[pacman-dev] [PATCH 1/2] pacman-key: Use lsign_keys function in --populate
This reduces code duplication and also makes --populate a non-interactive function. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 3 ++- 1 Datei geändert, 2 Zeilen hinzugefügt(+), 1 Zeile entfernt(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index ae491d2..e5b6021 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -302,7 +302,7 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}" + lsign_keys "${key_id}" done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do @@ -440,6 +440,7 @@ list_sigs() { lsign_keys() { check_keyids_exist + # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "$@" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "A specified key could not be locally signed.")" -- 1.7.10.4
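Review bot: the populate_keyring hunk changes error behaviour, not just de-duplicates: the old `"${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}"` let gpg's stderr through and ignored the status, whereas `lsign_keys "${key_id}"` sends gpg's stderr to /dev/null and reports only "A specified key could not be locally signed." when `PIPESTATUS[1]` is non-zero; what the loop does after that `error` (skip the key or abort --populate) is outside the hunk, so please confirm `lsign_keys` returns rather than exits so the remaining `trusted_ids` are still processed, and say so in the commit message, since "non-interactive" now also means "fails without gpg's reason".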
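Review bot: in the lsign_keys hunk the new comment explains why `--yes` is not sufficient, but the function signature still advertises `"$@"` while the follow-up in this thread notes that gpg does not handle more than one key id here; either loop over "$@" and invoke gpg once per key, or document the single-argument contract next to the comment. The comment should also state that `printf 'y\ny\n'` answers exactly two prompts, so the assumption is visible if a future gpg asks a different number of questions.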
Do not bother the user with gpg's verbose output. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 4 ++-- 1 Datei geändert, 2 Zeilen hinzugefügt(+), 2 Zeilen entfernt(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index e5b6021..df1ff9e 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -277,7 +277,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --quiet --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" done # Read the trusted key IDs to an array. Because this is an ownertrust @@ -307,7 +307,7 @@ populate_keyring() { msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null fi done fi -- 1.7.10.4
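Review bot: in the first hunk `--quiet` is fine, but the loop still does not examine the exit status of `"${GPG_PACMAN[@]}" --quiet --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg"`, so a missing or corrupt `${keyring}.gpg` is reported only by whatever gpg happens to print and --populate carries on to locally sign keys that were never imported; suggest `|| error "$(gettext "...")"` in the style already used by lsign_keys.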
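Review bot: in the second hunk `2>/dev/null` discards errors along with the "changing ownertrust" chatter, and the exit status of `--import-ownertrust` is not checked either, so a `${keyring}-trusted` file that gpg rejects passes silently (the preceding `[[ -s ... ]]` only rules out an empty file). If the noise has to go, pair the redirect with a status check, e.g. `... 2>/dev/null || error "$(gettext "Could not import owner trust values from %s")" "$keyring"`, or capture stderr to a temporary file and print it only on failure.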
On 19/06/12 00:46, Pierre Schmitz wrote:
Do not bother the user with gpg's verbose output.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index e5b6021..df1ff9e 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -277,7 +277,7 @@ populate_keyring() { # Add keys from requested keyrings for keyring in "${KEYRINGIDS[@]}"; do msg "$(gettext "Appending keys from %s.gpg...")" "$keyring" - "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" + "${GPG_PACMAN[@]}" --quiet --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg"
Ack.
done
# Read the trusted key IDs to an array. Because this is an ownertrust @@ -307,7 +307,7 @@ populate_keyring() { msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then - "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null
Ugh... I hate how mundane stuff is printed to stderr here. Is there anything that can possibly go wrong during this step that would actually require us to see output on stderr?
On 19.06.2012 06:42, Allan McRae wrote:
On 19/06/12 00:46, Pierre Schmitz wrote:
- "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null
Ugh... I hate how mundane stuff is printed to stderr here. Is there anything that can possibly go wrong during this step that would actually require us to see output on stderr?
The problem here is that gpg outputs just everything to stderr here, not just errors. And this output is not even that helpful. It would print something like "gpg: changing ownertrust from 2 to 4" five times.

I would say it's safe enough to suppress any output here. The only errors I can think of are that either your gnupg homedir is corrupt (which we would detect much earlier in the script) or the ownertrust file includes garbage. Wrong data won't matter here; gpg does not complain if you set the trust level of a non-existent key here.

-- 
Pierre Schmitz, https://pierre-schmitz.com
On 19/06/12 22:38, Pierre Schmitz wrote:
On 19.06.2012 06:42, Allan McRae wrote:
On 19/06/12 00:46, Pierre Schmitz wrote:
- "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted" 2>/dev/null
Ugh... I hate how mundane stuff is printed to stderr here. Is there anything that can possibly go wrong during this step that would actually require us to see output on stderr?
The problem here is that gpg outputs just everything to stderr here, not just errors. And this output is not even that helpful. It would print something like "gpg: changing ownertrust from 2 to 4" five times.
I would say it's safe enough to suppress any output here. The only errors I can think of are that either your gnupg homedir is corrupt (which we would detect much earlier in the script) or the ownertrust file includes garbage. Wrong data won't matter here; gpg does not complain if you set the trust level of a non-existent key here.
I'm going to give this patch a tentative ack... I do not like the idea of hiding stderr at all, but it seems that the scope for an actual error to be output here is very small, and too much output is almost as bad as no output.

Pulled to my working branch,
Allan
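An added example, not pacman-key code and not part of either participant's patches, showing the middle ground this exchange is weighing: capture gpg's stderr, throw it away on success and replay it on failure, and put the gpg call at the tail of the pipeline so its status is plain `$?` with no need for bash's PIPESTATUS. It assumes a POSIX sh with mktemp; fake_confirm is a constructed stand-in for `gpg --command-fd 0 --batch --lsign-key` (reads two answers from stdin, prints "changing ownertrust" style noise on stderr, fails with status 2 unless both answers are y) and is not gpg.

```shell
# Added example (not pacman-key, not gpg): quiet on success, loud on failure.

# run_quiet CMD ARGS...: run CMD with stderr captured to a temp file. On
# success the capture is discarded; on failure it is replayed on our stderr
# together with the exit status, so "quiet" never means "errors are lost".
run_quiet() {
    _rq_tmp=$(mktemp) || return 1
    if "$@" 2>"$_rq_tmp"; then
        _rq_rc=0
    else
        _rq_rc=$?
        printf 'error: %s failed with status %d; its stderr was:\n' "$1" "$_rq_rc" >&2
        cat "$_rq_tmp" >&2
    fi
    rm -f "$_rq_tmp"
    return "$_rq_rc"
}

# confirm_run CMD ARGS...: feed the same two "y" answers that lsign_keys
# pipes into gpg (--command-fd 0). The wrapped command is the last element
# of the pipeline, so the caller checks $? instead of PIPESTATUS[1].
confirm_run() {
    printf 'y\ny\n' | run_quiet "$@"
}

# fake_confirm: constructed stand-in for gpg, used only to exercise the
# helpers above. Two answers on stdin, chatter on stderr, status 2 on refusal.
fake_confirm() {
    read -r _fc_first || _fc_first=""
    read -r _fc_second || _fc_second=""
    echo "fake: changing ownertrust from 2 to 4" >&2   # noise we want hidden
    if [ "$_fc_first" = "y" ] && [ "$_fc_second" = "y" ]; then
        return 0
    fi
    echo "fake: signing refused" >&2                   # line we must not hide
    return 2
}
```

With run_quiet in front of the `--import-ownertrust` and `--lsign-key` calls, the "changing ownertrust from 2 to 4" lines stay off the terminal on the normal path while the rare failure Allan asks about still reaches the user with gpg's own message attached.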
On 18.06.2012 16:46, Pierre Schmitz wrote:
lsign_keys() { check_keyids_exist + # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "$@" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "A specified key could not be locally signed.")"
Just a note: This function looks like it would accept more than one keyid, but it seems gpg won't handle that.

-- 
Pierre Schmitz, https://pierre-schmitz.com
On 19/06/12 00:46, Pierre Schmitz wrote:
This reduces code duplication and also makes --populate a non-interactive function.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index ae491d2..e5b6021 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -302,7 +302,7 @@ populate_keyring() { msg "$(gettext "Locally signing trusted keys in keyring...")" for key_id in "${!trusted_ids[@]}"; do msg2 "$(gettext "Locally signing key %s...")" "${key_id}" - "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}" + lsign_keys "${key_id}" done msg "$(gettext "Importing owner trust values...")" for keyring in "${KEYRINGIDS[@]}"; do @@ -440,6 +440,7 @@ list_sigs() {
lsign_keys() { check_keyids_exist + # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "$@" 2>/dev/null if (( PIPESTATUS[1] )); then error "$(gettext "A specified key could not be locally signed.")"
Ack.