[pacman-dev] [PATCH 1/3] Revert "makepkg: allow less than the full fingerprint in validpgpkeys"
This reverts commit 50296576d006d433fbfd4a6c57d5f95a942f7833.
---
 doc/PKGBUILD.5.txt | 4 +---
 scripts/makepkg.sh.in | 21 +--------------------
 2 files changed, 2 insertions(+), 23 deletions(-)

diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
index 8a43bae..74aea32 100644
--- a/doc/PKGBUILD.5.txt
+++ b/doc/PKGBUILD.5.txt
@@ -138,9 +138,7 @@ the integrity of the corresponding source file.
 trust values from the keyring. If the source file was signed with a subkey,
 makepkg will still use the primary key for comparison.
 +
-Fingerprints must be uppercase and must not contain whitespace characters. They
-must be either the full fingerprint or match at least 16 characters of the full
-fingerprint, starting from the end of the fingerprint.
+Fingerprints must be uppercase and must not contain whitespace characters.
 
 *noextract (array)*::
 An array of file names corresponding to those from the source array. Files
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 9d3ba2c..f949403 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1410,25 +1410,6 @@ parse_gpg_statusfile() {
 done < "$1"
 }
 
-is_known_valid_pgp_key() {
- local fprint subject=$1 validfprints=("${@:2}")
-
- for fprint in "${validfprints[@]}"; do
- # we always honor full fingerprint matches
- if [[ "$subject" = "$fprint" ]]; then
- return 0
- fi
-
- # we'll also honor a suffix match, assuming that the fprint is long enough
- # to be worthy.
- if (( ${#fprint} >= 16 )) && [[ $subject = *"$fprint" ]]; then
- return 0
- fi
- done
-
- return 1
-}
-
 check_pgpsigs() {
 (( SKIPPGPCHECK )) && return 0
 ! source_has_signatures && return 0
@@ -1515,7 +1496,7 @@ check_pgpsigs() {
 if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then
 printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2
 errors=1
- elif ! is_known_valid_pgp_key "$fingerprint" "${validpgpkeys[@]}"; then
+ elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then
 printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")"
 errors=1
 else
-- 
2.1.2
Rather than implementing suffix matching, which might clash, let's just print the full fingerprint of the err'ing key so that the user can copy/paste it into validpgpkeys. Also, make it clear in the manpage that validpgpkeys needs full fingerprints, and nothing else.
---
 doc/PKGBUILD.5.txt | 3 ++-
 scripts/makepkg.sh.in | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
index 74aea32..7fa91ff 100644
--- a/doc/PKGBUILD.5.txt
+++ b/doc/PKGBUILD.5.txt
@@ -138,7 +138,8 @@ the integrity of the corresponding source file.
 trust values from the keyring. If the source file was signed with a subkey,
 makepkg will still use the primary key for comparison.
 +
-Fingerprints must be uppercase and must not contain whitespace characters.
+Only full fingerprints are accepted. They must be uppercase and must not
+contain whitespace characters.
 
 *noextract (array)*::
 An array of file names corresponding to those from the source array. Files
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index f949403..9082206 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1494,10 +1494,10 @@ check_pgpsigs() {
 errors=1
 else
 if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then
- printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2
+ printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$fingerprint" >&2
 errors=1
 elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then
- printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")"
+ printf "%s (%s %s)" "$(gettext "FAILED")" "$(gettext "invalid public key")" "$fingerprint"
 errors=1
 else
 printf '%s' "$(gettext "Passed")" >&2
-- 
2.1.2
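Review bot: The rewritten "not trusted" line still passes `$(gettext "FAILED")` unquoted as the first printf argument, so a translation of that word containing whitespace is word-split and shifts `$fingerprint` out of its `%s` slot; the "invalid public key" line below it is now correctly built from `%s` placeholders but, unlike the "not trusted" and "Passed" lines in the same hunk, carries no `>&2`, so that one failure message lands on stdout. Suggest `printf "%s ($(gettext "the public key %s is not trusted"))" "$(gettext "FAILED")" "$fingerprint" >&2` and `printf "%s (%s %s)" "$(gettext "FAILED")" "$(gettext "invalid public key")" "$fingerprint" >&2`. Since the full fingerprint is printed precisely so it can be pasted into validpgpkeys, the man-page hunk could add one sentence saying the fingerprint should be checked against the key the upstream project publishes before it is pinned, otherwise the check only confirms that the same key signed the file twice. check_pgpsigs starts and ends outside this hunk.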
Interesting attributes created with 'local' or 'declare' won't be surfaced in .PKGINFO, so we shouldn't try to look for them.
---
This mirrors upstream commit: https://github.com/falconindy/pkgbuild-introspection/commit/def0dff
 scripts/makepkg.sh.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 9082206..4a3ae2e 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -2398,14 +2398,14 @@ extract_function_var() {
 local funcname=$1 attr=$2 isarray=$3 outputvar=$4 attr_regex= decl= r=1
 
 if (( isarray )); then
- printf -v attr_regex '^[[:space:]]*(declare( -[[:alpha:]])*)? %q\+?=\(' "$2"
+ printf -v attr_regex '^[[:space:]]* %s\+?=\(' "$2"
 else
- printf -v attr_regex '^[[:space:]]*(declare( -[[:alpha:]])*)? %q\+?=[^(]' "$2"
+ printf -v attr_regex '^[[:space:]]* %s\+?=[^(]' "$2"
 fi
 
 while read -r; do
 # strip leading whitespace and any usage of declare
- decl=${REPLY##*([[:space:]])?(declare +(-+([[:alpha:]]) ))}
+ decl=${REPLY##*([[:space:]])}
 
 eval "${decl/#$attr/$outputvar}"
 # entering this loop at all means we found a match, so notify the caller.
-- 
2.1.2
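Review bot: The comment directly above the new `decl=` line still reads `# strip leading whitespace and any usage of declare`, but the rewritten expansion only strips leading whitespace, so the comment is now stale; change it to `# strip leading whitespace`. The switch from `%q` to `%s` also means the attribute name in `$2` is inserted into `attr_regex` unescaped, which is fine while callers pass fixed attribute identifiers but would silently change the match for a name containing regex metacharacters; a one-line comment on the `printf -v attr_regex` lines, e.g. `# $2 is a fixed attribute name chosen by makepkg, not PKGBUILD-controlled input, so no regex escaping is needed`, would record that assumption. The `*([[:space:]])` pattern relies on extglob being enabled, which is presumably done earlier in the script, outside this hunk. extract_function_var's body continues past the end of the hunk.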
Dave Reisner