[pacman-dev] [PATCH v3] pacman-key: ignore already lsigned/deleted keys

Matthew Sexton wsdmatty at gmail.com
Tue Nov 5 02:12:36 UTC 2019


Added two new functions, key_is_lsigned() and key_is_revoked()
that check whether a key has been locally signed or revoked
respectively during --populate. If the key is already signed
or revoked, it is quietly ignored.

Suggested-by: Eli Schwartz <eschwartz at archlinux.org>
Signed-off-by: Matthew Sexton <wsdmatty at gmail.com>
---
v3. Fixed spaced to tabs, renamed functions, moved functions
to the proper location, key_is_lsigned now ensures it's reading
from the 'sig' line, and a few stylistic corrections suggested
by Allan and Morgan. 

 scripts/pacman-key.sh.in | 42 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 3627a805..d1c9a456 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -190,6 +190,32 @@ check_keyids_exist() {
 	fi
 }
 
+key_is_lsigned() {
+	secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | awk -F : 'NR==1 {print $5}')
+	while IFS=: read -r type valid _ _ sign_key _; do
+		if [[ $type != "sig" ]] || [[ $valid != "!" ]]; then
+			continue
+		fi
+		if [[ "$sign_key" == "$secret_key" ]]; then
+			return 0
+		fi
+	done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1")
+	return 1
+
+}
+
+key_is_revoked() {
+	while IFS=: read -r type _ _ _ _ _ _ _ _ _ _ flags _; do
+		if [[ $type != "pub" ]]; then
+			continue
+		fi
+		if [[ $flags == *"D"* ]]; then
+			return 0
+		fi
+	done < <("${GPG_PACMAN[@]}" --with-colons --list-key "$1")
+	return 1
+}
+
 initialize() {
 	local conffile keyserv
 	# Check for simple existence rather than for a directory as someone
@@ -247,7 +273,7 @@ check_keyring() {
 		fi
 	fi
 
-	if (( LSIGNKEY )); then
+	if (( LSIGNKEY || POPULATE )); then
 		if [[ $(secret_keys_available) -lt 1 ]]; then
 			error "$(gettext "There is no secret key available to sign with.")"
 			msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init"
@@ -337,13 +363,18 @@ populate_keyring() {
 		local key_count=0
 		msg "$(gettext "Disabling revoked keys in keyring...")"
 		for key_id in "${!revoked_ids[@]}"; do
+			if key_is_revoked "$key_id" ; then
+				continue
+			fi
 			if (( VERBOSE )); then
 				msg2 "$(gettext "Disabling key %s...")" "${key_id}"
 			fi
 			printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null
 			key_count=$((key_count+1))
 		done
-		msg2 "$(gettext "Disabled %s keys.")" "${key_count}"
+		if (( key_count )); then
+			msg2 "$(gettext "Disabled %s keys.")" "${key_count}"
+		fi
 	fi
 }
 
@@ -454,6 +485,9 @@ lsign_keys() {
 	local ret=0
 	local key_count=0
 	for key_id in "$@"; do
+		if key_is_lsigned "$key_id" ; then
+			continue
+		fi
 		if (( VERBOSE )); then
 			msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
 		fi
@@ -469,7 +503,9 @@ lsign_keys() {
 	if (( ret )); then
 		exit 1
 	fi
-	msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
+	if (( key_count )); then
+		msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
+	fi
 }
 
 receive_keys() {
-- 
2.23.0


More information about the pacman-dev mailing list