[pacman-dev] [PATCH 0/8] [RFC] Signature checking overhaul

Allan McRae allan at archlinux.org
Fri Nov 2 11:28:14 EDT 2012


The main change here is that pacman will now check the needed keys are in the
keyring before doing package validation.  Example output:

:: Retrieving packages ...
 systemd-sysvcompat-...     5.4 KiB   671K/s 00:00 [######################] 100%
(1/1) checking keys in keyring                     [######################] 100%
:: Import PGP key 2048R/F56C0C53, "Dave Reisner <d at falconindy.com>", created: 2011-06-26? [Y/n] 
(1/1) checking package integrity                   [######################] 100%
(1/1) loading package files                        [######################] 100%

This removed the repeat validation after key downloading and made the following
much easier to implement:
1) packages with bad signatures get the "pkg is corrupt, delete?" type message
2) pacman -U now downloads a signature if needed.

These patches need a very good review...

Allan McRae (8):
  Make key_in_keychain available in library
  Move key importing into separate function
  Add function to extract key id from signatures
  Make decode_signature available to the library
  Check keys are in keyring before package validation
  Remove retry path from signature validation
  Prompt to delete packages with signature fails
  Import key if needed when installing package from file

 lib/libalpm/alpm.h       |   9 ++-
 lib/libalpm/be_package.c |  40 ++++++++++
 lib/libalpm/signing.c    | 197 ++++++++++++++++++++++++++++++++++++++---------
 lib/libalpm/signing.h    |   7 ++
 lib/libalpm/sync.c       |  87 ++++++++++++++++++---
 src/pacman/callback.c    |   9 +++
 6 files changed, 300 insertions(+), 49 deletions(-)

-- 
1.8.0
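
Patch 3 of the series adds a function to extract the key ID from a signature, which is what lets the keyring check run before package validation. The sketch below is an added illustration, not the libalpm code from these patches: it reads the Issuer subpacket of a binary OpenPGP v4 signature packet as laid out in RFC 4880, handles only old-format packet headers, and its function names and sample bytes are constructed for the example.

```c
#include <stdio.h>
/* Scan one subpacket area for an Issuer subpacket (type 16, 8-byte key ID). */
static const unsigned char *find_issuer(const unsigned char *p, size_t len)
{
    size_t pos = 0, slen;
    while (pos < len) {
        slen = p[pos++];
        if (slen >= 192) {                 /* two-octet length; five-octet rejected */
            if (slen == 255 || pos >= len) return NULL;
            slen = ((slen - 192) << 8) + p[pos++] + 192;
        }
        if (slen == 0 || slen > len - pos) return NULL;   /* malformed or truncated */
        if ((p[pos] & 0x7f) == 16 && slen == 9) return p + pos + 1;
        pos += slen;                       /* length counts the type octet */
    }
    return NULL;
}

/* Return a pointer to the 8-byte issuer key ID inside sig, or NULL if absent or
 * malformed. Narrowed for the example: old-format tag 2 headers, v4 only. */
const unsigned char *issuer_keyid(const unsigned char *sig, size_t len)
{
    const unsigned char *b, *id;
    size_t pos = 2, blen, hlen, ulen;
    if (len < 3 || (sig[0] & 0xc0) != 0x80 || ((sig[0] >> 2) & 0x0f) != 2) return NULL;
    blen = sig[1];
    if ((sig[0] & 3) == 1) blen = (blen << 8) | sig[pos++];   /* two-octet length */
    else if ((sig[0] & 3) != 0) return NULL;
    if (blen < 8 || blen > len - pos) return NULL;            /* truncated packet */
    b = sig + pos;
    if (b[0] != 4) return NULL;            /* only v4 signatures handled */
    hlen = ((size_t)b[4] << 8) | b[5];     /* hashed subpacket area length */
    if (hlen > blen - 8) return NULL;
    ulen = ((size_t)b[6 + hlen] << 8) | b[7 + hlen];   /* unhashed area length */
    if (ulen > blen - 8 - hlen) return NULL;
    id = find_issuer(b + 6, hlen);
    return id ? id : find_issuer(b + 8 + hlen, ulen);
}

/* Constructed sample: creation-time and issuer subpackets, dummy hash bits and MPI. */
static const unsigned char sample_sig[] = { 0x88, 0x1d, 0x04, 0x00, 0x01, 0x08,
    0x00, 0x06, 0x05, 0x02, 0x50, 0x93, 0xe7, 0x2e, 0x00, 0x0a, 0x09, 0x10,
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x12, 0x34, 0x00, 0x01, 0x01 };
int main(void)
{
    const unsigned char *id = issuer_keyid(sample_sig, sizeof sample_sig);
    for (int i = 0; id && i < 8; i++) printf("%02X", id[i]);
    putchar('\n');
    return id ? 0 : 1;
}
```

The key ID found this way is only a lookup hint for the keyring check: the unhashed subpacket area is not covered by the signature, so trust still comes from verifying the signature against the key that was found.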


