[pacman-dev] [PATCH 1/2] pacman-key: added verbose to commandline options

Matthew Sexton

3 Nov 2019 3 Nov '19

6:14 p.m.

Signed-off-by: Matthew Sexton --- scripts/pacman-key.sh.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 05aab0c2..a59dba52 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -51,6 +51,7 @@ REFRESH=0 UPDATEDB=0 USE_COLOR='y' VERIFY=0 +VERBOSE=0 usage() { printf "pacman-key (pacman) %s\n" ${myver} @@ -77,6 +78,7 @@ usage() { printf -- "$(gettext " --populate Reload the default keys from the (given) keyrings\n\ in '%s'")\n" "@pkgdatadir@/keyrings" printf -- "$(gettext " --refresh-keys Update specified or all keys from a keyserver")\n" + printf -- "$(gettext " --verbose Show extra information")\n" echo printf -- "$(gettext "Options:")\n" printf -- "$(gettext " --config <file> Use an alternate config file (instead of\n\ @@ -541,7 +543,7 @@ OPT_SHORT="adefhlruvV" OPT_LONG=('add' 'config:' 'delete' 'edit-key' 'export' 'finger' 'gpgdir:' 'help' 'import' 'import-trustdb' 'init' 'keyserver:' 'list-keys' 'list-sigs' 'lsign-key' 'nocolor' 'populate' 'recv-keys' 'refresh-keys' 'updatedb' - 'verify' 'version') + 'verify' 'version' 'verbose') if ! parseopts "$OPT_SHORT" "${OPT_LONG[@]}" -- "$@"; then exit 1 # E_INVALID_OPTION fi @@ -575,6 +577,7 @@ while (( $# )); do --refresh-keys) REFRESH=1 ;; -u|--updatedb) UPDATEDB=1 ;; -v|--verify) VERIFY=1 ;; + --verbose) VERBOSE=1 ;; -h|--help) usage; exit 0 ;; -V|--version) version; exit 0 ;; -- 2.23.0

Show replies by date

Matthew Sexton

3 Nov 3 Nov

6:14 p.m.

New subject: [pacman-dev] [PATCH 2/2] pacman-key: hid lsign and revoke spam behind --verbose

To cut down on spam during --populate, both locally signing and revoking keys now hide the specific keys being signed or revoked, but can be shown with --verbose. A count was added, to show the number of keys signed/revoked during the process. This commit closes: FS#64142 - pacman-key: make populate less noisy Signed-off-by: Matthew Sexton --- scripts/pacman-key.sh.in | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index a59dba52..4eea248b 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -334,11 +334,16 @@ populate_keyring() { done if (( ${#revoked_ids[@]} > 0 )); then + local key_count=0 msg "$(gettext "Disabling revoked keys in keyring...")" for key_id in "${!revoked_ids[@]}"; do - msg2 "$(gettext "Disabling key %s...")" "${key_id}" + key_count=$((key_count+1)) + if (( VERBOSE )); then + msg2 "$(gettext "Disabling key %s...")" "${key_id}" + fi printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null done + msg2 "$(gettext "Disabled %s keys.")" "${key_count}" fi } @@ -447,19 +452,24 @@ lsign_keys() { check_keyids_exist local ret=0 + local key_count=0 for key_id in "$@"; do - msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + if (( VERBOSE )); then + msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + fi # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${key_id}" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "%s could not be locally signed.")" "${key_id}" ret=1 fi + key_count=$((key_count+1)) done if (( ret )); then exit 1 fi + msg2 "$(gettext "Locally signed %s keys.")" "${key_count}" } receive_keys() { -- 2.23.0

Allan McRae

4 Nov 4 Nov

12:35 a.m.

New subject: [pacman-dev] [PATCH 2/2] pacman-key: hid lsign and revoke spam behind --verbose

On 4/11/19 3:14 am, Matthew Sexton wrote:

...

To cut down on spam during --populate, both locally signing and revoking keys now hide the specific keys being signed or revoked, but can be shown with --verbose. A count was added, to show the number of keys signed/revoked during the process.

Typo in commit subject - hid -> hide. Also change "spam" to output.

...

This commit closes: FS#64142 - pacman-key: make populate less noisy

There is an addition comment in the bug: "Additionally, we should consider only counting keys to be disabled that are not currently disabled. Same with lsign key." So, partially implements FS#64142. Minor comment below.

...

Signed-off-by: Matthew Sexton --- scripts/pacman-key.sh.in | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index a59dba52..4eea248b 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -334,11 +334,16 @@ populate_keyring() { done

if (( ${#revoked_ids[@]} > 0 )); then + local key_count=0 msg "$(gettext "Disabling revoked keys in keyring...")" for key_id in "${!revoked_ids[@]}"; do - msg2 "$(gettext "Disabling key %s...")" "${key_id}" + key_count=$((key_count+1))

Putting the key counting at the end would be useful if in the future we detect those keys already disabled and don't re-disable them.

...

+ if (( VERBOSE )); then + msg2 "$(gettext "Disabling key %s...")" "${key_id}" + fi printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null done + msg2 "$(gettext "Disabled %s keys.")" "${key_count}" fi }

@@ -447,19 +452,24 @@ lsign_keys() { check_keyids_exist

local ret=0 + local key_count=0 for key_id in "$@"; do - msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + if (( VERBOSE )); then + msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + fi # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${key_id}" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "%s could not be locally signed.")" "${key_id}" ret=1 fi + key_count=$((key_count+1)) done

if (( ret )); then exit 1 fi + msg2 "$(gettext "Locally signed %s keys.")" "${key_count}" }

receive_keys() {

Eli Schwartz

3:58 a.m.

New subject: [pacman-dev] [PATCH 2/2] pacman-key: hid lsign and revoke spam behind --verbose

On 11/3/19 6:35 PM, Allan McRae wrote:

...

...
This commit closes: FS#64142 - pacman-key: make populate less noisy

There is an addition comment in the bug: "Additionally, we should consider only counting keys to be disabled that are not currently disabled. Same with lsign key."

So, partially implements FS#64142.

So I dug around in /usr/share/doc/gnupg/DETAILS and I think I basically know what we need to get the rest of the way there. gpg --with-colons will be our friend here. We'll need to: figure out the keyid of the local master key (secret key): $ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-secret-key sec:u:2048:1:2150A73FE449203E:1539640294:::u:::scSC:::+:::23::0: fpr:::::::::708A83C140BD668A8D52DDFF2150A73FE449203E: grp:::::::::2595A2681C2DA4806EC088E4DF877DA80528FEB5: uid:u::::1539640294::79311EDEA01302E0DBBB2F33AE799F8BB677652F::Pacman Keyring Master Key ::::::::::0: Find the sec line, find field 5, my local secret key is 2150A73FE449203E. Now we need to find out whether a given keyring key is already lsigned: $ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --check-signatures anthraxx@master-key tru::1:1572742808:1579736285:3:1:5 pub:f:4096:1:D6D055F927843F1C:1541685162:::m:::scESCA::::::23:1547746114:1 https\x3a//[2001\x3a4c48\x3a2\x3abf04\x3a20c\x3a29ff\x3afe84\x3ad087]\x3a443: fpr:::::::::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C: uid:f::::1541685162::B588C0444DCADD3F0BBBEEBA44F9F02E089294E7::Levente Polyak (Arch Linux Master Key) :::::::::1547746114:1: sig:!::1:39E4B877E62EB915:1546031667::::Sven-Hendrik Haase :10x::8FC15A064950A99DD1BD14DD39E4B877E62EB915:::8: sig:!::1:FC1B547C8D8172C8:1542066833::::Levente Polyak (anthraxx) :10x::E240B57E2C4630BA768E2F26FC1B547C8D8172C8:::10: sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) :13x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10: sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key :10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8: sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10: sub:f:4096:1:FEB12332C13054E7:1541685162::::::e::::::23: fpr:::::::::86CC2A69D4B742C15239AD22FEB12332C13054E7: sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) :18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10: sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10: sub:f:4096:1:DEDF3FE3104A16F6:1541685530::::::a::::::23: fpr:::::::::46A1EFF0753F9F10BB6B36DEDEDF3FE3104A16F6: sig:!::1:D6D055F927843F1C:1541685530::::Levente Polyak (Arch Linux Master Key) :18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10: Here's the line we need, a 'sig' line: sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key :10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8: Field 2 tells us whether the signature is good, either "!" for good or "-" for bad. Field 5 (again) tells us the id of the key, in this case the key which performed the signature. Does it match the previously detected secret key? If not, try to find another signature that is a secret key. .... Now on to the "is it disabled" mode. $ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-key 81D7F8241DB38BC759C80FCE3A726C6170E80477 tru::1:1572742808:1579736285:3:1:5 pub:-:2048:1:3A726C6170E80477:1321703264:::-:::scESCD::::::23::0: fpr:::::::::81D7F8241DB38BC759C80FCE3A726C6170E80477: uid:-::::1321703264::E0406C59D6C6B91ED55428F0A785052113EF060B::Роман Кирилич (Roman Kyrylych) ::::::::::0: sub:-:2048:1:A9E18694A8AA192C:1321703264::::::e::::::23: fpr:::::::::BEC1D058200080E7938CC822A9E18694A8AA192C: This person is retired from Arch, and his key is disabled. Look at the 'pub' line, field 12 -- it contains a "D", so his key is disabled. Matthew -- you want to take this the rest of the way? -- Eli Schwartz Bug Wrangler and Trusted User

Allan McRae

12:31 a.m.

On 4/11/19 3:14 am, Matthew Sexton wrote:

...

Signed-off-by: Matthew Sexton

I'm OK with adding this option in a separate patch that does not use it. But note in the commit message that it currently does nothing. Couple of minor points below.

...

--- scripts/pacman-key.sh.in | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 05aab0c2..a59dba52 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -51,6 +51,7 @@ REFRESH=0 UPDATEDB=0 USE_COLOR='y' VERIFY=0 +VERBOSE=0

usage() { printf "pacman-key (pacman) %s\n" ${myver} @@ -77,6 +78,7 @@ usage() { printf -- "$(gettext " --populate Reload the default keys from the (given) keyrings\n\ in '%s'")\n" "@pkgdatadir@/keyrings" printf -- "$(gettext " --refresh-keys Update specified or all keys from a keyserver")\n" + printf -- "$(gettext " --verbose Show extra information")\n" echo printf -- "$(gettext "Options:")\n" printf -- "$(gettext " --config <file> Use an alternate config file (instead of\n\ @@ -541,7 +543,7 @@ OPT_SHORT="adefhlruvV" OPT_LONG=('add' 'config:' 'delete' 'edit-key' 'export' 'finger' 'gpgdir:' 'help' 'import' 'import-trustdb' 'init' 'keyserver:' 'list-keys' 'list-sigs' 'lsign-key' 'nocolor' 'populate' 'recv-keys' 'refresh-keys' 'updatedb' - 'verify' 'version') + 'verify' 'version' 'verbose')

These are in alphabetical order.

...

if ! parseopts "$OPT_SHORT" "${OPT_LONG[@]}" -- "$@"; then exit 1 # E_INVALID_OPTION fi @@ -575,6 +577,7 @@ while (( $# )); do --refresh-keys) REFRESH=1 ;; -u|--updatedb) UPDATEDB=1 ;; -v|--verify) VERIFY=1 ;; + --verbose) VERBOSE=1 ;;

Align with spaces.

...

-h|--help) usage; exit 0 ;; -V|--version) version; exit 0 ;;

1638

Age (days ago)

1639

Last active (days ago)

List overview

Download

4 comments

3 participants

participants (3)

Allan McRae
Eli Schwartz
Matthew Sexton