[PATCH] libmakepkg/integrity: handle PGP signature files containing multiple signatures

Jonas Witschel diabonas at archlinux.org
Wed Jun 8 21:16:55 UTC 2022


Thank you very much for your review, Levente! See below for my answers to the
points you raised.

On 2022-06-08 21:15, Levente Polyak wrote:
> I'm not too sure we really want to mimic gpgv behavior. Validating all
> signatures sounds great in theory, but the only real security guarantee
> we can give with the current control mechanisms and options in makepkg
> is basically "source has any signature available in validpgpkeys".
> 
> As we have no constraints to specify a signature threshold, there is no
> way for makepkg to consider three, two or one available signature as more
> or less trustworthy. For instance a rogue maintainer can just distribute
> whatever they want using a single trusted signature which makepkg will
> happily consume. Hence the only guarantee we can provide currently is
> to have `any` signature instead of `all`.
> 
> While this is the case, this may lead to potential issues like "random"
> secondary signatures or potentially even old superseded keys that are
> still used as a multi signature which we don't actually wanna forcefully
> trust anymore.
> 
> Taking this into account, I'd suggest we go with an `any` approach
> instead of `all` for the time being. If makepkg ever gets finer trust
> control per source, such adjustments should be reflected here as well.

Having thought about this for a bit, I agree with your reasoning and have
implemented the "any" logic, which I will post as an updated version of the
patch.

> I believe a better place in libmakepkg would be to move `set_difference`
> into `scripts/libmakepkg/util/util.sh.in` next to `in_array`, `is_array`
> and friends and hence make it an exposed util function.
> 
> Potentially naming it array instead of set would make sense for such a
> util function, like `array_diff` or `array_difference`.

Done. Note that due to the changed logic it is not a "set_difference" any more,
but an "arrays_intersect" function because we need to check whether any of the
fingerprints is also in validpgpkeys to find a valid signature.

> > +	local -n first=$1
> > +	local -n second=$2
> > +	local -n result=$3
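Review bot: the nameref names `first`, `second` and `result` in `local -n first=$1` collide with any caller variable of the same name (for instance a caller array called `result`); bash then reports a circular name reference and the function fails. Use names that no caller is likely to use, such as a function-specific prefix like `_arrays_intersect_first` and `_arrays_intersect_second`.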
> 
> namerefs yield an error in bash if they are named equal to a variable in
> the caller scope. For all namerefs I would suggest to choose something
> very unique, possibly with an underscore prefix. I'd maybe go with
> something like `_first_diff_array`, `_result_diff_array` or similar
> vars.

The variables are now called _arrays_intersect_{first,second} to avoid naming
collisions.

Best,
Jonas
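The helper the thread converges on, written out as an added example (this is not the makepkg patch itself, and the function and variable names `arrays_intersect`, `check_any_signature_trusted`, `_arrays_intersect_first` and `_arrays_intersect_second` are assumptions): namerefs carry a function-specific prefix so they cannot collide with a caller's arrays, and the check implements the "any" semantics, accepting a source as soon as one fingerprint from the signature file appears in validpgpkeys.

```bash
#!/usr/bin/env bash
# Added example, not the libmakepkg code: an arrays_intersect utility plus the
# "any signature in validpgpkeys" check discussed in the thread.

# Return 0 if any element of the array named by $1 also occurs in the array
# named by $2, 1 otherwise. The namerefs use a unique prefix so that a caller
# array called e.g. "first" or "result" does not trigger bash's
# "circular name reference" error.
arrays_intersect() {
    local -n _arrays_intersect_first=$1
    local -n _arrays_intersect_second=$2
    local _arrays_intersect_elem _arrays_intersect_cand
    for _arrays_intersect_elem in "${_arrays_intersect_first[@]}"; do
        for _arrays_intersect_cand in "${_arrays_intersect_second[@]}"; do
            if [[ $_arrays_intersect_elem == "$_arrays_intersect_cand" ]]; then
                return 0
            fi
        done
    done
    return 1
}

# $1: name of an array holding the fingerprints found in a signature file
#     (one per signature packet, so a multi-signature file yields several).
# $2: name of the validpgpkeys array from the PKGBUILD.
# Returns 0 when at least one signing key is listed in validpgpkeys.
check_any_signature_trusted() {
    arrays_intersect "$1" "$2"
}

# Demo with constructed fingerprints (not real keys).
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
    # Two signatures on one file: an old superseded key and a current one.
    sigfile_fprs=(
        "0000000000000000000000000000000000000001"  # constructed: old key
        "0000000000000000000000000000000000000002"  # constructed: current key
    )
    validpgpkeys=("0000000000000000000000000000000000000002")
    if check_any_signature_trusted sigfile_fprs validpgpkeys; then
        echo "source accepted: a trusted key signed it"
    else
        echo "source rejected: no trusted signature"
    fi
fi
```

The outer loop walks the fingerprints reported for the signature file, so a file with several signature packets is handled the same way as one with a single signature; only one trusted match is needed, which is exactly the "any" guarantee Levente describes.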