pacman-key: Remove useless signature verification in --populate command
Verifing the keyring at this point is useless as a malicious package is already installed and as such has several options to bypass this check anyway. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Pierre Schmitz
Dan McGee
parent
4ffa0401d2
commit
1fe6cabc4d
|
|
@ -129,11 +129,6 @@ any signing", so should be used with prudence. A key being marked as revoked
|
|||
will be disabled in the keyring and no longer treated as valid, so this always
|
||||
takes priority over it's trusted state in any other keyring.
|
||||
|
||||
All files are required to be signed (detached) by a trusted PGP key that the
|
||||
user must manually import to the pacman keyring. This prevents a potentially
|
||||
malicious repository adding keys to the pacman keyring without the users
|
||||
knowledge.
|
||||
|
||||
|
||||
See Also
|
||||
--------
|
||||
|
|
|
|||
|
|
@ -214,43 +214,6 @@ check_keyring() {
|
|||
fi
|
||||
}
|
||||
|
||||
validate_with_gpg() {
|
||||
msg2 "$(gettext "Verifying %s...")" "$1"
|
||||
if [[ ! -f "$1.sig" ]]; then
|
||||
error "$(gettext "File %s is unsigned, cannot continue.")" "$1"
|
||||
return 1
|
||||
elif ! "${GPG_PACMAN[@]}" --verify "$1.sig"; then
|
||||
error "$(gettext "The signature of file %s is not valid.")" "$1"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
verify_keyring_input() {
|
||||
local ret=0;
|
||||
local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
|
||||
|
||||
# Verify signatures of keyring files and trusted/revoked files if they exist
|
||||
msg "$(gettext "Verifying keyring file signatures...")"
|
||||
local keyring keyfile
|
||||
for keyring in "${KEYRINGIDS[@]}"; do
|
||||
keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
|
||||
validate_with_gpg "${keyfile}" || ret=1
|
||||
|
||||
keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
|
||||
if [[ -f "${keyfile}" ]]; then
|
||||
validate_with_gpg "${keyfile}" || ret=1
|
||||
fi
|
||||
|
||||
keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
|
||||
if [[ -f "${keyfile}" ]]; then
|
||||
validate_with_gpg "${keyfile}" || ret=1
|
||||
fi
|
||||
done
|
||||
|
||||
return $ret
|
||||
}
|
||||
|
||||
populate_keyring() {
|
||||
local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
|
||||
|
||||
|
|
@ -281,8 +244,6 @@ populate_keyring() {
|
|||
exit 1
|
||||
fi
|
||||
|
||||
verify_keyring_input || exit 1
|
||||
|
||||
# Variable used for iterating on keyrings
|
||||
local key
|
||||
local key_id
|
||||
|
|
|
|||
Loading…
Reference in New Issue