pacman-key: remove holdkeys functionality
We're putting the cart ahead of the horse a bit here. Given that our keyring is not one where everything is implicitly trusted (ala gpgv), keeping or deleting a key has no bearing on its trusted status, only whether we can actually verify things signed by said key. If we need to address this down the road, we can find a solution that works for the problem at hand rather than trying to solve it now before signing is even widespread. Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
parent
595e1a437f
commit
33685b960d
|
@ -121,9 +121,7 @@ manually import to the pacman keyring. This prevents a potentially malicious
|
|||
repository adding keys to the pacman keyring without the users knowledge.
|
||||
|
||||
A key being marked as revoked always takes priority over the key being added to
|
||||
the pacman keyring, regardless of the keyring it is provided in. To prevent a
|
||||
key from being revoked when using '\--populate', its ID can be listed in
|
||||
+{sysconfdir}/pacman.d/gnupg/holdkeys+.
|
||||
the pacman keyring, regardless of the keyring it is provided in.
|
||||
|
||||
See Also
|
||||
--------
|
||||
|
|
|
@ -288,18 +288,6 @@ populate_keyring() {
|
|||
fi
|
||||
done
|
||||
|
||||
# Read list of keys that must be kept installed and remove them from the list
|
||||
# of keys to be removed
|
||||
if [[ -f "${PACMAN_KEYRING_DIR}/holdkeys" ]]; then
|
||||
while read key; do
|
||||
key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
|
||||
if [[ -n "${revoked_ids[$key_id]}" ]]; then
|
||||
unset revoked_ids[$key_id]
|
||||
fi
|
||||
done < "${PACMAN_KEYRING_DIR}/holdkeys"
|
||||
fi
|
||||
|
||||
# Remove the keys not marked to keep
|
||||
if (( ${#revoked_ids[@]} > 0 )); then
|
||||
msg "$(gettext "Disabling revoked keys in keyring...")"
|
||||
for key_id in "${!revoked_ids[@]}"; do
|
||||
|
|
Loading…
Reference in New Issue