[pacman-dev] [PATCH] pacman-key: Remove useless signature verification in --populate command

Pierre Schmitz pierre at archlinux.de
Sun Mar 4 07:25:56 EST 2012


Verifing the keyring at this point is useless as a malicious package is already
installed and as such has several options to bypass this check anyway.

Signed-off-by: Pierre Schmitz <pierre at archlinux.de>
---
 doc/pacman-key.8.txt     |    5 -----
 scripts/pacman-key.sh.in |   39 ---------------------------------------
 2 files changed, 44 deletions(-)

diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index 1582a3c..3631ec8 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -129,11 +129,6 @@ any signing", so should be used with prudence. A key being marked as revoked
 will be disabled in the keyring and no longer treated as valid, so this always
 takes priority over it's trusted state in any other keyring.
 
-All files are required to be signed (detached) by a trusted PGP key that the
-user must manually import to the pacman keyring. This prevents a potentially
-malicious repository adding keys to the pacman keyring without the users
-knowledge.
-
 
 See Also
 --------
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index c393370..482b56d 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -214,43 +214,6 @@ check_keyring() {
 	fi
 }
 
-validate_with_gpg() {
-	msg2 "$(gettext "Verifying %s...")" "$1"
-	if [[ ! -f "$1.sig" ]]; then
-		error "$(gettext "File %s is unsigned, cannot continue.")" "$1"
-		return 1
-	elif ! "${GPG_PACMAN[@]}" --verify "$1.sig"; then
-		error "$(gettext "The signature of file %s is not valid.")" "$1"
-		return 1
-	fi
-	return 0
-}
-
-verify_keyring_input() {
-	local ret=0;
-	local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
-
-	# Verify signatures of keyring files and trusted/revoked files if they exist
-	msg "$(gettext "Verifying keyring file signatures...")"
-	local keyring keyfile
-	for keyring in "${KEYRINGIDS[@]}"; do
-		keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
-		validate_with_gpg "${keyfile}" || ret=1
-
-		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
-		if [[ -f "${keyfile}" ]]; then
-			validate_with_gpg "${keyfile}" || ret=1
-		fi
-
-		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
-		if [[ -f "${keyfile}" ]]; then
-			validate_with_gpg "${keyfile}" || ret=1
-		fi
-	done
-
-	return $ret
-}
-
 populate_keyring() {
 	local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
 
@@ -281,8 +244,6 @@ populate_keyring() {
 		exit 1
 	fi
 
-	verify_keyring_input || exit 1
-
 	# Variable used for iterating on keyrings
 	local keys key_id
 
-- 
1.7.9.2


More information about the pacman-dev mailing list