[pacman-dev] [PATCH v2] pacman-key: ignores keys already lsigned/deleted

Allan McRae allan at archlinux.org
Tue Nov 5 00:01:05 UTC 2019


Some additional comments

On 5/11/19 9:40 am, Allan McRae wrote:
>> +lsigned_already() {
>> +	# Determines whether a key has already been signed locally by getting the
>> +	# local pacman secret key and comparing it against signatures on the key
>> +	# returns 0 if key is signed, 1 if it is unsigned
>> +	secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | head -n1 | awk -F : '{print $5}')

gpg --with-colons --list-secret-key | awk -F : 'NR==1 {print $5}'

>> +    while IFS=: read -r _ valid _ _ signkey _; do

We should read the first value and check it is "sig".

>> +            if [[ "$valid" != "!" ]]; then
> 
> We don't quote the left hand side.
> 
>> +                continue
>> +            fi
>> +            if [[ "$signkey" = "$secret_key" ]]; then
>> +                return 0
>> +            fi
>> +	done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1")
>> +	return 1
>> +
>> +}
>>  
>>  lsign_keys() {
>>  	check_keyids_exist
>> @@ -454,6 +475,7 @@ lsign_keys() {
>>  	local ret=0
>>  	local key_count=0
>>  	for key_id in "$@"; do
>> +		if lsigned_already "$key_id" ; then	continue; fi
> 
> Put this over multiple lines.
> 
>>  		if (( VERBOSE )); then
>>  			msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
>>  		fi
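Review bot: The added `continue` skips an already-signed key without any output, so with `VERBOSE` set the loop goes silent for that key while every other step in lsign_keys is reported through `msg2`; a short verbose notice before the `continue` would make the skip visible and distinguish "already signed" from "nothing happened". Since `lsigned_already` falls through to `return 1` whenever no matching `!` signature is found, a key that gpg cannot list is simply signed as before, so the guard only ever removes work and never adds a silent failure. lsign_keys begins before this hunk.
```shell
	for key_id in "$@"; do
		if lsigned_already "$key_id"; then
			if (( VERBOSE )); then
				msg2 "$(gettext "Key %s is already locally signed, skipping...")" "${key_id}"
			fi
			continue
		fi
		# … unchanged: verbose "Locally signing key" message and the lsign call …
```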
>> @@ -469,7 +491,9 @@ lsign_keys() {
>>  	if (( ret )); then
>>  		exit 1
>>  	fi
>> -	msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
>> +	if (( key_count )); then
>> +		msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
>> +	fi
>>  }
>>  
>>  receive_keys() {
>> @@ -511,6 +535,19 @@ refresh_keys() {
>>  	fi
>>  }
>>  
>> +revoked_already() {
>> +
>> +    while IFS=: read -r type _ _ _ _ _ _ _ _ _ _ flags _; do
>> +            if [[ "$type" != "pub" ]]; then
>> +                continue
>> +            fi
>> +            if [[ "$flags" = *"D"* ]]; then
> 
> That quoting on the RHS looked weird to me, but I think it is fine...
> 
>> +                return 0
>> +            fi
>> +	done < <("${GPG_PACMAN[@]}" --with-colons --list-key "$1")
>> +	return 1
>> +}
>> +
>>  verify_sig() {
>>  	local ret=0 sig=$1 file=$2
>>  	if [[  -z $file && -f ${sig%.*} ]]; then
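Review bot: `revoked_already` has no header comment, unlike its sibling `lsigned_already`, and the name is misleading: the loop tests the `D` letter in field 12 of the `pub` record, which is gpg's "disabled" capability flag, not the revocation mark (that lives in the validity field). Suggest a header such as `# Determines whether a key is disabled (gpg's 'D' capability flag), which is presumably how pacman-key represents keys from the *-revoked lists; returns 0 if disabled, 1 otherwise` so the next reader does not assume a revocation check. Note also that `--list-key "$1"` prints every key matching `$1` and the loop returns 0 at the first disabled `pub` record it sees, so if a caller ever passes a short key id or a user-id fragment that matches several keys, the answer may come from a different key than intended; worth confirming that `$1` is always a full key id or fingerprint at the call sites, which are outside this hunk. The function body is complete within the hunk.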
>>
> .
> 

