[pacman-dev] [PATCH] pacman-key: Do not reinterpret keys from revoked keyrings
Allan McRae
allan at archlinux.org
Tue Jun 4 00:01:31 EDT 2013
On 04/06/13 04:13, Dave Reisner wrote:
> Given a revoked keyring containing only:
>
> BC1FBE4D2826A0B51E47ED62E2539214C6C11350
>
> We should only disable this specific keyid. This change enforces that the
> contents of the -revoked keyring file are full fingerprints which can uniquely
> identify a key.
>
> Before:
>
> # pacman-key --populate archlinux
> ==> Appending keys from archlinux.gpg...
> ==> Locally signing trusted keys in keyring...
> -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
> -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
> -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
> -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
> -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
> ==> Importing owner trust values...
> ==> Disabling revoked keys in keyring...
> -> Disabling key 1390420191...
> -> Disabling key E2539214C6C11350...
> -> Disabling key 8544EA82113502DE...
> ==> Updating trust database...
> gpg: next trustdb check due at 2014-01-22
>
> After:
>
> # pacman-key --populate archlinux
> ==> Appending keys from archlinux.gpg...
> ==> Locally signing trusted keys in keyring...
> -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
> -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
> -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
> -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
> -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
> ==> Importing owner trust values...
> ==> Disabling revoked keys in keyring...
> -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
> ==> Updating trust database...
> gpg: next trustdb check due at 2014-01-22
>
> Partially addresses FS#35478. This does nothing to confirm whether or not the
> key was successfully disabled -- a ridiculously simple request which appears to
> be far too difficult for gpg to manage.
>
> Signed-off-by: Dave Reisner <dreisner at archlinux.org>
Signed-off-by: Me
-> maint
> ---
> Seriously, wtf gpg. The only indication that the key was successfully disabled
> appears to come from the output that we dump to /dev/null:
>
> gpg: WARNING: unsafe permissions on homedir `/etc/pacman.d/gnupg'
>
> pub 2048R/C6C11350 created: 2012-11-30 expires: never usage: SC
> trust: unknown validity: marginal
> *** This key has been disabled
> sub 2048R/113502DE created: 2012-11-30 expires: never usage: E
> [marginal] (1). Federico Cinelli <cinelli.federico at gmail.com>
>
> You can try to use the key as a recipient for an encrypted message, but this
> seems to only fail with INV_RECP, e.g.:
>
> $ gpg --homedir /etc/pacman.d/gnupg --batch -aer BC1FBE4D2826A0B51E47ED62E2539214C6C11350 --status-fd=1 <<<'' 2>/dev/null
> [GNUPG:] INV_RECP 0 BC1FBE4D2826A0B51E47ED62E2539214C6C11350
>
> BUT... INV_RECP doesn't say anything about the reason the recipient is invalid.
> It might be invalid because it's disabled, and it might be invalid because it
> can't be found. So... blah. Suggestions welcome.
>
> Also, just a point of clarification -- I assume that we disable keys rather
> than revoke signatures out of concern that the key could be trustworthy
> based on signatures other than those of the master key owners?
Partly. Also it is often quicker for a distro to release an updated
keyring with a key disabled than it is to get the required master key
holders to revoke it.
> scripts/pacman-key.sh.in | 15 ++++-----------
> 1 file changed, 4 insertions(+), 11 deletions(-)
>
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index 92875ef..30fba10 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -310,19 +310,12 @@ populate_keyring() {
> done
> fi
>
> - # Read the revoked key IDs to an array. The conversion from whatever is
> - # inside the file to key ids is important, because key ids are the only
> - # guarantee of identification for the keys.
> local -A revoked_ids
> for keyring in "${KEYRINGIDS[@]}"; do
> - if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
> - mapfile -t keys < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
> - while IFS=: read _ _ _ _ key_id _; do
> - if [[ -n $key_id ]]; then
> - # Mark this key to be disabled
> - revoked_ids[$key_id]="${keyring}"
> - fi
> - done < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-keys "${keys[@]}" 2>/dev/null)
> + if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then
> + while read -r key_id; do
> + revoked_ids["$key_id"]=1
> + done <"$KEYRING_IMPORT_DIR/$keyring-revoked"
> fi
> done
>
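Review bot: the `while read -r key_id` loop accepts every line of the -revoked file verbatim, so the full-fingerprint requirement stated in the commit message is not enforced by this hunk: a blank line becomes an empty `revoked_ids` key, and a comment or a short 8/16-digit key ID would be passed on to gpg unchanged, which is exactly the ambiguous lookup the patch set out to remove. Suggest validating each line before storing it, e.g. `[[ $key_id =~ ^[[:xdigit:]]{40}$ ]] || { error "$(gettext "invalid fingerprint in %s-revoked: %s")" "$keyring" "$key_id"; continue; }` (or skipping blank/`#` lines at minimum), and keeping a one-line comment in place of the three removed lines saying the file holds full fingerprints. Two smaller points: `read -r` drops a final line that lacks a trailing newline, so `while read -r key_id || [[ -n $key_id ]]` is safer; and the stored value changes from `${keyring}` to `1`, so check that nothing later in populate_keyring still expects the keyring name in `revoked_ids[...]`.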
>
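The thread is left without a way to confirm that a key really ended up disabled, since INV_RECP does not distinguish "disabled" from "not found". The following is an added example written for this page, not code from pacman-key or from either poster: it reads the machine-readable `gpg --with-colons --list-keys` listing instead, where the `pub` record's validity field 2 is `d` (older versions) or its capability field 12 carries an uppercase `D` for a disabled key, and the `fpr` record that follows `pub` holds the primary fingerprint in field 10 (layout per GnuPG's doc/DETAILS). It also shows the full-fingerprint check that the commit message describes for the -revoked file. The sample listing is constructed: the two primary fingerprints are the ones quoted in this thread, the subkey fingerprint is a placeholder, and the states, timestamps and user IDs are made up.

```bash
#!/bin/bash
# Added example, not pacman-key code. Decide from a `gpg --with-colons
# --list-keys` listing on stdin whether a fingerprint is disabled.

# key_state FINGERPRINT   (colon listing on stdin)
# Prints one of: disabled, revoked, enabled, missing. Always exits 0.
key_state() {
    local want type validity fpr caps
    local cur_validity='' cur_caps='' after_pub=0
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')

    # fields: 1 type, 2 validity, 10 fingerprint (fpr records), 12 capabilities
    while IFS=: read -r type validity _ _ _ _ _ _ _ fpr _ caps _; do
        case $type in
            pub)
                # remember the primary key's flags; its fingerprint is in the
                # fpr record that immediately follows
                after_pub=1; cur_validity=$validity; cur_caps=$caps ;;
            sub|sec|ssb)
                # subkeys get fpr records too; those must not be matched
                after_pub=0 ;;
            fpr)
                if [ "$after_pub" = 1 ] && [ "$fpr" = "$want" ]; then
                    case "$cur_validity/$cur_caps" in
                        r/*)        echo revoked ;;
                        d/*|*/*D*)  echo disabled ;;   # 'D' in field 12 is the documented marker
                        *)          echo enabled ;;
                    esac
                    return 0
                fi
                after_pub=0 ;;
        esac
    done
    echo missing
}

# key_is_disabled FINGERPRINT   (colon listing on stdin): exit 0 iff disabled.
# Real use: gpg --homedir "$dir" --with-colons --list-keys 2>/dev/null | key_is_disabled "$fpr"
key_is_disabled() {
    [ "$(key_state "$1")" = disabled ]
}

# is_fingerprint STRING: exit 0 iff STRING is a full 40-hex-digit fingerprint,
# the only form a -revoked file should contain (short IDs can collide, and a
# blank or comment line must never become a "key to disable").
is_fingerprint() {
    [ ${#1} -eq 40 ] || return 1
    case $1 in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# Constructed sample listing (not real output from any keyring): the first key
# is disabled (field 12 = scESCD) and has a subkey with a placeholder
# fingerprint; the second key is enabled.
SAMPLE_LISTING='tru::1:1370000000:1390000000:3:1:5
pub:m:2048:1:E2539214C6C11350:1354233600:::-:::scESCD::::::23::0:
fpr:::::::::BC1FBE4D2826A0B51E47ED62E2539214C6C11350:
uid:m::::1354233600::::Example Disabled <disabled@example.invalid>::::::::::0:
sub:m:2048:1:8544EA82113502DE:1354233600::::::e::::::23:
fpr:::::::::1111111111111111111111118544EA82113502DE:
pub:f:2048:1:3348882F6AC6A4C2:1354233600:::-:::scESC::::::23::0:
fpr:::::::::0E8B644079F599DFC1DDC3973348882F6AC6A4C2:
uid:f::::1354233600::::Example Enabled <enabled@example.invalid>::::::::::0:'

printf '%s\n' "$SAMPLE_LISTING" | key_state BC1FBE4D2826A0B51E47ED62E2539214C6C11350   # prints: disabled
```

Against a real keyring, replace the sample with the gpg pipeline shown in the comment above `key_is_disabled`; the fingerprint comparison is case-insensitive, and a fingerprint that only appears after a `sub` record is reported as missing on purpose, since only primary keys are disabled by name.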