pacman Keyring Master Key <pacman@localhost>::::::::::0:

Find the sec line, find field 5, my local secret key is 2150A73FE449203E.

Now we need to find out whether a given keyring key is already lsigned:

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --check-signatures anthraxx@master-key
tru::1:1572742808:1579736285:3:1:5
pub:f:4096:1:D6D055F927843F1C:1541685162:::m:::scESCA::::::23:1547746114:1 https\x3a//[2001\x3a4c48\x3a2\x3abf04\x3a20c\x3a29ff\x3afe84\x3ad087]\x3a443:
fpr:::::::::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:
uid:f::::1541685162::B588C0444DCADD3F0BBBEEBA44F9F02E089294E7::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:::::::::1547746114:1:
sig:!::1:39E4B877E62EB915:1546031667::::Sven-Hendrik Haase <svenstaro@gmail.com>:10x::8FC15A064950A99DD1BD14DD39E4B877E62EB915:::8:
sig:!::1:FC1B547C8D8172C8:1542066833::::Levente Polyak (anthraxx) <levente@leventepolyak.net>:10x::E240B57E2C4630BA768E2F26FC1B547C8D8172C8:::10:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:13x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:
sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman@localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:
sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10:
sub:f:4096:1:FEB12332C13054E7:1541685162::::::e::::::23:
fpr:::::::::86CC2A69D4B742C15239AD22FEB12332C13054E7:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:
sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10:
sub:f:4096:1:DEDF3FE3104A16F6:1541685530::::::a::::::23:
fpr:::::::::46A1EFF0753F9F10BB6B36DEDEDF3FE3104A16F6:
sig:!::1:D6D055F927843F1C:1541685530::::Levente Polyak (Arch Linux Master Key) <anthraxx@master-key.archlinux.org>:18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:

Here's the line we need, a 'sig' line:

sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman@localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:

Field 2 tells us whether the signature is good, either "!" for good or "-" for bad. Field 5 (again) tells us the id of the key, in this case the key which performed the signature. Does it match the previously detected secret key? If not, try to find another signature that is a secret key.

....

Now on to the "is it disabled" mode.

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-key 81D7F8241DB38BC759C80FCE3A726C6170E80477
tru::1:1572742808:1579736285:3:1:5
pub:-:2048:1:3A726C6170E80477:1321703264:::-:::scESCD::::::23::0:
fpr:::::::::81D7F8241DB38BC759C80FCE3A726C6170E80477:
uid:-::::1321703264::E0406C59D6C6B91ED55428F0A785052113EF060B::Роман Кирилич (Roman Kyrylych) <roman@archlinux.org>::::::::::0:
sub:-:2048:1:A9E18694A8AA192C:1321703264::::::e::::::23:
fpr:::::::::BEC1D058200080E7938CC822A9E18694A8AA192C:

This person is retired from Arch, and his key is disabled. Look at the 'pub' line, field 12 -- it contains a "D", so his key is disabled.

Matthew -- you want to take this the rest of the way?

-- 
Eli Schwartz
Bug Wrangler and Trusted User
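The three checks Eli walks through above (master keyid from the 'sec' record, an existing good local signature from a 'sig' record, the "D" in field 12 of 'pub'), written out as an added example in bash; this is not pacman-key's code, and every keyid and record below is constructed, modelled on the output in the message, so it runs without a keyring.

```bash
#!/bin/bash
# Added example, not pacman-key's own code: the --with-colons checks from the
# message above as functions reading colon records on stdin, so they could be
# fed from `gpg --homedir /etc/pacman.d/gnupg --with-colons ...` unchanged.

# 'sec' record, field 5: keyid of the local master (secret) key.
local_master_keyid() {
	awk -F: '$1 == "sec" { print $5; exit }'
}

# --check-signatures output: a 'sig' record whose field 2 is "!" (good) and
# whose field 5 is the master keyid means the key is already locally signed.
is_lsigned_by() {
	awk -F: -v signer="$1" \
		'$1 == "sig" && $2 == "!" && $5 == signer { found = 1 } END { exit !found }'
}

# --list-key output: 'pub' record, field 12 holds the capability letters and a
# "D" among them means the key is disabled.
is_disabled() {
	awk -F: '$1 == "pub" && index($12, "D") { found = 1 } END { exit !found }'
}

# Constructed sample records (keyids made up, modelled on the thread's output).
SECRET_LIST='sec:u:2048:1:AAAA1111BBBB2222:1539640294:::u:::scSC:::+:::23::0:
uid:u::::1539640294::0000::Pacman Keyring Master Key <pacman@localhost>::::::::::0:'
SIGNED_KEY='pub:f:4096:1:CCCC3333DDDD4444:1541685162:::m:::scESCA::::::23::0:
sig:!::1:CCCC3333DDDD4444:1541685162::::Some Master Key <master@example.org>:13x::0000:::10:
sig:!::1:AAAA1111BBBB2222:1548318377::::Pacman Keyring Master Key <pacman@localhost>:10l::0000:::8:'
# Same signer, but the signature checks bad ("-"), so this key still needs lsigning.
UNSIGNED_KEY='pub:f:4096:1:EEEE5555FFFF6666:1541685162:::m:::scESCA::::::23::0:
sig:-::1:AAAA1111BBBB2222:1548318377::::Pacman Keyring Master Key <pacman@localhost>:10l::0000:::8:'
DISABLED_KEY='pub:-:2048:1:7777888899990000:1321703264:::-:::scESCD::::::23::0:'
ACTIVE_KEY='pub:f:4096:1:CCCC3333DDDD4444:1541685162:::m:::scESCA::::::23::0:'

# Count only the keys that still need a local signature, which is what the
# remaining part of FS#64142 asks the populate summary to report.
count_keys_to_lsign() {
	local master count=0 records
	master=$(printf '%s\n' "$SECRET_LIST" | local_master_keyid)
	for records in "$@"; do
		printf '%s\n' "$records" | is_lsigned_by "$master" || count=$((count + 1))
	done
	echo "$count"
}
```

Pointing the functions at live output means replacing the constructed strings with the `gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons ...` invocations from the message, one key at a time.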
On 4/11/19 3:14 am, Matthew Sexton wrote:
Signed-off-by: Matthew Sexton <wsdmatty@gmail.com>
I'm OK with adding this option in a separate patch that does not use it. But note in the commit message that it currently does nothing. Couple of minor points below.
--- scripts/pacman-key.sh.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 05aab0c2..a59dba52 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -51,6 +51,7 @@ REFRESH=0 UPDATEDB=0 USE_COLOR='y' VERIFY=0 +VERBOSE=0
usage() { printf "pacman-key (pacman) %s\n" ${myver} @@ -77,6 +78,7 @@ usage() { printf -- "$(gettext " --populate Reload the default keys from the (given) keyrings\n\ in '%s'")\n" "@pkgdatadir@/keyrings" printf -- "$(gettext " --refresh-keys Update specified or all keys from a keyserver")\n" + printf -- "$(gettext " --verbose Show extra information")\n" echo printf -- "$(gettext "Options:")\n" printf -- "$(gettext " --config <file> Use an alternate config file (instead of\n\ @@ -541,7 +543,7 @@ OPT_SHORT="adefhlruvV" OPT_LONG=('add' 'config:' 'delete' 'edit-key' 'export' 'finger' 'gpgdir:' 'help' 'import' 'import-trustdb' 'init' 'keyserver:' 'list-keys' 'list-sigs' 'lsign-key' 'nocolor' 'populate' 'recv-keys' 'refresh-keys' 'updatedb' - 'verify' 'version') + 'verify' 'version' 'verbose')
These are in alphabetical order.
if ! parseopts "$OPT_SHORT" "${OPT_LONG[@]}" -- "$@"; then exit 1 # E_INVALID_OPTION fi @@ -575,6 +577,7 @@ while (( $# )); do --refresh-keys) REFRESH=1 ;; -u|--updatedb) UPDATEDB=1 ;; -v|--verify) VERIFY=1 ;; + --verbose) VERBOSE=1 ;;
Align with spaces.
-h|--help) usage; exit 0 ;; -V|--version) version; exit 0 ;;