path: root/scripts/libmakepkg/executable/checksum.sh.in
author: Jonas Witschel <diabonas@archlinux.org> 2019-10-02 16:40:55 +0200
committer: Allan McRae <allan@archlinux.org> 2019-10-07 03:21:46 +0200
commit: 48752f1b4b16cd1dad56649cd36b253494aa9ff1
tree: 6f72496dedf13637633069fb9636f5ee13022032 /scripts/libmakepkg/executable/checksum.sh.in
parent: 80e2e1c7c9f2cc2795f497f2101b0aeb7b7e8638
signing: add ability to import keys using a WKD
Currently pacman relies on the SKS keyserver network to fetch unknown PGP keys. These keyservers are vulnerable to signature spamming attacks, potentially making it impossible to import the required keys. An alternative to keyservers is a so-called Web Key Directory (WKD), a well-known, trusted location on a server from where the keys can be fetched. This commit adds the ability to retrieve keys from a WKD. Due to the mentioned vulnerabilities, the WKD is tried first, falling back to the keyservers only if no appropriate key is found there.

In contrast to keyservers, keys in a WKD are not looked up using their fingerprint, but by email address. Since the email address of the signing key is usually not included in the signature, we will use the packager email address to perform the lookup.

Also see FS#63171.

Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts/libmakepkg/executable/checksum.sh.in')
0 files changed, 0 insertions, 0 deletions
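
The commit message notes that a WKD lookup is keyed on an email address rather than a fingerprint. The sketch below is an added example, not code from this commit or from pacman. It derives the two well-known URLs a WKD client would query for a packager identity, using the URL layout from the OpenPGP Web Key Directory Internet-Draft. The names `zbase32_sha1` and `wkd_urls` are hypothetical, and the sample identity is constructed.

```python
import hashlib
from email.utils import parseaddr
from urllib.parse import quote

# z-base-32 alphabet used by WKD to encode the hashed local part.
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_sha1(data: bytes) -> str:
    """SHA-1 the input and encode the 160-bit digest as 32 z-base-32 chars."""
    n = int.from_bytes(hashlib.sha1(data).digest(), "big")
    # 160 bits split into 32 groups of 5 bits, most significant group first.
    return "".join(ZBASE32[(n >> shift) & 0x1F] for shift in range(155, -1, -5))


def wkd_urls(identity: str) -> dict:
    """Map 'Name <user@domain>' (or a bare address) to its WKD lookup URLs.

    Layout per the WKD Internet-Draft (an assumption of this example, not
    taken from the commit): the local part is lowercased before hashing,
    the domain is lowercased, and the original local part goes in '?l='.
    """
    _, addr = parseaddr(identity)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        # No usable email address means no WKD lookup is possible; a caller
        # would have to fall back to a fingerprint lookup on a keyserver.
        raise ValueError(f"no email address in {identity!r}")
    domain = domain.lower()
    hashed = zbase32_sha1(local.lower().encode("utf-8"))
    query = "?l=" + quote(local, safe="")
    return {
        # "Advanced" method: dedicated openpgpkey subdomain, tried first.
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
                    f"{domain}/hu/{hashed}{query}",
        # "Direct" method: served from the mail domain itself.
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{hashed}{query}",
    }


if __name__ == "__main__":
    # Constructed sample identity in the "Name <email>" packager format.
    for method, url in wkd_urls("Joe Doe <Joe.Doe@Example.ORG>").items():
        print(f"{method}: {url}")
```

Because the key is fetched over HTTPS from the domain in the address, the result is only as trustworthy as that domain's web server and TLS configuration, so the fetched key's fingerprint should still be compared against the one in the signature.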