[pacman-dev] [PATCH 0/8] [RFC] Signature checking overhaul
Allan McRae
allan at archlinux.org
Fri Nov 2 11:28:14 EDT 2012
The main change here is that pacman will now check the needed keys are in the
keyring before doing package validation. Example output:
:: Retrieving packages ...
systemd-sysvcompat-... 5.4 KiB 671K/s 00:00 [######################] 100%
(1/1) checking keys in keyring [######################] 100%
:: Import PGP key 2048R/F56C0C53, "Dave Reisner <d at falconindy.com>", created: 2011-06-26? [Y/n]
(1/1) checking package integrity [######################] 100%
(1/1) loading package files [######################] 100%
This removed the repeat validation after key downloading and made the following
much easier to implement:
1) packages with bad signatures get the "pkg is corrupt, delete?" type message
2) pacman -U now downloads a signature if needed.
These patches need a very good review...
Allan McRae (8):
Make key_in_keychain available in library
Move key importing into separate function
Add function to extract key id from signatures
Make decode_signature available to the library
Check keys are in keyring before package validation
Remove retry path from signature validation
Prompt to delete packages with signature fails
Import key if needed when installing package from file
lib/libalpm/alpm.h | 9 ++-
lib/libalpm/be_package.c | 40 ++++++++++
lib/libalpm/signing.c | 197 ++++++++++++++++++++++++++++++++++++++---------
lib/libalpm/signing.h | 7 ++
lib/libalpm/sync.c | 87 ++++++++++++++++++---
src/pacman/callback.c | 9 +++
6 files changed, 300 insertions(+), 49 deletions(-)
--
1.8.0
More information about the pacman-dev
mailing list