[pacman-dev] [PATCH] pacman-key: Add --import and --import-trustdb

Allan McRae allan at archlinux.org
Sat Jul 16 09:30:51 EDT 2011


On 10/07/11 14:10, Pang Yan Han wrote:
>
> The issue I mentioned is with regards to pacman -U and pacman-key --import.
> I edited the patch so that it'll work with the new pacman-key code, and
> the same thing happens.
>
> Basically, I tried installing 2 packages signed by 2 different keys.
> They are "ack-1.94-2-any.pkg.tar.xz" and "archlinux-wallpaper-1.3-2-any.pkg.tar.xz".
> Their respective .sig files (detached signatures) are in the same directories.
>
> So I did:
>
> [root at localhost ~] # pacman-key --init
> gpg: /usr/local/etc/pacman.d/gnupg/trustdb.gpg: trustdb created
> gpg: no ultimately trusted keys found
>
> [root at localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
> error: 'ack-1.94-2-any.pkg.tar.xz': Invalid or corrupted package (PGP
> signature)
>
> [root at localhost ~] # pacman --import .gnupg/
> gpg: inserting ownertrust of 6
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> [root at localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
> Works now with pacman, but I didn't install anything.
>
> Then, I proceeded to import the trustdb with the key for the archlinux
> wallpaper package.
>
> [root at localhost ~] # pacman-key --import /home/yh/.gnupg/
> gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
> gpg: inserting ownertrust of 6
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> [root at localhost ~] # pacman -U archlinux-wallpaper-1.3-2-any.pkg.tar.xz
> Works now
>
> But then the one for ack fails:
> [root at localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
> error: 'ack-1.94-2-any.pkg.tar.xz': invalid or corrupted package (PGP
> signature)
>


This is because of how --import-ownertrust works:

--import-ownertrust
        Update the trustdb with the ownertrust values  stored  in  files
        (or  STDIN  if  not given); existing values will be overwritten.

That last bit is the key to the issue!  So we need to be smarter in this 
bit here....

+import_trustdb() {
+	local importdir
+	for importdir in "${IMPORT_DIRS[@]}"; do
+		if [[ -f "${importdir}/trustdb.gpg" ]]; then
+			gpg --homedir "${importdir}" --export-ownertrust | ${GPG_PACMAN} 
--import-ownertrust
+		fi
+	done
+}
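Review bot: the loop body `gpg --homedir "${importdir}" --export-ownertrust | ${GPG_PACMAN} --import-ownertrust` performs one import per directory, and because --import-ownertrust overwrites existing values, only the last entry of IMPORT_DIRS leaves its ownertrust in the pacman trustdb when several directories are given; collect the exports first (one file, or one file per directory in a temp dir) and import once. The pipeline also discards the exit status of the export side, so a failing `gpg --export-ownertrust` goes unnoticed.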


Only that last trustdb will end up being imported.   I think that doing 
something like this instead:

tmpfile=$(mktemp)
# start from the ownertrust already in the pacman keyring so it survives the import
${GPG_PACMAN} --export-ownertrust > "$tmpfile"
for importdir in "${IMPORT_DIRS[@]}"; do
	if [[ -f "${importdir}/trustdb.gpg" ]]; then
		gpg --homedir "${importdir}" --export-ownertrust >> "$tmpfile"
	fi
done
# one import for everything, so later directories cannot clobber earlier ones
${GPG_PACMAN} --import-ownertrust "$tmpfile"
rm -f "$tmpfile"

should work...  but I have not tested.  If appending the trustdbs 
together does not work, then create a temporary folder instead and store 
them all in individual files and pass --import-ownertrust multiple files.
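As an added example (not Allan's sketch above and not pacman-key's own code) of the collect-then-import-once approach: merge_ownertrust folds any number of `gpg --export-ownertrust` dumps into a single list, one line per fingerprint with the last value winning, and import_trustdb feeds that merged list to the pacman keyring in one call. It assumes GPG_PACMAN is set the way pacman-key sets it and that the import directories are passed as arguments; the fingerprints in the comments are constructed placeholders.

```shell
# merge_ownertrust [FILE...]: read ownertrust dumps (files, or stdin when no
# argument is given) and print one "FINGERPRINT:TRUST:" line per fingerprint.
# A later line for the same fingerprint overwrites an earlier one, matching
# what --import-ownertrust does with duplicates, so the result is the same
# as importing the dumps in that order.
merge_ownertrust() {
	cat "$@" | awk -F: '
		/^#/ || NF < 2 { next }                  # skip gpg comment and blank lines
		{
			if (!($1 in trust)) order[++n] = $1   # remember first-seen order
			trust[$1] = $2                        # later values overwrite earlier
		}
		END {
			for (i = 1; i <= n; i++)
				printf "%s:%s:\n", order[i], trust[order[i]]
		}'
}

# import_trustdb DIR...: export the ownertrust of every DIR that holds a
# trustdb.gpg, merge it with what the pacman keyring already has, and import
# the merged list in ONE --import-ownertrust call, so no directory's values
# are overwritten by the next one. GPG_PACMAN is assumed to be set as in
# pacman-key (gpg pointed at the pacman homedir).
import_trustdb() {
	tmp=$(mktemp) || return 1
	{
		${GPG_PACMAN} --export-ownertrust           # current pacman values first
		for dir in "$@"; do
			[ -f "$dir/trustdb.gpg" ] && gpg --homedir "$dir" --export-ownertrust
		done
	} | merge_ownertrust > "$tmp"
	${GPG_PACMAN} --import-ownertrust "$tmp"
	rc=$?
	rm -f "$tmp"
	return $rc
}
```

Running merge_ownertrust on a dump containing "AAAA1111:6:" followed by one containing "AAAA1111:4:" and "BBBB2222:6:" yields "AAAA1111:4:" and "BBBB2222:6:", i.e. both keys are kept and the duplicate takes the later value.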

Hopefully that fixes this and we can merge this patch.

Cheers,
Allan
