pacman-key: stricter parsing for -verify

Prevents trust being spoofed by using TRUST_FULLY in the signatory's name
or in an added notation.

Fixes FS#41147.

Signed-off-by: Allan McRae <allan@archlinux.org>
Allan McRae 2014-08-09 16:36:42 +10:00
parent 3e19cd366a
commit 879e4665c4
1 changed files with 1 additions and 1 deletions


@ -482,7 +482,7 @@ verify_sig() {
local ret=0
for sig; do
msg "Checking %s ..." "$sig"
if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$'; then
error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
ret=1
fi
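Review bot: The trailing `$` in the new `grep -qE` pattern only matches a status line that ends immediately after the keyword, while GnuPG's status-line documentation allows optional fields after `TRUST_FULLY`/`TRUST_ULTIMATE` (`[0 [<validation_model>]]`); a gpg that emits them would make every signature fail this check. That fails closed, so it is not a bypass, but it breaks verification; `grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)( |$)'` keeps the line-start anchor that stops the spoofing and tolerates trailing fields. Separately, unless `pipefail` is set elsewhere in the script, the pipeline discards gpg's own exit status, so the verdict rests on this one line alone; a comment such as `# match only gpg's own status line, never user-controlled text (UID, notation)` would keep a later edit from loosening the anchor. The `for` loop and `verify_sig` itself continue outside the hunk.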