[pacman-dev] [PATCH 3/3] makepkg: Introduce validpgpkeys array

Dave Reisner d at falconindy.com
Sat Mar 8 12:20:08 EST 2014


On Sat, Mar 08, 2014 at 05:40:17PM +0100, Thomas Bächler wrote:
> If validpgpkeys is set in the PKGBUILD, signature checking fails if
> the fingerprint of the key used to create the signature is not listed
> in the array.
> 
> The key's trust value is ignored.
> ---
>  doc/PKGBUILD.5.txt    |  7 +++++++
>  scripts/makepkg.sh.in | 16 ++++++++++++++--
>  2 files changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
> index 50d8347..7a1e924 100644
> --- a/doc/PKGBUILD.5.txt
> +++ b/doc/PKGBUILD.5.txt
> @@ -128,6 +128,13 @@ Files in the source array with extensions `.sig`, `.sign` or, `.asc` are
>  recognized by makepkg as PGP signatures and will be automatically used to verify
>  the integrity of the corresponding source file.
>  
> +*validpgpkeys (array)*::
> +	An array of PGP fingerprints. If this array is non-empty, makepkg will
> +	only accept signatures from the keys listed here and will ignore the
> +	trust values from the keyring.
> ++
> +Fingerprints must be uppercase and must not contain whitespace characters.
> +
>  *noextract (array)*::
>  	An array of file names corresponding to those from the source array. Files
>  	listed here will not be extracted with the rest of the source files. This
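Review bot: the new *validpgpkeys* paragraph says fingerprints must be uppercase with no whitespace but not which fingerprint or how long: the matching code in the next file takes the single field gpg reports after VALIDSIG and compares it with in_array for an exact match, so an abbreviated key ID, or a fingerprint of a key other than the one gpg names, will never match. Suggest stating that the full fingerprint of the key that produced the signature, exactly as gpg's VALIDSIG status line reports it, must be listed. It is also worth saying that a non-empty array only bypasses the keyring trust check; a revoked key is still rejected, since the REVKEYSIG branch stays ahead of the new check.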
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 015bdd7..6eb6d11 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1244,6 +1244,15 @@ check_checksums() {
>  	fi
>  }
>  
> +is_valid_pgpkey() {
> +	local pubkey
> +
> +	pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG ([A-Z0-9]*) .*/\1/p;')

I think you just want:

  pubkey=$(sed -n '/VALIDSIG/ s/.* VALIDSIG \([[:alnum:]]*\) .*/\1/p' "$statusfile")

sed's -r flag isn't portable.

> +	echo "$pubkey"

Don't you only want to echo this if the check that follows succeeds?

> +	in_array "$pubkey" ${validpgpkeys[@]}

The array needs quoting.

> +	return $?

Wholly redundant for this function in its current form.

> +}
> +
>  check_pgpsigs() {
>  	(( SKIPPGPCHECK )) && return 0
>  	! source_has_signatures && return 0
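Review bot: is_valid_pgpkey is called as `is_valid_pgpkey "$statusfile"` in the next hunk but never reads `$1`; it greps the global `$statusfile` instead. Either start with `local statusfile=$1` or drop the argument at the call site, otherwise the signature is misleading. Also, when the status file has no VALIDSIG line, `pubkey` is empty and the empty string is looked up in the fingerprint list; an explicit `[[ -n $pubkey ]] || return 1` before in_array makes that rejection deliberate rather than a side effect of the lookup failing.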
> @@ -1303,9 +1312,12 @@ check_pgpsigs() {
>  			if grep -q "REVKEYSIG" "$statusfile"; then
>  				printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2
>  				errors=1
> -			elif grep -q -e "TRUST_UNDEFINED" -e "TRUST_NEVER" "$statusfile"; then
> +			elif (( ${#validpgpkeys[@]} == 0 )) && grep -q -e "TRUST_UNDEFINED" -e "TRUST_NEVER" "$statusfile"; then
>  				printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key is not trusted")" >&2
>  				errors=1
> +			elif (( ${#validpgpkeys[@]} > 0 )) && ! pubkey=$(is_valid_pgpkey "$statusfile"); then
> +				printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid key")"
> +				errors=1

Is there a decent way to extract the real status from the file once and
then do string comparisons in bash, rather than forking to grep all the
time?

>  			else
>  				printf '%s' "$(gettext "Passed")" >&2
>  				if grep -q "EXPSIG" "$statusfile"; then
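Review bot: the new `invalid key` branch's printf lacks the `>&2` that the REVKEYSIG and TRUST branches have, so this FAILED message goes to stdout while its siblings go to stderr, and `$pubkey` is expanded inside the format string instead of being passed as an argument. Suggest `printf '%s (%s %s)' "$(gettext "FAILED")" "$(gettext "invalid key")" "$pubkey" >&2`. Note too that this message only has a fingerprint to show because is_valid_pgpkey echoes `$pubkey` before the in_array check; if the echo is moved after a successful check, the message will print an empty key, so the fingerprint should then be obtained separately for the error path.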
> @@ -2810,7 +2822,7 @@ fi
>  
>  unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
>  unset md5sums replaces depends conflicts backup source install changelog build
> -unset makedepends optdepends options noextract
> +unset makedepends optdepends options noextract validpgpkeys
>  
>  BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
>  if [[ ! -f $BUILDFILE ]]; then
> -- 
> 1.9.0
> 
> 
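As an added illustration of the question raised above about reading the status file once instead of forking grep for every keyword, here is a small bash sketch (example code written for this review, not makepkg's own) that parses a gpg `--status-fd` file in a single `read` loop and then applies the same decision order as the patch: revoked key first, then the validpgpkeys allow-list when it is non-empty, otherwise the keyring trust words. The status lines, the fingerprint and the `validpgpkeys` entries are constructed sample values; the `[GNUPG:] KEYWORD args` line shape and the fingerprint being the first VALIDSIG field are assumptions about gpg's status output.

```shell
#!/bin/bash
# Added example, not makepkg code. Parses a gpg status file once and checks
# the signing key against a validpgpkeys-style allow-list.

# Constructed sample status output; the fingerprint and identity are made up.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.invalid>
[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2014-03-08 1394281208 0 4 0 1 10 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Hypothetical allow-list, as a PKGBUILD would set it.
validpgpkeys=('ABCDEF0123456789ABCDEF0123456789ABCDEF01')

# write_sample_status FILE: writes the constructed status lines to FILE.
write_sample_status() {
	printf '%s\n' "$SAMPLE_STATUS" > "$1"
}

# parse_gpg_status FILE: one pass over the status file, setting
# GPG_FPR (first VALIDSIG field), GPG_REVOKED, GPG_UNTRUSTED, GPG_EXPIRED.
parse_gpg_status() {
	local prefix keyword rest
	GPG_FPR='' GPG_REVOKED=0 GPG_UNTRUSTED=0 GPG_EXPIRED=0
	while read -r prefix keyword rest; do
		[[ $prefix == '[GNUPG:]' ]] || continue
		case $keyword in
			VALIDSIG)                    GPG_FPR=${rest%% *} ;;
			REVKEYSIG)                   GPG_REVOKED=1 ;;
			TRUST_UNDEFINED|TRUST_NEVER) GPG_UNTRUSTED=1 ;;
			EXPSIG|EXPKEYSIG)            GPG_EXPIRED=1 ;;
		esac
	done < "$1"
}

# in_array NEEDLE ITEM...: exact string match against the remaining arguments.
in_array() {
	local needle=$1 item
	shift
	for item; do
		[[ $item == "$needle" ]] && return 0
	done
	return 1
}

# check_signature_status FILE: prints the verdict, returns 0 only on pass.
check_signature_status() {
	parse_gpg_status "$1"
	if (( GPG_REVOKED )); then
		echo "FAILED (the key has been revoked)"
		return 1
	fi
	if (( ${#validpgpkeys[@]} > 0 )); then
		# Allow-list mode: keyring trust is ignored, the fingerprint must match.
		if [[ -z $GPG_FPR ]] || ! in_array "$GPG_FPR" "${validpgpkeys[@]}"; then
			echo "FAILED (invalid key $GPG_FPR)"
			return 1
		fi
	elif (( GPG_UNTRUSTED )); then
		echo "FAILED (the key is not trusted)"
		return 1
	fi
	if (( GPG_EXPIRED )); then
		echo "Passed (WARNING: the signature or key has expired)"
	else
		echo "Passed"
	fi
	return 0
}

# Demo run on the constructed sample.
tmp=$(mktemp)
write_sample_status "$tmp"
check_signature_status "$tmp"
rm -f "$tmp"
```

With the sample above the verdict is Passed because the fingerprint is allow-listed even though gpg reported TRUST_UNDEFINED; emptying `validpgpkeys` makes the same file fail on the trust check, and listing a different fingerprint fails it as an invalid key.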
