diff options
| author | Dan McGee <dan@archlinux.org> | 2011-09-22 00:51:02 +0200 |
|---|---|---|
| committer | Dan McGee <dan@archlinux.org> | 2011-09-22 18:15:45 +0200 |
| commit | 1df9b2aa79c5017d394e26619449ab0a49c65c16 (patch) | |
| tree | fb5874fe81ee81032396a7ac6b4bd885f3c824a5 | |
| parent | 067721cbff9652d5c436d277f9be3f8fa2a71796 (diff) | |
| download | pacman-1df9b2aa79c5017d394e26619449ab0a49c65c16.tar.gz pacman-1df9b2aa79c5017d394e26619449ab0a49c65c16.tar.xz | |
pacman-key: add an additional plain text 'foo-trusted' file
This is similar to the 'foo-revoked' file we had. This will be used to
inform the user what keys in the shipped keyring need to be explicitly
trusted by the user.
A distro such as Arch will likely have 3-4 master keys listed in this
trusted file, but an additional 25 developer keys present in the keyring
that the user shouldn't have to directly sign.
We use this list to prompt the user to sign the keys locally. If the key
is already signed locally gpg will print a bit of junk but will continue
without pestering the user.
Signed-off-by: Dan McGee <dan@archlinux.org>
| -rw-r--r-- | doc/pacman-key.8.txt | 29 | ||||
| -rw-r--r-- | scripts/pacman-key.sh.in | 29 |
2 files changed, 47 insertions, 11 deletions
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 225b352f..103a1fdd 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -110,18 +110,27 @@ Options Providing a Keyring for Import ------------------------------ -A distribution or other repository provided may want to provide a set of valid +A distribution or other repository provided may want to provide a set of PGP keys used in the signing of its packages and repository databases that can -be readily imported into the pacman keyring. This is achieved by providing a +be readily imported into the pacman keyring. This is achieved by providing a PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the -directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be -provided containing a list of revoked key IDs for that keyring. These files are -required to be signed (detached) by a trusted PGP key that the user must -manually import to the pacman keyring. This prevents a potentially malicious -repository adding keys to the pacman keyring without the users knowledge. - -A key being marked as revoked always takes priority over the key being added to -the pacman keyring, regardless of the keyring it is provided in. +directory +{pkgdatadir}/keyrings+. + +Optionally, the file `foo-trusted` can be provided containing a list of trusted +key IDs for that keyring. This file will inform the user which keys a user +needs to verify and sign to build a local web of trust. + +Also optionally, the file `foo-revoked` can be provided containing a list of +revoked key IDs for that keyring. Revoked is defined as "no longer valid for +any signing", so should be used with prudence. A key being marked as revoked +will be disabled in the keyring and no longer treated as valid, so this always +takes priority over it's trusted state in any other keyring. + +All files are required to be signed (detached) by a trusted PGP key that the +user must manually import to the pacman keyring. This prevents a potentially +malicious repository adding keys to the pacman keyring without the users +knowledge. + See Also -------- diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index cb76a403..d0f338f6 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -219,6 +219,11 @@ verify_keyring_input() { keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg" validate_with_gpg "${keyfile}" || ret=1 + keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted" + if [[ -f "${keyfile}" ]]; then + validate_with_gpg "${keyfile}" || ret=1 + fi + keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked" if [[ -f "${keyfile}" ]]; then validate_with_gpg "${keyfile}" || ret=1 @@ -270,9 +275,31 @@ populate_keyring() { "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" done - # Read the revoked key IDs to an array. The conversion from whatever is inside the file + # Read the trusted key IDs to an array. The conversion from whatever is inside the file # to key ids is important, because key ids are the only guarantee of identification # for the keys. + local -A trusted_ids + for keyring in "${KEYRINGIDS[@]}"; do + if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then + while read key; do + key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)" + if [[ -n ${key_id} ]]; then + # Mark this key to be lsigned + trusted_ids[$key_id]="${keyring}" + fi + done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + fi + done + + if (( ${#trusted_ids[@]} > 0 )); then + msg "$(gettext "Locally signing trusted keys in keyring...")" + for key_id in "${!trusted_ids[@]}"; do + msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}" + done + fi + + # Read the revoked key IDs to an array. local -A revoked_ids for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then |