moparisthebest/pacman
1
0
Fork 0
mirror of https://github.com/moparisthebest/pacman synced 2025-03-01 01:41:52 -05:00
Code Issues Releases Wiki Activity

pacman-key: Remove useless signature verification in --populate command

Browse Source 
Verifing the keyring at this point is useless as a malicious package is already
installed and as such has several options to bypass this check anyway.

Signed-off-by: Pierre Schmitz <pierre@archlinux.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Pierre Schmitz 2012-03-04 13:25:56 +01:00 committed by Dan McGee
parent 4ffa0401d2
commit 1fe6cabc4d
2 changed files with 0 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
doc/pacman-key.8.txt
View File

@ -129,11 +129,6 @@ any signing", so should be used with prudence. A key being marked as revoked
will be disabled in the keyring and no longer treated as valid, so this always
takes priority over it's trusted state in any other keyring.
All files are required to be signed (detached) by a trusted PGP key that the
user must manually import to the pacman keyring. This prevents a potentially
malicious repository adding keys to the pacman keyring without the users
knowledge.
See Also
--------

39
scripts/pacman-key.sh.in
View File

@ -214,43 +214,6 @@ check_keyring() {
fi
}
validate_with_gpg() {
msg2 "$(gettext "Verifying %s...")" "$1"
if [[ ! -f "$1.sig" ]]; then
error "$(gettext "File %s is unsigned, cannot continue.")" "$1"
return 1
elif ! "${GPG_PACMAN[@]}" --verify "$1.sig"; then
error "$(gettext "The signature of file %s is not valid.")" "$1"
return 1
fi
return 0
}
verify_keyring_input() {
local ret=0;
local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
# Verify signatures of keyring files and trusted/revoked files if they exist
msg "$(gettext "Verifying keyring file signatures...")"
local keyring keyfile
for keyring in "${KEYRINGIDS[@]}"; do
keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
validate_with_gpg "${keyfile}" || ret=1
keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
if [[ -f "${keyfile}" ]]; then
validate_with_gpg "${keyfile}" || ret=1
fi
keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
if [[ -f "${keyfile}" ]]; then
validate_with_gpg "${keyfile}" || ret=1
fi
done
return $ret
}
populate_keyring() {
local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
@ -281,8 +244,6 @@ populate_keyring() {
exit 1
fi
verify_keyring_input || exit 1
# Variable used for iterating on keyrings
local key
local key_id