[pacman-dev] [PATCH] pacman-key: --refresh-keys queries WKD before keyserver

Allan McRae allan at archlinux.org
Mon Jan 11 01:29:46 UTC 2021


On 11/1/21 5:53 am, foxboron at archlinux.org wrote:
> From: Morten Linderud <morten at linderud.pw>
> 
> With the recent outages of the keyservers there is a possibility of
> `--refresh-keys` failing to fetch new keys. A lot of current key
> distribution is done over WKD these days, and `pacman-key` has the
> ability to use it for `--recv-key`.
> 
> There was a hope `gpg` would end up supporting WKD for the refresh
> functionality, but this seems to be limited to expired keys fetched
> through WKD. Since this functionality isn't yet available it makes sense
> to stuff it into `pacman-key`.
> 
> The current implementation looks over all available keyids in the
> keyring, attempts to fetch over WKD and then falls back to keyservers if
> no email has a valid WKD available. The downside of this approach is
> that it takes a bit longer to refresh the keys, but it should be more
> robust as the distribution should be providing their own WKDs.
> 

I'm going to assume most keys will have WKD.  Otherwise a bit longer
becomes much, much longer as we no longer fetch keys in parallel...


> Co-authored-by: Jonas Witschel <diabonas at archlinux.org>
> Signed-off-by: Morten Linderud <morten at linderud.pw>
> ---
>  scripts/pacman-key.sh.in | 36 +++++++++++++++++++++++++++++++++---
>  1 file changed, 33 insertions(+), 3 deletions(-)
> 
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index c65669f5..3bd8ea3e 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -540,11 +540,41 @@ receive_keys() {
>  }
>  
>  refresh_keys() {
> +	local ret=0 ids masterkey emails
> +
>  	check_keyids_exist "$@"
> -	if ! "${GPG_PACMAN[@]}" --refresh-keys "$@" ; then
> -		error "$(gettext "A specified local key could not be updated from a keyserver.")"
> -		exit 1
> +
> +	# don't try to refresh the user's local masterkey
> +	masterkey="$("${GPG_PACMAN[@]}" --list-keys --with-colons pacman at localhost |
> +		awk -F: '$1 == "pub" { print $5 }')"
> +
> +	mapfile -t ids < \
> +		<("${GPG_PACMAN[@]}" --list-keys --with-colons "$@" |
> +			awk -F: '$1 == "pub" { print $5 }' | grep -v "^$masterkey$")
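
Review bot: The master-key exclusion on the `grep -v "^$masterkey$"` line is a silent no-op when the `pacman at localhost` lookup above returns nothing (an empty `masterkey` gives the pattern `^$`, which only drops blank lines), and it breaks if that lookup ever yields more than one `pub` line, since the variable then expands to a multi-line pattern. Consider guarding with `[[ -n $masterkey ]]` before filtering, or matching the key ID as a fixed string (`grep -vxF -e "$masterkey"`) so an unexpected value cannot turn into a regex.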

Can we just use "grep -vx" here?

> +
> +	if (( ! ${#ids[*]} )); then
> +	    error "No keys in the keyring."
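
Review bot: Indentation is inconsistent on the `error "No keys in the keyring."` line and the `exit 1` that follows it: both use a tab followed by four spaces, while the rest of `refresh_keys()` indents with tabs only. Please switch these two lines to tabs to match the surrounding code.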

Error not translated, and incorrect if specific key IDs are passed to
--refresh-keys

> +	    exit 1
>  	fi
> +
> +	for id in "${ids[@]}"; do
> +		mapfile -t emails < \
> +			<("${GPG_PACMAN[@]}" --list-keys --list-options show-only-fpr-mbox "$id" |
> +				awk '{print $2 }')
> +
> +		# first try looking up the key in a WKD (only works by email address)
> +		for email in "${emails[@]}"; do
> +			"${GPG_PACMAN[@]}" --locate-external-keys "$email" && break
> +		done
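
Review bot: The loop variable `id` in `for id in "${ids[@]}"` is not declared on the `local ret=0 ids masterkey emails` line at the top of the function, so unlike the other working variables it leaks into the script's global scope; add it to the `local` list (`local ret=0 id ids masterkey emails`).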

There is going to be so much error spam to the terminal with this.
People's distro IDs are rarely first.

> +
> +		# if no key was found, fall back to using the keyservers (with the key fingerprint instead)
> +		if (( $? )) &&  ! "${GPG_PACMAN[@]}" --refresh-keys "$id"; then
> +			error "$(gettext "A specified local key could not be updated from WKD or keyserver.")"
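
Review bot: The `if (( $? )) && ...` test reads the exit status of the preceding `for email` loop, which is fragile: when `emails` is empty (a key whose user IDs carry no mailbox, so `--list-options show-only-fpr-mbox` prints nothing), the loop body never runs and its status is 0, so the keyserver fallback is skipped and the key is neither refreshed nor reported as failed. Track the outcome explicitly instead, e.g. set `found=1` next to the `break` inside the loop and test `if (( ! found )) && ! "${GPG_PACMAN[@]}" --refresh-keys "$id"; then`.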

This error can be improved given we fetch the key one at a time now.

> +			ret=1
> +		fi
> +	done
> +
> +	exit $ret
>  }
>  
>  verify_sig() {
> 

