[pacman-dev] [PATCH] pacman-key: stricter parsing for -verify
Allan McRae
allan at archlinux.org
Sat Aug 9 02:36:42 EDT 2014
Prevents trust being spoofed by using TRUST_FULLY in the signatory's name
or in an added notation.
Fixes FS#41147.
Signed-off-by: Allan McRae <allan at archlinux.org>
---
scripts/pacman-key.sh.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 82340f9..ba8d02e 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -482,7 +482,7 @@ verify_sig() {
local ret=0
for sig; do
msg "Checking %s ..." "$sig"
- if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
+ if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$'; then
error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
ret=1
fi
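Review bot: the trailing `$` in the new `grep -qE` pattern requires the status line to end immediately after `TRUST_FULLY` or `TRUST_ULTIMATE`, so if gpg prints anything after the keyword on that line, a valid signature would be rejected. The spoofing fix comes from the `^\[GNUPG:\] ` prefix, which already stops a match inside a signatory name or notation. Consider ending the pattern with `( |$)` instead of `$`, so the keyword must still be a whole token but trailing fields are tolerated. A short comment above the `if` explaining why the match is anchored to the status prefix would also help keep the pattern from being loosened again later.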
--
2.0.4