summaryrefslogtreecommitdiffstats
path: root/scripts/pacman-key.sh.in
diff options
context:
space:
mode:
authorAllan McRae <allan@archlinux.org>2014-08-09 08:36:42 +0200
committerAllan McRae <allan@archlinux.org>2014-08-09 09:29:08 +0200
commit879e4665c4ed76376c9e2d9f2c597bb9cdabb79a (patch)
treec9ba61a815a79ecbd737c9a74046cb2e79be8d37 /scripts/pacman-key.sh.in
parent3e19cd366add23390ce4d0c9531b2c07e009a217 (diff)
downloadpacman-879e4665c4ed76376c9e2d9f2c597bb9cdabb79a.tar.gz
pacman-879e4665c4ed76376c9e2d9f2c597bb9cdabb79a.tar.xz
pacman-key: stricter parsing for -verify
Prevents trust being spoofed by using TRUST_FULLY in the signatory's name or in an added notation. Fixes FS#41147. Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts/pacman-key.sh.in')
-rw-r--r--scripts/pacman-key.sh.in2
1 files changed, 1 insertions, 1 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 82340f9f..ba8d02e8 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -482,7 +482,7 @@ verify_sig() {
local ret=0
for sig; do
msg "Checking %s ..." "$sig"
- if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
+ if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$'; then
error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
ret=1
fi