[pacman-dev] [PATCHv2 3/3] makepkg: Introduce validpgpkeys array

Allan McRae allan at archlinux.org
Sun May 4 02:50:07 EDT 2014


On 09/03/14 05:22, Thomas Bächler wrote:
> If validpgpkeys is set in the PKGBUILD, signature checking fails if
> the fingerprint of the key used to create the signature is not listed
> in the array.
> 
> The key's trust value is ignored.
> ---
>  doc/PKGBUILD.5.txt    |  7 +++++++
>  scripts/makepkg.sh.in | 17 ++++++++++++++---
>  2 files changed, 21 insertions(+), 3 deletions(-)
> 
> diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
> index 50d8347..7a1e924 100644
> --- a/doc/PKGBUILD.5.txt
> +++ b/doc/PKGBUILD.5.txt
> @@ -128,6 +128,13 @@ Files in the source array with extensions `.sig`, `.sign` or, `.asc` are
>  recognized by makepkg as PGP signatures and will be automatically used to verify
>  the integrity of the corresponding source file.
>  
> +*validpgpkeys (array)*::
> +	An array of PGP fingerprints. If this array is non-empty, makepkg will
> +	only accept signatures from the keys listed here and will ignore the
> +	trust values from the keyring.
> ++
> +Fingerprints must be uppercase and must not contain whitespace characters.
> +
>  *noextract (array)*::
>  	An array of file names corresponding to those from the source array. Files
>  	listed here will not be extracted with the rest of the source files. This
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index d0e4fb5..d24a2cd 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1283,6 +1283,13 @@ parse_gpg_statusfile() {
>  					status="error"
>  				fi
>  				;;
> +			VALIDSIG)
> +				if [[ $arg10 ]]; then
> +					fingerprint=$arg10
> +				else
> +					fingerprint=$arg1
> +				fi
> +				;;

And here goes $arg10...   But on every file I tested, $arg1 was always
the fingerprint.  How can $arg10 be different?

Allan

>  			TRUST_UNDEFINED|TRUST_NEVER)
>  				trusted=0
>  				;;
> @@ -1299,7 +1306,7 @@ check_pgpsigs() {
>  
>  	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
>  
> -	local file ext decompress found pubkey success status trusted
> +	local file ext decompress found pubkey success status fingerprint trusted
>  	local warning=0
>  	local errors=0
>  	local statusfile=$(mktemp)
> @@ -1345,6 +1352,7 @@ check_pgpsigs() {
>  		success=0
>  		status=
>  		pubkey=
> +		fingerprint=
>  		trusted=
>  		parse_gpg_statusfile "$statusfile"
>  		if (( ! $success )); then
> @@ -1365,9 +1373,12 @@ check_pgpsigs() {
>  			esac
>  			errors=1
>  		else
> -			if (( ! $trusted )); then
> +			if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then
>  				printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2
>  				errors=1
> +			elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then
> +				printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")"
> +				errors=1
>  			else
>  				printf '%s' "$(gettext "Passed")" >&2
>  				case "$status" in
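Review bot: The new `invalid public key` branch writes its message to stdout and splices `$pubkey` into the printf format string, whereas the two neighbouring messages in this if/else both end in `>&2`. As written, the rejection notice can go missing when stdout is redirected or captured, and any `%` in whatever parse_gpg_statusfile stored in `pubkey` would be read as a format directive. I would write it as `printf '%s (%s %s)' "$(gettext "FAILED")" "$(gettext "invalid public key")" "$pubkey" >&2`. It would also help to print `$fingerprint` here rather than the key id, since that is the value compared against `validpgpkeys` and the one a packager has to check by hand. The if/else in check_pgpsigs continues past the end of this hunk, so the later `case "$status"` handling is not visible here.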
> @@ -2875,7 +2886,7 @@ fi
>  
>  unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
>  unset md5sums replaces depends conflicts backup source install changelog build
> -unset makedepends optdepends options noextract
> +unset makedepends optdepends options noextract validpgpkeys
>  
>  BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
>  if [[ ! -f $BUILDFILE ]]; then
> 


