[pacman-dev] [PATCH v3] pacman-key: receive keys from WKD with -r/--recv-keys

Jonas Witschel diabonas at archlinux.org
Mon Oct 7 10:56:02 UTC 2019


If an email address is specified, we use --locate-key to look up the key
using WKD and keyserver as a fallback. If the key is specified as a key
ID, this doesn't work, so we use the normal keyserver-based --recv-keys.

Note that --refresh-keys still uses the keyservers exclusively for
refreshing, though the situation might potentially be improved in a new
version of GnuPG:
https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062169.html

Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
---

Apply suggested changes:
- Use "clear,nodefault" instead of "nodefault,clear" (verified with
  GnuPG 2.2.17 that the latter indeed doesn't clear the default "local")
- Attempt lookups by key ID instead of bailing out early if lookup by
  email address failed

 scripts/pacman-key.sh.in | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 117acc40..8c8ffc3f 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -461,25 +461,34 @@ lsign_keys() {
 }
 
 receive_keys() {
-	local name id keyids
+	local ret=0 name id keyids emails
 
 	# if the key is not a hex ID, do a lookup
 	for name; do
 		if [[ $name = ?(0x)+([0-9a-fA-F]) ]]; then
 			keyids+=("$name")
-		else
-			if id=$(key_lookup_from_name "$name"); then
-				keyids+=("$id")
-			fi
+		elif [[ $name = *@*.* ]]; then
+			emails+=("$name")
+		elif id=$(key_lookup_from_name "$name"); then
+			keyids+=("$id")
 		fi
 	done
 
-	(( ${#keyids[*]} > 0 )) || exit 1
+	(( ${#keyids[*]}+${#emails[*]} > 0 )) || exit 1
+
+	if (( ${#emails[*]} > 0 )) && \
+	   ! "${GPG_PACMAN[@]}" --auto-key-locate clear,nodefault,wkd,keyserver \
+	                        --locate-key "${emails[@]}" ; then
+		error "$(gettext "Remote key not fetched correctly from WKD or keyserver.")"
+		ret=1
+	fi
 
-	if ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
+	if (( ${#keyids[*]} > 0 )) && ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
 		error "$(gettext "Remote key not fetched correctly from keyserver.")"
-		exit 1
+		ret=1
 	fi
+
+	exit $ret
 }
 
 refresh_keys() {
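Review bot: The `--auto-key-locate clear,nodefault,wkd,keyserver` line carries an ordering requirement that only the cover letter explains, so add a comment above it such as `# "clear,nodefault" must come in this order: it drops gpg's default "local" mechanism so the lookup really goes to WKD and then the keyserver` to stop the next editor from swapping the two tokens. It is also worth a short comment on that branch noting that the keyserver fallback for an email address imports whatever key(s) the keyserver returns for that address — unlike a hex key ID there is no fingerprint to match against, so the fetched key still has to be verified before it is locally signed; this follows from gpg's documented behaviour rather than anything visible in the hunk. Minor: `exit $ret` should be `exit "$ret"`, and `keyids`/`emails` are declared without `=()`, so `${#emails[*]}` on an unset array trips `set -u` on older bash if the script enables it, which I cannot see from here.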
-- 
2.23.0

