This was really only half a fix for FS#28445, as it still doesn't
correctly handle the case of filenames with spaces. In the short term,
there is no obvious fix for this. In the long term, I believe the
correct decision is to rewrite the options parser to be more in line
with GNU getopt_long.
This reverts commits:
ca41427141.
969dcddbdf.
We cannot rely on gpg's exit code. Instead we have to check the status-fd to
figure out whether a signature is valid or not.
In addition to this pacman-key --verify can now be used in scripts as it will
return an exit code of 1 if the signature is invalid.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
User reports indicate that the SKS keyservers are more reliable
than both the gnupg.net and mit.edu ones.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Using -e without arguments failed to export all keys. Using --export
worked as expected.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Verifing the keyring at this point is useless as a malicious package is already
installed and as such has several options to bypass this check anyway.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Modify parse_options logic to fill an array instead of printing parsed
options. Avoid eval like the plague. Because it is the plague.
Fixes bugs such as FS#28445.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Instead of iterating over the revocation keyfile and calling gpg once
for each key, map the file into an array and call gpg once, iterating
over this output to mark each key as revoked.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
This addresses two problems:
1) echo's behavior is inconsistent when dealing with flags, and can
potentially be problematic.
$ echo -n
$ echo -- -n
-- -n
2) Always using the end of options markers prevents translated strings
from throwing errors, as shown in FS#28069.
The remaining "inconsistencies" are because printf is being used in a
guaranteed safe manner, e.g.
printf '%s\n' "$(gettext "--this can never break")"
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Return codes from gpg commands are currently lost. This adds the functionality
of taking non-zero exit statuses from gpg. This includes error reporting for all
gpg commands that are run individually, run in a loop, and run through a pipe.
Includes the check_keyids_exist function which verifies a key exists locally
prior to attempted local manipulation of the key.
If a gpg command has a non-zero status, pacman-key will now exit with a non-zero
status. It will print a gettext error message of gpg's failure.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Adds functions for every gpg command. By pulling out the gpg commands from the
"program start" section, additional commands can be run before or after a
specific gpg command without adding additional clutter to the function call
section.
Adds an explicit exit status of 0 to prevent arithmetic expansions from
returning non-zero, thereby falsely causing pacman-key to have a non-zero exit
status.
This change creates the framework for additional error messages and better
exit statuses being added to every pacman-key gpg call.
Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Be more semantically accurate and avoid accidental overwriting of some
configuration variables that are considered to be constant.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
The default is supposidely 30 seconds from the gpg manpage, but that
sure wasn't what I was seeing- it was somewhere closer to two minutes of
silence. Add a more reasonable 10 second timeout value which should be
good enough for any keyserver that doesn't totally stink at it's job.
Signed-off-by: Dan McGee <dan@archlinux.org>
This allows it to serve double-duty. In order to allow users to base
verification decisions off of both a valid signature and a trusted
signature, we need to assign some level of owner trust to the keys we
designate as trusted on import.
Signed-off-by: Dan McGee <dan@archlinux.org>
* --import now only imports keys from pubkey.gpg and does not import
owner trust; if you want to have both simply run the operations in
sequence.
* --import-trustdb has been simplified; it will overwrite existing
values in the trust database as before, but there is no need to export
it first as those values are safe if left untouched.
* Fix the manpage referring to a non-existent option.
Signed-off-by: Dan McGee <dan@archlinux.org>
We're ill equipped to be using this flag as we don't trap and respond to
the ERR signal. The result is that if is ever tripped, pacman-key will
instantly exit with no indication of why. At the same time, we're
already fairly good about doing our own error checking and verbalizing
it before dying.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
This prevents the error trap being set off when GPGDir is commented
in pacman.conf. Bug introduced in 507b01b9.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Keep the non-zero return val to let the caller know that the key wasn't
found.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
This is similar to the 'foo-revoked' file we had. This will be used to
inform the user what keys in the shipped keyring need to be explicitly
trusted by the user.
A distro such as Arch will likely have 3-4 master keys listed in this
trusted file, but an additional 25 developer keys present in the keyring
that the user shouldn't have to directly sign.
We use this list to prompt the user to sign the keys locally. If the key
is already signed locally gpg will print a bit of junk but will continue
without pestering the user.
Signed-off-by: Dan McGee <dan@archlinux.org>
We're putting the cart ahead of the horse a bit here. Given that our
keyring is not one where everything is implicitly trusted (ala gpgv),
keeping or deleting a key has no bearing on its trusted status, only
whether we can actually verify things signed by said key.
If we need to address this down the road, we can find a solution that
works for the problem at hand rather than trying to solve it now before
signing is even widespread.
Signed-off-by: Dan McGee <dan@archlinux.org>
Unlike our protégé apt-key, removing a key from our keyring is not
sufficient to prevent it from being trusted or used for verification. We
are better off flagging it as disabled and leaving it in the keyring so
it cannot be reimported or fetched at a later date from a keyserver and
continue to be used.
Implement the logic to disable the key instead of delete it, figuring
out --command-fd in the process.
Note that the surefire way to disable a key involves including said key
in the keyring package, such that it is both in foobar.gpg and
foobar-revoked.
Signed-off-by: Dan McGee <dan@archlinux.org>
This finishes the cleanup started in 710e83999b. We can do a straight
import from another keyring rather than all the funky parsing and piping
business we were doing.
Signed-off-by: Dan McGee <dan@archlinux.org>
Otherwise we're hiding extremely relevant bits like this one:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Signed-off-by: Dan McGee <dan@archlinux.org>
* Ensure usage message is indented correctly
* Show short filenames for both the gpg keyring and revocation file
Signed-off-by: Dan McGee <dan@archlinux.org>
This also renames '--receive' to '-recv-keys' to match the wrapped gpg
option name, rather than invent a new one, now that the calling
convention is the same.
Signed-off-by: Dan McGee <dan@archlinux.org>
We were using the mystical [<foobar>] options which is some sort of
cross between a <required> argument and an [optional] one. Remove this
madness and do some other general cleanup/consistency work in the
manpage.
Signed-off-by: Dan McGee <dan@archlinux.org>
This allows local signing of a given key to help establish the web of
trust rooted at the generated (or imported) master key.
Signed-off-by: Dan McGee <dan@archlinux.org>
This enables pacman-key, during --init, to generate a single secret key
for the pacman keyring if one is not present. This will be used as the
root of the web of trust for those that do not wish to manage it with
their own key, as will be the default.
This does not preclude later adding other secret keys to the keyring, or
removing this one- we simply ensure you have at least one secret key
available.
Signed-off-by: Dan McGee <dan@archlinux.org>
Any option that flips UPDATEDB=1 doesn't work right now due to what we
thought was a good idea in commit cab1379a1a. Fix this by not
including the update operation in the option count and special casing
it where necessary.
Also, bring back the helpful "Updating trust database" message.
Signed-off-by: Dan McGee <dan@archlinux.org>
This adds a add_gpg_conf_option() helper function which tries to be
intelligent and only add not found options, and those which have not
been explicitly commented out.
The new options added are 'no-greeting', 'no-permission-warning', and a
default 'keyserver'.
Signed-off-by: Dan McGee <dan@archlinux.org>
* secring.gpg can be 600, readable by root user only
* ensure grep for lock-never option in check_keyring doesn't catch comments
Signed-off-by: Dan McGee <dan@archlinux.org>
The HoldKey option was undocumented and was not suited for pacman.conf.
Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list
of keys not to be removed from the pacman keyring with the --populate
option.
Signed-off-by: Allan McRae <allan@archlinux.org>
After most operations that touch the keyring, it is a good idea to
always run a check on the trustdb as this prevents gpg complaining
on later operations.
Inspiration-from: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>