[pacman-dev] [PATCH] pacman-key: ignores keys already lsigned during populate
WORK IN PROGRESS. I'm only emailing this patch to get some feedback.

I added a function that checks whether a key being imported has already been signed, and if it has been, skips lsigning it.

I'm not 100% sure this line is entirely necessary:

    if (( LSIGNKEY || POPULATE )); then

I wanted to ensure that there -was- a signing key to check against. It might be a superfluous check, but I couldn't find where --populate implies having run --init. I may've missed it.

Otherwise, just looking for feedback before I move on to step 2, which is not disabling already disabled keys. Let me know if there are any glaring errors you see, or if there is a more elegant way of doing what I did.

Signed-off-by: Matthew Sexton <wsdmatty@gmail.com>
---
 scripts/pacman-key.sh.in | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 3627a805..796375a5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -247,7 +247,7 @@ check_keyring() { fi fi - if (( LSIGNKEY )); then + if (( LSIGNKEY || POPULATE )); then if [[ $(secret_keys_available) -lt 1 ]]; then error "$(gettext "There is no secret key available to sign with.")" msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init" @@ -447,6 +447,25 @@ list_sigs() { exit 1 fi } +lsigned_already() { + # Determines whether a key has already been signed locally by getting the + # local pacman secret key and comparing it against signatures on the key + # returns 1 if key is not signed, 0 if signed + secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | head -n1 | awk -F : '{print $5}') + NEEDS_SIGNED=1 + while read line; do + while IFS=: read -r _ valid _ _ signkey _; do + if [ "$valid" != "!" ]; then + continue + fi + if [[ "$signkey" == "$secret_key" ]]; then + NEEDS_SIGNED=0 + break + fi + done + done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1") + +} lsign_keys() { check_keyids_exist 
@@ -454,6 +473,10 @@ lsign_keys() { local ret=0 local key_count=0 for key_id in "$@"; do + lsigned_already "$key_id" + if [[ "$NEEDS_SIGNED" == 0 ]]; then + continue + fi if (( VERBOSE )); then msg2 "$(gettext "Locally signing key %s...")" "${key_id}" fi @@ -469,7 +492,9 @@ lsign_keys() { if (( ret )); then exit 1 fi + if (( key_count )); then msg2 "$(gettext "Locally signed %s keys.")" "${key_count}" + fi } receive_keys() { -- 2.23.0
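Review bot: the widened `if (( LSIGNKEY || POPULATE )); then` in the check_keyring hunk is not superfluous: the new lsigned_already helper reads the keyring's first secret key with `--list-secret-key | head -n1` and compares signatures against it, so with no secret key the comparison can never match, every key looks unsigned, and a populate run would go on to an lsign that cannot succeed. Failing early with the existing "There is no secret key available to sign with." message is the right outcome; add a one-line comment above the condition saying that --populate locally signs keys and therefore needs the key created by --init, so the next reader does not have to rediscover what the commit message asks.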
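Review bot: lsigned_already (the hunk after list_sigs) never checks the record type, only field 2, so every record whose validity field is `!` is compared: a `rev` record (a revoked certification by the pacman key) would count as a signature, and the key's own ID sits in the same field 5 of the `pub` record. Match `sig` in the first field, e.g. `while IFS=: read -r type valid _ _ signkey _; do` followed by `[[ $type == sig && $valid == '!' ]] || continue`. The outer `while read line` loop is dead weight: the inner read consumes the whole process substitution on the first pass, so the outer loop body runs once and `break` only leaves the inner loop; collapse them into a single loop. `head -n1` assumes the `sec:` record is the first line of the secret-key listing; select it by type instead (`awk -F: '$1 == "sec" {print $5; exit}'`). The header comment promises "returns 1 if key is not signed, 0 if signed" but the function only sets the global NEEDS_SIGNED; either return that status (`return $NEEDS_SIGNED`) or correct the comment, and declare `secret_key` local. Minor: the script uses `[[ ]]` elsewhere, and the documented spelling of the option is `--list-secret-keys`.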
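Review bot: in the lsign_keys loop, `continue` runs before the VERBOSE message, so keys skipped because they are already signed produce no output even with -v, and together with the `if (( key_count ))` guard in the last hunk a run in which every key was already signed prints nothing at all; emit a msg2 such as "Key %s is already locally signed, skipping." under VERBOSE in the skip branch. Comparing a global with `[[ "$NEEDS_SIGNED" == 0 ]]` is also a string comparison on a side channel; if lsigned_already returned an exit status the test becomes `if lsigned_already "$key_id"; then continue; fi`.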
On Monday, November 4, 2019 12:08:15 PM EST you wrote:
> +lsigned_already() {
> +	# Determines whether a key has already been signed locally by getting the
> +	# local pacman secret key and comparing it against signatures on the key
> +	# returns 1 if key is not signed, 0 if signed

I edited this, but forgot to save it before making the patch. This function returns nothing. It changes a variable NEEDS_SIGNED.
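As an added example (not code from the patch or from pacman-key itself), here is the "already locally signed?" test with the gpg parsing separated from the gpg invocation, so the parsing can be run against constructed `--with-colons` output without a keyring. It selects the `sec:` record by type instead of taking the first line, counts only `sig:` records with validity `!`, and reports the result as an exit status rather than through a global. It goes slightly beyond the patch by handling a revoked certification (`rev:` record) from the master key. The `GPG_PACMAN` array and the `lsigned_already` name follow the script's conventions; the sample listings and every key ID in them are made up for the example.

```bash
#!/bin/bash
# Added example, not code from the pacman-key patch or from pacman-key.
# The "already locally signed?" test is split into parsers that read gpg
# --with-colons output from stdin plus a thin wrapper that runs gpg.
# Colon-format fields used (gpg doc/DETAILS):
#   1 = record type (sec, pub, uid, sig, rev, ...)
#   2 = validity; for sig/rev records '!' means the signature verified
#   5 = long key ID (the key's own for sec/pub, the signer's for sig/rev)

# Print the long key ID of the first sec: record in a
# `gpg --with-colons --list-secret-keys` listing read from stdin.
# Selecting by record type means a leading tru: line cannot be mistaken
# for the key. Exit status 1 if the listing has no secret key.
first_secret_keyid() {
    local type keyid
    while IFS=: read -r type _ _ _ keyid _; do
        if [[ $type == sec && -n $keyid ]]; then
            printf '%s\n' "$keyid"
            return 0
        fi
    done
    return 1
}

# Read `gpg --with-colons --check-signatures <key>` output from stdin and
# exit 0 if the key carries a good (validity '!') sig: record made by key
# ID $1, else 1. Only sig: records count: pub:/sub: records carry the key's
# own ID in field 5, and a rev: record is a revoked certification, which
# gpg also marks '!' when it verifies.
has_good_sig_by() {
    local signer=$1 type valid keyid
    while IFS=: read -r type valid _ _ keyid _; do
        [[ $type == sig && $valid == '!' ]] || continue
        if [[ $keyid == "$signer" ]]; then
            return 0
        fi
    done
    return 1
}

# Wrapper for real use. Assumes (as pacman-key does) that GPG_PACMAN is an
# array holding the gpg command and keyring options, e.g.
# GPG_PACMAN=(gpg --homedir /etc/pacman.d/gnupg --no-permission-warning).
# Exit 0 if key $1 is already locally signed by the keyring's secret key.
lsigned_already() {
    local key_id=$1 secret_key
    secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-keys 2>/dev/null \
        | first_secret_keyid) || return 1   # no secret key, nothing can match
    "${GPG_PACMAN[@]}" --with-colons --check-signatures "$key_id" 2>/dev/null \
        | has_good_sig_by "$secret_key"
}

# Constructed sample listings with made-up key IDs, so the parsers can be
# run here without gpg.
SAMPLE_SECRET_LISTING='tru::1:1573000000:0:3:1:5
sec:u:2048:1:ABCDEF0123456789:1573000000::::::scESC:::+:::23::0:
fpr:::::::::0000000000000000ABCDEF0123456789:
uid:u::::1573000000::AABBCC::Pacman Keyring Master Key <pacman@localhost>::::::::::0:
ssb:u:2048:1:1111222233334444:1573000000::::::e:::+:::23:'

# Packager key carrying its self-signature plus a local (class 13l)
# certification from the master key above.
SAMPLE_ALREADY_LSIGNED='pub:f:4096:1:FEDCBA9876543210:1500000000:::-:::scESC::::::23::0:
uid:f::::1500000000::112233::Some Packager <packager@example.org>::::::::::0:
sig:!::1:FEDCBA9876543210:1500000000::::Some Packager <packager@example.org>:13x::0000000000000000FEDCBA9876543210:::8:
sig:!::1:ABCDEF0123456789:1573000000::::Pacman Keyring Master Key <pacman@localhost>:13l::0000000000000000ABCDEF0123456789:::8:'

# Same key before lsigning: self-signature plus a certification from a key
# that is not in the keyring (validity '?').
SAMPLE_NOT_LSIGNED='pub:f:4096:1:FEDCBA9876543210:1500000000:::-:::scESC::::::23::0:
uid:f::::1500000000::112233::Some Packager <packager@example.org>::::::::::0:
sig:!::1:FEDCBA9876543210:1500000000::::Some Packager <packager@example.org>:13x::0000000000000000FEDCBA9876543210:::8:
sig:?::1:5555666677778888:1510000000::::[User ID not found]:10x::::::8:'

# Edge case: the master key revoked its certification; the rev: record
# verifies ('!') but must not count as a signature.
SAMPLE_REVOKED_CERT='pub:f:4096:1:FEDCBA9876543210:1500000000:::-:::scESC::::::23::0:
uid:f::::1500000000::112233::Some Packager <packager@example.org>::::::::::0:
sig:!::1:FEDCBA9876543210:1500000000::::Some Packager <packager@example.org>:13x::0000000000000000FEDCBA9876543210:::8:
rev:!::1:ABCDEF0123456789:1580000000::::Pacman Keyring Master Key <pacman@localhost>:30x::0000000000000000ABCDEF0123456789:::8:'

# Apply the check to one sample listing using the sample secret key;
# prints "lsigned" or "not lsigned".
check_sample() {
    local sample=$1 secret
    secret=$(printf '%s\n' "$SAMPLE_SECRET_LISTING" | first_secret_keyid) || return 2
    if printf '%s\n' "$sample" | has_good_sig_by "$secret"; then
        echo lsigned
    else
        echo "not lsigned"
    fi
}

for name in SAMPLE_ALREADY_LSIGNED SAMPLE_NOT_LSIGNED SAMPLE_REVOKED_CERT; do
    printf '%s: %s\n' "$name" "$(check_sample "${!name}")"
done
```

Only stdout is piped into the parsers, so gpg's warnings on stderr cannot leak into the comparison; the `2>/dev/null` in the wrapper merely keeps a populate run quiet. With the result as an exit status, the caller in lsign_keys becomes `if lsigned_already "$key_id"; then continue; fi` and no global is needed.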