[pacman-dev] [PATCH 2/2] pacman-key: hid lsign and revoke spam behind --verbose

Eli Schwartz eschwartz at archlinux.org
Mon Nov 4 02:58:03 UTC 2019


On 11/3/19 6:35 PM, Allan McRae wrote:
>> This commit closes:
>> FS#64142 - pacman-key: make populate less noisy
> 
> There is an additional comment in the bug:
> "Additionally, we should consider only counting keys to be disabled that
> are not currently disabled. Same with lsign key."
> 
> So, partially implements FS#64142.

So I dug around in /usr/share/doc/gnupg/DETAILS and I think I basically
know what we need to get the rest of the way there. gpg --with-colons
will be our friend here. We'll need to:

figure out the keyid of the local master key (secret key):

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-secret-key
sec:u:2048:1:2150A73FE449203E:1539640294:::u:::scSC:::+:::23::0:
fpr:::::::::708A83C140BD668A8D52DDFF2150A73FE449203E:
grp:::::::::2595A2681C2DA4806EC088E4DF877DA80528FEB5:
uid:u::::1539640294::79311EDEA01302E0DBBB2F33AE799F8BB677652F::Pacman Keyring Master Key <pacman at localhost>::::::::::0:

Find the sec line, find field 5, my local secret key is 2150A73FE449203E.

Now we need to find out whether a given keyring key is already lsigned:

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --check-signatures anthraxx at master-key
tru::1:1572742808:1579736285:3:1:5
pub:f:4096:1:D6D055F927843F1C:1541685162:::m:::scESCA::::::23:1547746114:1 https\x3a//[2001\x3a4c48\x3a2\x3abf04\x3a20c\x3a29ff\x3afe84\x3ad087]\x3a443:
fpr:::::::::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:
uid:f::::1541685162::B588C0444DCADD3F0BBBEEBA44F9F02E089294E7::Levente Polyak (Arch Linux Master Key) <anthraxx at master-key.archlinux.org>:::::::::1547746114:1:
sig:!::1:39E4B877E62EB915:1546031667::::Sven-Hendrik Haase <svenstaro at gmail.com>:10x::8FC15A064950A99DD1BD14DD39E4B877E62EB915:::8:
sig:!::1:FC1B547C8D8172C8:1542066833::::Levente Polyak (anthraxx) <levente at leventepolyak.net>:10x::E240B57E2C4630BA768E2F26FC1B547C8D8172C8:::10:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) <anthraxx at master-key.archlinux.org>:13x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:
sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman at localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:
sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10:
sub:f:4096:1:FEB12332C13054E7:1541685162::::::e::::::23:
fpr:::::::::86CC2A69D4B742C15239AD22FEB12332C13054E7:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak (Arch Linux Master Key) <anthraxx at master-key.archlinux.org>:18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:
sig:?::22:F43D25535101A2C4:1561282892:::::10x::7F6A217EDE0E471E99964D5AF43D25535101A2C4:::10:
sub:f:4096:1:DEDF3FE3104A16F6:1541685530::::::a::::::23:
fpr:::::::::46A1EFF0753F9F10BB6B36DEDEDF3FE3104A16F6:
sig:!::1:D6D055F927843F1C:1541685530::::Levente Polyak (Arch Linux Master Key) <anthraxx at master-key.archlinux.org>:18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:

Here's the line we need, a 'sig' line:

sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman at localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:

Field 2 tells us whether the signature is good, either "!" for good or
"-" for bad. Field 5 (again) tells us the id of the key, in this case
the key which performed the signature. Does it match the previously
detected secret key? If not, try to find another signature that is a
secret key.

....

Now on to the "is it disabled" mode.

$ gpg --homedir /etc/pacman.d/gnupg --no-permission-warning --with-colons --list-key 81D7F8241DB38BC759C80FCE3A726C6170E80477
tru::1:1572742808:1579736285:3:1:5
pub:-:2048:1:3A726C6170E80477:1321703264:::-:::scESCD::::::23::0:
fpr:::::::::81D7F8241DB38BC759C80FCE3A726C6170E80477:
uid:-::::1321703264::E0406C59D6C6B91ED55428F0A785052113EF060B::Роман Кирилич (Roman Kyrylych) <roman at archlinux.org>::::::::::0:
sub:-:2048:1:A9E18694A8AA192C:1321703264::::::e::::::23:
fpr:::::::::BEC1D058200080E7938CC822A9E18694A8AA192C:

This person is retired from Arch, and his key is disabled. Look at the
'pub' line, field 12 -- it contains a "D", so his key is disabled.

Matthew -- you want to take this the rest of the way?

-- 
Eli Schwartz
Bug Wrangler and Trusted User
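The three checks sketched in the mail (master key ID from the sec record's field 5, a good "!" sig by that key, a "D" in the pub record's field 12), as an added POSIX sh/awk example that is not part of the thread or of pacman-key itself. The --with-colons listings are constructed inline, modelled on the ones above; a real run would pipe the gpg commands quoted in the mail instead. It goes one step beyond the text by counting only sig records that sit under a uid record, since those are the certifications lsign creates (sigs under a sub record are subkey bindings).

```shell
#!/bin/sh
# Constructed --with-colons records modelled on the listings in the mail; a real
# run would pipe 'gpg --homedir /etc/pacman.d/gnupg --with-colons ...' instead.
SECRET_LISTING='sec:u:2048:1:2150A73FE449203E:1539640294:::u:::scSC:::+:::23::0:
fpr:::::::::708A83C140BD668A8D52DDFF2150A73FE449203E:
uid:u::::1539640294::79311EDEA01302E0DBBB2F33AE799F8BB677652F::Pacman Keyring Master Key <pacman at localhost>::::::::::0:'

SIGNED_LISTING='pub:f:4096:1:D6D055F927843F1C:1541685162:::m:::scESCA::::::23:1547746114:1:
uid:f::::1541685162::B588C0444DCADD3F0BBBEEBA44F9F02E089294E7::Levente Polyak <anthraxx at master-key.archlinux.org>:::::::::1547746114:1:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak <anthraxx at master-key.archlinux.org>:13x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:
sig:!::1:2150A73FE449203E:1548318377::::Pacman Keyring Master Key <pacman at localhost>:10l::708A83C140BD668A8D52DDFF2150A73FE449203E:::8:
sub:f:4096:1:FEB12332C13054E7:1541685162::::::e::::::23:
sig:!::1:D6D055F927843F1C:1541685162::::Levente Polyak <anthraxx at master-key.archlinux.org>:18x::D8AFDDA07A5B6EDFA7D8CCDAD6D055F927843F1C:::10:'

DISABLED_LISTING='pub:-:2048:1:3A726C6170E80477:1321703264:::-:::scESCD::::::23::0:
fpr:::::::::81D7F8241DB38BC759C80FCE3A726C6170E80477:
uid:-::::1321703264::E0406C59D6C6B91ED55428F0A785052113EF060B::Roman Kyrylych <roman at archlinux.org>::::::::::0:'

# Field 5 of the 'sec' record is the long key ID of the local master key.
master_keyid() {
    printf '%s\n' "$1" | awk -F: '$1 == "sec" { print $5; exit }'
}

# Return 0 if a good ("!" in field 2) certification by key $2 exists on a uid
# of the listing in $1. Only 'sig' records under a 'uid' record count: those
# are the certifications lsign creates (field 11 is "10l" for a local sig);
# 'sig' records under a 'sub' record are subkey binding signatures.
is_lsigned_by() {
    printf '%s\n' "$1" | awk -F: -v kid="$2" '
        $1 == "uid" { inuid = 1 }
        $1 == "sub" { inuid = 0 }
        $1 == "sig" && inuid && $2 == "!" && $5 == kid { found = 1 }
        END { exit !found }'
}

# Return 0 if field 12 of the 'pub' record carries "D" (key disabled).
is_disabled() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" && index($12, "D") { d = 1 } END { exit !d }'
}

# Demo: the decisions populate could make from these listings.
MASTER=$(master_keyid "$SECRET_LISTING")
if is_lsigned_by "$SIGNED_LISTING" "$MASTER"; then echo "already lsigned by $MASTER"; fi
if is_disabled "$DISABLED_LISTING"; then echo "already disabled, skip"; fi
```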


