summaryrefslogtreecommitdiffstats
path: root/scripts
diff options
context:
space:
mode:
authorDave Reisner <dreisner@archlinux.org>2014-09-25 19:29:13 +0200
committerAllan McRae <allan@archlinux.org>2014-09-30 06:00:43 +0200
commit50296576d006d433fbfd4a6c57d5f95a942f7833 (patch)
treea5957f895e67d316a4558849a44994d0b45d41f5 /scripts
parent60c1f2857bad53deed4a8849c1d733dc7d526379 (diff)
downloadpacman-50296576d006d433fbfd4a6c57d5f95a942f7833.tar.gz
pacman-50296576d006d433fbfd4a6c57d5f95a942f7833.tar.xz
makepkg: allow less than the full fingerprint in validpgpkeys
I found this feature confusing, and the documentation wasn't any help. It was pointed out to me on IRC that validpgpkeys expects full fingerprints, and won't accept shorter forms. This makes the documentation insufficient, and the variable name itself misleading. This patch bolsters the documentation to explain more about what the contents should be, and implements suffix matching to allow matching on shorters fingerprint suffices. Now, when makepkg tells you that a key ID isn't valid, it's sufficient to manually check the key ID against the known good ID, and add it as is to validpgpkeys. Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts')
-rw-r--r--scripts/makepkg.sh.in21
1 files changed, 20 insertions, 1 deletions
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index f9494037..9d3ba2cd 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1410,6 +1410,25 @@ parse_gpg_statusfile() {
done < "$1"
}
+is_known_valid_pgp_key() {
+ local fprint subject=$1 validfprints=("${@:2}")
+
+ for fprint in "${validfprints[@]}"; do
+ # we always honor full fingerprint matches
+ if [[ "$subject" = "$fprint" ]]; then
+ return 0
+ fi
+
+ # we'll also honor a suffix match, assuming that the fprint is long enough
+ # to be worthy.
+ if (( ${#fprint} >= 16 )) && [[ $subject = *"$fprint" ]]; then
+ return 0
+ fi
+ done
+
+ return 1
+}
+
check_pgpsigs() {
(( SKIPPGPCHECK )) && return 0
! source_has_signatures && return 0
@@ -1496,7 +1515,7 @@ check_pgpsigs() {
if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then
printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2
errors=1
- elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then
+ elif ! is_known_valid_pgp_key "$fingerprint" "${validpgpkeys[@]}"; then
printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")"
errors=1
else