[pacman-dev] [PATCH 5/5] pacman-key: rework and document holding keys in keyring

Dan McGee dpmcgee at gmail.com
Tue Aug 23 02:30:10 EDT 2011


On Tue, Aug 23, 2011 at 1:17 AM, Allan McRae <allan at archlinux.org> wrote:
> The HoldKey option was undocumented and was not suited for pacman.conf.
> Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list
> of keys not to be removed from the pacman keyring with the --populate
> option.
>
> Signed-off-by: Allan McRae <allan at archlinux.org>
> ---

We have 'heldkeys' and 'HOLD_KEYS' here- perhaps we should pick one
tense and word-splitting combo? I'd prefer holdkeys/HOLDKEYS, only
because the tense of 'heldkeys' seems different than anything else we
do to me.

Otherwise this looks pretty good. Is it worth providing an example in
pacman-key documentation of a valid format for the held and revoked
lists?

>  doc/pacman-key.8.txt     |    8 ++++++--
>  scripts/pacman-key.sh.in |   12 +++++-------
>  2 files changed, 11 insertions(+), 9 deletions(-)
>
> diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
> index ff8d38d..077b3ba 100644
> --- a/doc/pacman-key.8.txt
> +++ b/doc/pacman-key.8.txt
> @@ -101,12 +101,16 @@ A distribution or other repository provided may want to provide a set of valid
>  PGP keys used in the signing of its packages and repository databases that can
>  be readily imported into the pacman keyring.  This is achieved by providing a
>  PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
> -directory +{pkgdatadir}/keyrings+.  Optionally the file `foo-revoked` can be
> +directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
>  provided containing a list of revoked key IDs for that keyring. These files are
>  required to be signed (detached) by a trusted PGP key that the user must
> -manually import to the pacman keyring.  This prevents a potentially malicious
> +manually import to the pacman keyring. This prevents a potentially malicious
>  repository adding keys to the pacman keyring without the users knowledge.
>
> +A key being marked as revoked always takes priority over the key being added to
> +the pacman keyring, regardless of the keyring it is provided in. To prevent a
> +key from being revoked when using --populate, its ID can be listed in
> ++{sysconfdir}/pacman.d/gnupg/heldkeys+.
>
>  See Also
>  --------
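Review bot: the new paragraph's "To prevent a key from being revoked when using --populate" does not match what the script change does: an ID listed in heldkeys is only dropped from the set of keys to be removed (the commit message itself says "not to be removed"); nothing here stops a key from being marked revoked. Suggest "To prevent a key from being removed from the keyring when using --populate". Since the paragraph now names the file, it should also state its format, which from the `while read key` loop in the script is one key ID per line; the same sentence could cover `foo-revoked`, whose format the existing text above still leaves unstated.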
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index 6d07482..da12a1e 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -232,17 +232,15 @@ populate_keyring() {
>                fi
>        done
>
> -       # List of keys that must be kept installed, even if in the list of keys to be removed
> -       local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")"
> -
> -       # Remove the keys that must be kept from the set of keys that should be removed
> -       if [[ -n ${HOLD_KEYS} ]]; then
> -               for key in ${HOLD_KEYS}; do
> +       # Read list of keys that must be kept installed and remove them from the list
> +       # of keys to be removed
> +       if [[ -f "${PACMAN_KEYRING_DIR}/heldkeys" ]]; then
> +               while read key; do
>                        key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
>                        if [[ -n "${removed_ids[$key_id]}" ]]; then
>                                unset removed_ids[$key_id]
>                        fi
> -               done
> +               done < "${PACMAN_KEYRING_DIR}/heldkeys"
>        fi
>
>        # Remove the keys not marked to keep
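Review bot: `while read key; do` should be `while read -r key; do`, and the loop body should skip empty lines (e.g. `[[ -z $key ]] && continue`) before calling gpg. A blank or trailing empty line in heldkeys makes `${key}` empty, and `--list-key ""` then lists every key in the keyring, so `key_id` becomes a multi-line string instead of a single ID and the `removed_ids[$key_id]` lookup quietly matches nothing. The old `for key in ${HOLD_KEYS}` loop could never produce an empty key, so this is an edge case newly introduced by reading from a file. Consider also whether lines starting with `#` should be allowed, since the documentation hunk points users at this file directly.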
> --
> 1.7.6

