[pacman-dev] [PATCH 5/5] pacman-key: rework and document holding keys in keyring
Allan McRae
allan at archlinux.org
Tue Aug 23 02:17:46 EDT 2011
The HoldKey option was undocumented and was not suited for pacman.conf.
Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list
of keys not to be removed from the pacman keyring with the --populate
option.
Signed-off-by: Allan McRae <allan at archlinux.org>
---
doc/pacman-key.8.txt | 8 ++++++--
scripts/pacman-key.sh.in | 12 +++++-------
2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index ff8d38d..077b3ba 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -101,12 +101,16 @@ A distribution or other repository provided may want to provide a set of valid
PGP keys used in the signing of its packages and repository databases that can
be readily imported into the pacman keyring. This is achieved by providing a
PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
-directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
+directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
provided containing a list of revoked key IDs for that keyring. These files are
required to be signed (detached) by a trusted PGP key that the user must
-manually import to the pacman keyring. This prevents a potentially malicious
+manually import to the pacman keyring. This prevents a potentially malicious
repository adding keys to the pacman keyring without the users knowledge.
+A key being marked as revoked always takes priority over the key being added to
+the pacman keyring, regardless of the keyring it is provided in. To prevent a
+key from being revoked when using --populate, its ID can be listed in
++{sysconfdir}/pacman.d/gnupg/heldkeys+.
See Also
--------
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 6d07482..da12a1e 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -232,17 +232,15 @@ populate_keyring() {
fi
done
- # List of keys that must be kept installed, even if in the list of keys to be removed
- local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")"
-
- # Remove the keys that must be kept from the set of keys that should be removed
- if [[ -n ${HOLD_KEYS} ]]; then
- for key in ${HOLD_KEYS}; do
+ # Read list of keys that must be kept installed and remove them from the list
+ # of keys to be removed
+ if [[ -f "${PACMAN_KEYRING_DIR}/heldkeys" ]]; then
+ while read key; do
key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
if [[ -n "${removed_ids[$key_id]}" ]]; then
unset removed_ids[$key_id]
fi
- done
+ done < "${PACMAN_KEYRING_DIR}/heldkeys"
fi
# Remove the keys not marked to keep
--
1.7.6
More information about the pacman-dev
mailing list