[pacman-dev] [PATCH 1/2] pacman-key: verify TRUST_ULTIMATE keys as good
Extend our grep pattern to match TRUST_ULTIMATE, not just TRUST_FULLY, as these keys are to be trusted as well. Signed-off-by: Dave Reisner <dreisner@archlinux.org> --- pacman-key would exit with an error here, but still show the success message from gpg itself, e.g. if my key is TRUST_ULTIMATE: $ pacman-key --verify curl-7.25.0-1-x86_64.pkg.tar.xz.sig gpg: Signature made Thu 22 Mar 2012 07:51:44 PM EDT using RSA key ID F56C0C53 gpg: NOTE: trustdb not writable gpg: Good signature from "Dave Reisner <d@falconindy.com>" gpg: aka "Dave Reisner <dreisner@archlinux.org>" ==> ERROR: The signature identified by curl-7.25.0-1-x86_64.pkg.tar.xz.sig could not be verified. scripts/pacman-key.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 9a77a19..1a2bac3 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -441,7 +441,7 @@ refresh_keys() { verify_sig() { local fd="$(mktemp)" "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE - if ! grep -q TRUST_FULLY "${fd}"; then + if ! grep -qE 'TRUST_(FULLY|ULTIMATE)' "${fd}"; then rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 -- 1.7.10
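Review bot: the unchanged `error "$(gettext "The signature identified by %s could not be verified.")"` line in this hunk still conflates two distinct outcomes, a bad or missing signature and a good signature from a key below full trust, which is exactly the confusing result the commit message reproduces (gpg prints "Good signature" while pacman-key reports an error). Since gpg emits TRUST_* status lines only alongside a GOODSIG, consider checking for GOODSIG first and reporting the insufficient-trust case with its own message, so a user can tell a forged package from a key whose trust merely needs raising. The unquoted `$SIGNATURE` in the context line `"${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE` is also subject to word splitting, though that predates this patch.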
Use --status-fd rather than --status-file to keep this contained in a pipeline. Signed-off-by: Dave Reisner <dreisner@archlinux.org> --- scripts/pacman-key.sh.in | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 1a2bac3..87d7658 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -439,14 +439,10 @@ refresh_keys() { } verify_sig() { - local fd="$(mktemp)" - "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE - if ! grep -qE 'TRUST_(FULLY|ULTIMATE)' "${fd}"; then - rm -f "${fd}" + if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify $SIGNATURE | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi - rm -f "${fd}" } updatedb() { -- 1.7.10
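Review bot: the new pipeline `"${GPG_PACMAN[@]}" --status-fd 1 --verify $SIGNATURE | grep -qE 'TRUST_(FULLY|ULTIMATE)'` makes the pipeline's exit status that of grep alone, so a gpg failure for any other reason (signature file not found, keyring missing, gpg not installed) now produces the same "could not be verified" error as an untrusted key, with no way to distinguish them. Since the script is already bash (`${GPG_PACMAN[@]}`), `${PIPESTATUS[0]}` can be inspected after the pipeline to report gpg's own failure separately; note also that `grep -q` exits on the first match and may close the pipe before gpg finishes writing, which is harmless for this check but should be kept in mind if more status lines are parsed later.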
On 09/04/12 04:13, Dave Reisner wrote:
Use --status-fd rather than --status-file to keep this contained in a pipeline.
Signed-off-by: Dave Reisner <dreisner@archlinux.org> --- scripts/pacman-key.sh.in | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 1a2bac3..87d7658 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -439,14 +439,10 @@ refresh_keys() { }
verify_sig() { - local fd="$(mktemp)" - "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE - if ! grep -qE 'TRUST_(FULLY|ULTIMATE)' "${fd}"; then - rm -f "${fd}" + if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify $SIGNATURE | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE"
I remember, while adding signature verification to pacman, that we had to use the status file to avoid some issue... But what exactly that issue was I cannot remember.
exit 1 fi - rm -f "${fd}" }
updatedb() {