[pacman-dev] [PATCH v3] pacman-key: receive keys from WKD with -r/--recv-keys

Allan McRae allan at archlinux.org
Mon Oct 7 11:40:44 UTC 2019


On 7/10/19 8:56 pm, Jonas Witschel wrote:
> If an email address is specified, we use --locate-key to look up the key
> using WKD and keyserver as a fallback. If the key is specified as a key
> ID, this doesn't work, so we use the normal keyserver-based --recv-keys.
> 
> Note that --refresh-keys still uses the keyservers exclusively for
> refreshing, though the situation might potentially be improved in a new
> version of GnuPG:
> https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062169.html
> 
> Signed-off-by: Jonas Witschel <diabonas at archlinux.org>
> ---
> 
> Apply suggested changes:
> - Use "clear,nodefault" instead of "nodefault,clear" (verified with
>   GnuPG 2.2.17 that the latter indeed doesn't clear the default "local")
> - Attempt lookups by key ID instead of bailing out early if lookup by
>   email address failed


Great - thanks!

> 
>  scripts/pacman-key.sh.in | 25 +++++++++++++++++--------
>  1 file changed, 17 insertions(+), 8 deletions(-)
> 
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index 117acc40..8c8ffc3f 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -461,25 +461,34 @@ lsign_keys() {
>  }
>  
>  receive_keys() {
> -	local name id keyids
> +	local ret=0 name id keyids emails
>  
>  	# if the key is not a hex ID, do a lookup
>  	for name; do
>  		if [[ $name = ?(0x)+([0-9a-fA-F]) ]]; then
>  			keyids+=("$name")
> -		else
> -			if id=$(key_lookup_from_name "$name"); then
> -				keyids+=("$id")
> -			fi
> +		elif [[ $name = *@*.* ]]; then
> +			emails+=("$name")
> +		elif id=$(key_lookup_from_name "$name"); then
> +			keyids+=("$id")
>  		fi
>  	done
>  
> -	(( ${#keyids[*]} > 0 )) || exit 1
> +	(( ${#keyids[*]}+${#emails[*]} > 0 )) || exit 1
> +
> +	if (( ${#emails[*]} > 0 )) && \
> +	   ! "${GPG_PACMAN[@]}" --auto-key-locate clear,nodefault,wkd,keyserver \
> +	                        --locate-key "${emails[@]}" ; then
> +		error "$(gettext "Remote key not fetched correctly from WKD or keyserver.")"
> +		ret=1
> +	fi
>  
> -	if ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
> +	if (( ${#keyids[*]} > 0 )) && ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
>  		error "$(gettext "Remote key not fetched correctly from keyserver.")"
> -		exit 1
> +		ret=1
>  	fi
> +
> +	exit $ret
>  }
>  
>  refresh_keys() {
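Review bot: The `--auto-key-locate clear,nodefault,wkd,keyserver` line makes a WKD miss fall through to a keyserver lookup by e-mail address, and keyserver results carry no assurance that the key belongs to that address, so the import is only as trustworthy as the later local signing step; a comment on that line would keep the next maintainer from treating a successful `--locate-key` as verification, e.g. `# wkd is authoritative for the domain; the keyserver fallback is not -- imported keys still need lsign`. The e-mail branch also bypasses whatever `key_lookup_from_name` did for non-hex names (that helper is outside the hunk), which presumably includes a uniqueness or interactive check -- worth confirming the new path does not import several keys for one address. The WKD error message does not say which address failed, unlike the per-name handling above; `error "$(gettext "Remote key not fetched correctly from WKD or keyserver.")" "${emails[@]}"` or an equivalent that names the addresses would help when several are given. refresh_keys begins at the last line of the hunk and continues outside it.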
> 

