[pacman-dev] [PATCH] pacman-key: Do not reinterpret keys from revoked keyrings

Dave Reisner dreisner at archlinux.org
Mon Jun 3 14:13:08 EDT 2013


Given a revoked keyring containing only:

  BC1FBE4D2826A0B51E47ED62E2539214C6C11350

We should only disable this specific keyid. This change enforces that the
contents of the -revoked keyring file are full fingerprints which can uniquely
identify a key.

Before:

  # pacman-key --populate archlinux
  ==> Appending keys from archlinux.gpg...
  ==> Locally signing trusted keys in keyring...
    -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
    -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
    -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
    -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
    -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
  ==> Importing owner trust values...
  ==> Disabling revoked keys in keyring...
    -> Disabling key 1390420191...
    -> Disabling key E2539214C6C11350...
    -> Disabling key 8544EA82113502DE...
  ==> Updating trust database...
  gpg: next trustdb check due at 2014-01-22

After:

  # pacman-key --populate archlinux
  ==> Appending keys from archlinux.gpg...
  ==> Locally signing trusted keys in keyring...
    -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
    -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
    -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
    -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
    -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
  ==> Importing owner trust values...
  ==> Disabling revoked keys in keyring...
    -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
  ==> Updating trust database...
  gpg: next trustdb check due at 2014-01-22

Partially addresses FS#35478. This does nothing to confirm whether or not the
key was successfully disabled -- a ridiculously simple request which appears to
be far too difficult for gpg to manage.

Signed-off-by: Dave Reisner <dreisner at archlinux.org>
---
Seriously, wtf gpg. The only indication that the key was successfully disabled
appears to come from the output that we dump to /dev/null:

  gpg: WARNING: unsafe permissions on homedir `/etc/pacman.d/gnupg'

  pub  2048R/C6C11350  created: 2012-11-30  expires: never       usage: SC
                       trust: unknown       validity: marginal
  *** This key has been disabled
  sub  2048R/113502DE  created: 2012-11-30  expires: never       usage: E
  [marginal] (1). Federico Cinelli <cinelli.federico at gmail.com>

You can try to use the key as a recipient for an encrypted message, but this
seems to only fail with INV_RECP, e.g.:

$ gpg --homedir /etc/pacman.d/gnupg --batch -aer BC1FBE4D2826A0B51E47ED62E2539214C6C11350 --status-fd=1 <<<'' 2>/dev/null
[GNUPG:] INV_RECP 0 BC1FBE4D2826A0B51E47ED62E2539214C6C11350

BUT... INV_RECP doesn't say anything about the reason the recipient is invalid.
It might be invalid because it's disabled, and it might be invalid because it
can't be found. So... blah. Suggestions welcome.

Also, just a point of clarification -- I assume that we disable keys rather
than revoke signatures out of concern that the key could be trustworthy
based on signatures other than those of the master key owners?

 scripts/pacman-key.sh.in | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 92875ef..30fba10 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -310,19 +310,12 @@ populate_keyring() {
 		done
 	fi
 
-	# Read the revoked key IDs to an array. The conversion from whatever is
-	# inside the file to key ids is important, because key ids are the only
-	# guarantee of identification for the keys.
 	local -A revoked_ids
 	for keyring in "${KEYRINGIDS[@]}"; do
-		if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
-			mapfile -t keys < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
-			while IFS=: read _ _ _ _ key_id _; do
-				if [[ -n $key_id ]]; then
-					# Mark this key to be disabled
-					revoked_ids[$key_id]="${keyring}"
-				fi
-			done < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-keys "${keys[@]}" 2>/dev/null)
+		if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then
+			while read -r key_id; do
+				revoked_ids["$key_id"]=1
+			done <"$KEYRING_IMPORT_DIR/$keyring-revoked"
 		fi
 	done
 
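Review bot: the loop at `while read -r key_id; do` accepts any line of the -revoked file as a key, so the commit message's statement that the change "enforces" full fingerprints holds only by convention, not by check. Two concrete consequences: an empty or whitespace-only line makes `revoked_ids["$key_id"]=1` fail with a bad array subscript, and a final line without a trailing newline is silently dropped because `read` returns non-zero on it. Suggest guarding the body with `[[ $key_id =~ ^[[:xdigit:]]{40}$ ]] || continue` (or at minimum `[[ -n $key_id ]] || continue`), looping with `while read -r key_id || [[ -n $key_id ]]; do`, and replacing the removed three-line comment with one sentence stating that the -revoked file must contain full fingerprints, one per line, since that requirement is now the only thing that makes the lookup unique.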
-- 
1.8.3