
pacman-key: disable, don't remove, revoked keys

Unlike our protégé apt-key, removing a key from our keyring is not
sufficient to prevent it from being trusted or used for verification. We
are better off flagging it as disabled and leaving it in the keyring so
it cannot be reimported or fetched at a later date from a keyserver and
continue to be used.

Implement the logic to disable the key instead of delete it, figuring
out --command-fd in the process.

Note that the surefire way to disable a key involves including said key
in the keyring package, such that it is both in foobar.gpg and
foobar-revoked.

Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Dan McGee 2011-09-21 16:19:12 -05:00
parent 6767de5380
commit 7d961c849b


@ -275,22 +275,14 @@ populate_keyring() {
# Read the revoked key IDs to an array. The conversion from whatever is inside the file # Read the revoked key IDs to an array. The conversion from whatever is inside the file
# to key ids is important, because key ids are the only guarantee of identification # to key ids is important, because key ids are the only guarantee of identification
# for the keys. # for the keys.
local -A removed_ids local -A revoked_ids
for keyring in "${KEYRINGIDS[@]}"; do for keyring in "${KEYRINGIDS[@]}"; do
if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
while read key; do while read key; do
local key_values name key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
# extract key ID (field 5) and the name of owner (field 10)
key_values="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')"
if [[ -n $key_values ]]; then
# The first word is the key_id
key_id="${key_values%% *}"
# the rest is the name of the owner
name="${key_values#* }"
if [[ -n ${key_id} ]]; then if [[ -n ${key_id} ]]; then
# Mark this key to be deleted # Mark this key to be disabled
removed_ids[$key_id]="$name" revoked_ids[$key_id]="${keyring}"
fi
fi fi
done < "${KEYRING_IMPORT_DIR}/${keyring}-revoked" done < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
fi fi
@ -300,19 +292,19 @@ populate_keyring() {
# of keys to be removed # of keys to be removed
if [[ -f "${PACMAN_KEYRING_DIR}/holdkeys" ]]; then if [[ -f "${PACMAN_KEYRING_DIR}/holdkeys" ]]; then
while read key; do while read key; do
key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)" key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
if [[ -n "${removed_ids[$key_id]}" ]]; then if [[ -n "${revoked_ids[$key_id]}" ]]; then
unset removed_ids[$key_id] unset revoked_ids[$key_id]
fi fi
done < "${PACMAN_KEYRING_DIR}/holdkeys" done < "${PACMAN_KEYRING_DIR}/holdkeys"
fi fi
# Remove the keys not marked to keep # Remove the keys not marked to keep
if (( ${#removed_ids[@]} > 0 )); then if (( ${#revoked_ids[@]} > 0 )); then
msg "$(gettext "Removing revoked keys from keyring...")" msg "$(gettext "Disabling revoked keys in keyring...")"
for key_id in "${!removed_ids[@]}"; do for key_id in "${!revoked_ids[@]}"; do
echo " removing key $key_id - ${removed_ids[$key_id]}" msg2 "$(gettext "Disabling key %s...")" "${key_id}"
"${GPG_PACMAN[@]}" --quiet --batch --yes --delete-key "${key_id}" printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null
done done
fi fi
} }
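Review bot: The disable step on the `printf 'disable\nquit\n' | ... --edit-key "${key_id}"` line never checks gpg's exit status and discards its stderr, so a key that gpg fails to disable (for instance one not yet present in the keyring, a case the commit message itself acknowledges) silently stays enabled and trusted with no indication to the operator. Reporting the failure, e.g. by appending `|| error "$(gettext "Failed to disable key %s")" "${key_id}"` (assuming the script's `error` helper takes a printf-style format the way `msg2` does here), would make that visible. A second, pre-existing gap in the holdkeys loop above: `key_id` is empty when a listed key does not resolve, and `"${revoked_ids[$key_id]}"` is then expanded with an empty subscript, which bash appears to reject for associative arrays; the `[[ -n ${key_id} ]]` guard used in the revoked-keys loop should be applied there as well. Both `while read key` loops would also be more robust as `while IFS= read -r key`. populate_keyring begins before the first hunk.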