moparisthebest/pacman
1
0
Fork 0
mirror of https://github.com/moparisthebest/pacman synced 2025-02-28 17:31:52 -05:00
Code Issues Releases Wiki Activity

makepkg: allow less than the full fingerprint in validpgpkeys

Browse Source 
I found this feature confusing, and the documentation wasn't any help.
It was pointed out to me on IRC that validpgpkeys expects full
fingerprints, and won't accept shorter forms. This makes the
documentation insufficient, and the variable name itself misleading.

This patch bolsters the documentation to explain more about what the
contents should be, and implements suffix matching to allow matching on
shorters fingerprint suffices. Now, when makepkg tells you that a key
ID isn't valid, it's sufficient to manually check the key ID against
the known good ID, and add it as is to validpgpkeys.

Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Dave Reisner 2014-09-25 13:29:13 -04:00 committed by Allan McRae
parent 60c1f2857b
commit 50296576d0
2 changed files with 23 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/PKGBUILD.5.txt
View File

@ -138,7 +138,9 @@ the integrity of the corresponding source file.
trust values from the keyring. If the source file was signed with a
subkey, makepkg will still use the primary key for comparison.
+
Fingerprints must be uppercase and must not contain whitespace characters.
Fingerprints must be uppercase and must not contain whitespace characters. They
must be either the full fingerprint or match at least 16 characters of the full
fingerprint, starting from the end of the fingerprint.
*noextract (array)*::
An array of file names corresponding to those from the source array. Files

21
scripts/makepkg.sh.in
View File

@ -1410,6 +1410,25 @@ parse_gpg_statusfile() {
done < "$1"
}
is_known_valid_pgp_key() {
local fprint subject=$1 validfprints=("${@:2}")
for fprint in "${validfprints[@]}"; do
# we always honor full fingerprint matches
if [[ "$subject" = "$fprint" ]]; then
return 0
fi
# we'll also honor a suffix match, assuming that the fprint is long enough
# to be worthy.
if (( ${#fprint} >= 16 )) && [[ $subject = *"$fprint" ]]; then
return 0
fi
done
return 1
}
check_pgpsigs() {
(( SKIPPGPCHECK )) && return 0
! source_has_signatures && return 0
@ -1496,7 +1515,7 @@ check_pgpsigs() {
if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then
printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2
errors=1
elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then
elif ! is_known_valid_pgp_key "$fingerprint" "${validpgpkeys[@]}"; then
printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")"
errors=1
else