diff options
author | Jonas Witschel <diabonas@archlinux.org> | 2019-10-02 16:40:55 +0200 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2019-10-07 03:21:46 +0200 |
commit | 48752f1b4b16cd1dad56649cd36b253494aa9ff1 (patch) | |
tree | 6f72496dedf13637633069fb9636f5ee13022032 /scripts/libmakepkg/executable/checksum.sh.in | |
parent | 80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638 (diff) | |
download | pacman-48752f1b4b16cd1dad56649cd36b253494aa9ff1.tar.gz pacman-48752f1b4b16cd1dad56649cd36b253494aa9ff1.tar.xz |
signing: add ability to import keys using a WKD
Currently pacman relies on the SKS keyserver network to fetch unknown
PGP keys. These keyservers are vulnerable to signature spamming attacks,
potentionally making it impossible to import the required keys. An
alternative to keyservers is a so-called Web Key Directory (WKD), a
well-known, trusted location on a server from where the keys can be
fetched.
This commit adds the ability to retrieve keys from a WKD. Due to the
mentioned vulnerabilities, the WKD is tried first, falling back to the
keyservers only if no appropriate key is found there.
In contrast to keyservers, keys in a WKD are not looked up using their
fingerprint, but by email address. Since the email address of the
signing key is usually not included in the signature, we will use the
packager email address to perform the lookup.
Also see FS#63171.
Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts/libmakepkg/executable/checksum.sh.in')
0 files changed, 0 insertions, 0 deletions