summaryrefslogtreecommitdiffstats
path: root/scripts/pacman-key.sh.in
diff options
context:
space:
mode:
Diffstat (limited to 'scripts/pacman-key.sh.in')
-rw-r--r--scripts/pacman-key.sh.in259
1 files changed, 155 insertions, 104 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 948c8d52..e5b60214 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -24,7 +24,7 @@
export TEXTDOMAIN='pacman-scripts'
export TEXTDOMAINDIR='@localedir@'
-myver="@PACKAGE_VERSION@"
+declare -r myver="@PACKAGE_VERSION@"
# Options
ADD=0
@@ -49,40 +49,43 @@ DEFAULT_KEYSERVER='hkp://pool.sks-keyservers.net'
m4_include(library/output_format.sh)
-m4_include(library/parse_options.sh)
+m4_include(library/parseopts.sh)
usage() {
printf "pacman-key (pacman) %s\n" ${myver}
echo
- printf -- "$(gettext "Usage: %s [options]")\n" $(basename $0)
+ printf -- "$(gettext "Usage: %s [options] operation [targets]")\n" $(basename $0)
echo
printf -- "$(gettext "Manage pacman's list of trusted keys")\n"
echo
- printf -- "$(gettext "Options:")\n"
- printf -- "$(gettext " -a, --add [file(s)] Add the specified keys (empty for stdin)")\n"
- printf -- "$(gettext " -d, --delete <keyid(s)> Remove the specified keyids")\n"
- printf -- "$(gettext " -e, --export [keyid(s)] Export the specified or all keyids")\n"
- printf -- "$(gettext " -f, --finger [keyid(s)] List fingerprint for specified or all keyids")\n"
- printf -- "$(gettext " -h, --help Show this help message and exit")\n"
- printf -- "$(gettext " -l, --list-keys [keyid(s)] List the specified or all keys")\n"
- printf -- "$(gettext " -r, --recv-keys <keyid(s)> Fetch the specified keyids")\n"
+ printf -- "$(gettext "Operations:")\n"
+ printf -- "$(gettext " -a, --add Add the specified keys (empty for stdin)")\n"
+ printf -- "$(gettext " -d, --delete Remove the specified keyids")\n"
+ printf -- "$(gettext " -e, --export Export the specified or all keyids")\n"
+ printf -- "$(gettext " -f, --finger List fingerprint for specified or all keyids")\n"
+ printf -- "$(gettext " -l, --list-keys List the specified or all keys")\n"
+ printf -- "$(gettext " -r, --recv-keys Fetch the specified keyids")\n"
printf -- "$(gettext " -u, --updatedb Update the trustdb of pacman")\n"
- printf -- "$(gettext " -v, --verify <signature> Verify the file specified by the signature")\n"
- printf -- "$(gettext " -V, --version Show program version")\n"
+ printf -- "$(gettext " -v, --verify Verify the file(s) specified by the signature(s)")\n"
+ printf -- "$(gettext " --edit-key Present a menu for key management task on keyids")\n"
+ printf -- "$(gettext " --import Imports pubring.gpg from dir(s)")\n"
+ printf -- "$(gettext " --import-trustdb Imports ownertrust values from trustdb.gpg in dir(s)")\n"
+ printf -- "$(gettext " --init Ensure the keyring is properly initialized")\n"
+ printf -- "$(gettext " --list-sigs List keys and their signatures")\n"
+ printf -- "$(gettext " --lsign-key Locally sign the specified keyid")\n"
+ printf -- "$(gettext " --populate Reload the default keys from the (given) keyrings\n\
+ in '%s'")\n" "@pkgdatadir@/keyrings"
+ printf -- "$(gettext " --refresh-keys Update specified or all keys from a keyserver")\n"
+ echo
+ printf -- "$(gettext "Options:")\n"
printf -- "$(gettext " --config <file> Use an alternate config file (instead of\n\
'%s')")\n" "@sysconfdir@/pacman.conf"
- printf -- "$(gettext " --edit-key <keyid(s)> Present a menu for key management task on keyids")\n"
printf -- "$(gettext " --gpgdir <dir> Set an alternate directory for GnuPG (instead\n\
of '%s')")\n" "@sysconfdir@/pacman.d/gnupg"
- printf -- "$(gettext " --import <dir(s)> Imports pubring.gpg from dir(s)")\n"
- printf -- "$(gettext " --import-trustdb <dir(s)> Imports ownertrust values from trustdb.gpg in dir(s)")\n"
- printf -- "$(gettext " --init Ensure the keyring is properly initialized")\n"
- printf -- "$(gettext " --keyserver Specify a keyserver to use if necessary")\n"
- printf -- "$(gettext " --list-sigs [keyid(s)] List keys and their signatures")\n"
- printf -- "$(gettext " --lsign-key <keyid> Locally sign the specified keyid")\n"
- printf -- "$(gettext " --populate [keyring(s)] Reload the default keys from the (given) keyrings\n\
- in '%s'")\n" "@pkgdatadir@/keyrings"
- printf -- "$(gettext " --refresh-keys [keyid(s)] Update specified or all keys from a keyserver")\n"
+ printf -- "$(gettext " --keyserver <server-url> Specify a keyserver to use if necessary")\n"
+ echo
+ printf -- "$(gettext " -h, --help Show this help message and exit")\n"
+ printf -- "$(gettext " -V, --version Show program version")\n"
}
version() {
@@ -113,6 +116,30 @@ get_from() {
return 1
}
+key_lookup_from_name() {
+ local ids
+
+ mapfile -t ids < \
+ <("${GPG_PACMAN[@]}" --search-keys --batch --with-colons "$1" 2>/dev/null |
+ awk -F: '$1 == "pub" { print $2 }')
+
+ # only return success on non-ambiguous lookup
+ case ${#ids[*]} in
+ 0)
+ error "$(gettext "Failed to lookup key by name:") %s" "$name"
+ return 1
+ ;;
+ 1)
+ printf '%s' "${ids[0]}"
+ return 0
+ ;;
+ *)
+ error "$(gettext "Key name is ambiguous:") %s" "$name"
+ return 1
+ ;;
+ esac
+}
+
generate_master_key() {
# Generate the master key, which will be in both pubring and secring
"${GPG_PACMAN[@]}" --gen-key --batch <<EOF
@@ -146,7 +173,7 @@ add_gpg_conf_option() {
check_keyids_exist() {
local ret=0
- for key in "${KEYIDS[@]}"; do
+ for key in "$@"; do
# Verify if the key exists in pacman's keyring
if ! "${GPG_PACMAN[@]}" --list-keys "$key" &>/dev/null ; then
error "$(gettext "The key identified by %s could not be found locally.")" "$key"
@@ -217,16 +244,16 @@ check_keyring() {
populate_keyring() {
local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
- local keyring
+ local keyring KEYRINGIDS=("$@")
local ret=0
- if [[ -z ${KEYRINGIDS[@]} ]]; then
+ if (( ${#KEYRINGIDS[*]} == 0 )); then
# get list of all available keyrings
shopt -s nullglob
KEYRINGIDS=("$KEYRING_IMPORT_DIR"/*.gpg)
shopt -u nullglob
KEYRINGIDS=("${KEYRINGIDS[@]##*/}")
KEYRINGIDS=("${KEYRINGIDS[@]%.gpg}")
- if [[ -z ${KEYRINGIDS[@]} ]]; then
+ if (( ${#KEYRINGIDS[*]} == 0 )); then
error "$(gettext "No keyring files exist in %s.")" "$KEYRING_IMPORT_DIR"
ret=1
fi
@@ -245,8 +272,7 @@ populate_keyring() {
fi
# Variable used for iterating on keyrings
- local key
- local key_id
+ local keys key_id
# Add keys from requested keyrings
for keyring in "${KEYRINGIDS[@]}"; do
@@ -262,14 +288,12 @@ populate_keyring() {
local -A trusted_ids
for keyring in "${KEYRINGIDS[@]}"; do
if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
- while read key; do
- # skip comments; these are valid in this file
- [[ $key = \#* ]] && continue
- key_id="${key%%:*}"
- if [[ -n ${key_id} ]]; then
- # Mark this key to be lsigned
- trusted_ids[$key_id]="${keyring}"
- fi
+ while IFS=: read key_id _; do
+ # skip blank lines, comments; these are valid in this file
+ [[ -z $key_id || ${key_id:0:1} = \# ]] && continue
+
+ # Mark this key to be lsigned
+ trusted_ids[$key_id]=$keyring
done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
fi
done
@@ -278,7 +302,7 @@ populate_keyring() {
msg "$(gettext "Locally signing trusted keys in keyring...")"
for key_id in "${!trusted_ids[@]}"; do
msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
- "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}"
+ lsign_keys "${key_id}"
done
msg "$(gettext "Importing owner trust values...")"
for keyring in "${KEYRINGIDS[@]}"; do
@@ -294,13 +318,13 @@ populate_keyring() {
local -A revoked_ids
for keyring in "${KEYRINGIDS[@]}"; do
if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
- while read key; do
- key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
- if [[ -n ${key_id} ]]; then
+ mapfile -t keys < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
+ while IFS=: read _ _ _ _ key_id _; do
+ if [[ -n $key_id ]]; then
# Mark this key to be disabled
revoked_ids[$key_id]="${keyring}"
fi
- done < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
+ done < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-keys "${keys[@]}" 2>/dev/null)
fi
done
@@ -314,24 +338,24 @@ populate_keyring() {
}
add_keys() {
- if ! "${GPG_PACMAN[@]}" --quiet --batch --import "${KEYFILES[@]}" ; then
+ if ! "${GPG_PACMAN[@]}" --quiet --batch --import "$@" ; then
error "$(gettext "A specified keyfile could not be added to the keyring.")"
exit 1
fi
}
delete_keys() {
- check_keyids_exist
- if ! "${GPG_PACMAN[@]}" --quiet --batch --delete-key --yes "${KEYIDS[@]}" ; then
+ check_keyids_exist "$@"
+ if ! "${GPG_PACMAN[@]}" --quiet --batch --delete-key --yes "$@" ; then
error "$(gettext "A specified key could not be removed from the keyring.")"
exit 1
fi
}
edit_keys() {
- check_keyids_exist
+ check_keyids_exist "$@"
local ret=0
- for key in "${KEYIDS[@]}"; do
+ for key in "$@"; do
if ! "${GPG_PACMAN[@]}" --edit-key "$key" ; then
error "$(gettext "The key identified by %s could not be edited.")" "$key"
ret=1
@@ -343,8 +367,8 @@ edit_keys() {
}
export_keys() {
- check_keyids_exist
- if ! "${GPG_PACMAN[@]}" --armor --export "${KEYIDS[@]}" ; then
+ check_keyids_exist "$@"
+ if ! "${GPG_PACMAN[@]}" --armor --export "$@" ; then
error "$(gettext "A specified key could not be exported from the keyring.")"
exit 1
fi
@@ -352,7 +376,7 @@ export_keys() {
finger_keys() {
check_keyids_exist
- if ! "${GPG_PACMAN[@]}" --batch --fingerprint "${KEYIDS[@]}" ; then
+ if ! "${GPG_PACMAN[@]}" --batch --fingerprint "$@" ; then
error "$(gettext "The fingerprint of a specified key could not be determined.")"
exit 1
fi
@@ -361,7 +385,7 @@ finger_keys() {
import_trustdb() {
local importdir
local ret=0
- for importdir in "${IMPORT_DIRS[@]}"; do
+ for importdir in "$@"; do
if [[ -f "${importdir}/trustdb.gpg" ]]; then
gpg --homedir "${importdir}" --export-ownertrust | \
"${GPG_PACMAN[@]}" --import-ownertrust -
@@ -382,7 +406,7 @@ import_trustdb() {
import() {
local importdir
local ret=0
- for importdir in "${IMPORT_DIRS[@]}"; do
+ for importdir in "$@"; do
if [[ -f "${importdir}/pubring.gpg" ]]; then
if ! "${GPG_PACMAN[@]}" --quiet --batch --import "${importdir}/pubring.gpg" ; then
error "$(gettext "%s could not be imported.")" "${importdir}/pubring.gpg"
@@ -400,7 +424,7 @@ import() {
list_keys() {
check_keyids_exist
- if ! "${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}" ; then
+ if ! "${GPG_PACMAN[@]}" --batch --list-keys "$@" ; then
error "$(gettext "A specified key could not be listed.")"
exit 1
fi
@@ -408,7 +432,7 @@ list_keys() {
list_sigs() {
check_keyids_exist
- if ! "${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}" ; then
+ if ! "${GPG_PACMAN[@]}" --batch --list-sigs "$@" ; then
error "$(gettext "A specified signature could not be listed.")"
exit 1
fi
@@ -416,7 +440,8 @@ list_sigs() {
lsign_keys() {
check_keyids_exist
- printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${KEYIDS[@]}" 2>/dev/null
+ # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid
+ printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "$@" 2>/dev/null
if (( PIPESTATUS[1] )); then
error "$(gettext "A specified key could not be locally signed.")"
exit 1
@@ -424,25 +449,45 @@ lsign_keys() {
}
receive_keys() {
- if ! "${GPG_PACMAN[@]}" --recv-keys "${KEYIDS[@]}" ; then
+ local name id keyids
+
+ # if the key is not a hex ID, do a lookup
+ for name; do
+ if [[ $name = ?(0x)+([0-9a-fA-F]) ]]; then
+ keyids+=("$name")
+ else
+ if id=$(key_lookup_from_name "$name"); then
+ keyids+=("$id")
+ fi
+ fi
+ done
+
+ (( ${#keyids[*]} > 0 )) || exit 1
+
+ if ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
error "$(gettext "Remote key not fetched correctly from keyserver.")"
exit 1
fi
}
refresh_keys() {
- check_keyids_exist
- if ! "${GPG_PACMAN[@]}" --refresh-keys "${KEYIDS[@]}" ; then
+ check_keyids_exist "$@"
+ if ! "${GPG_PACMAN[@]}" --refresh-keys "$@" ; then
error "$(gettext "A specified local key could not be updated from a keyserver.")"
exit 1
fi
}
verify_sig() {
- if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify $SIGNATURE | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
- error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE"
- exit 1
- fi
+ local ret=0
+ for sig; do
+ msg "Checking %s ..." "$sig"
+ if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
+ error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
+ ret=1
+ fi
+ done
+ exit $ret
}
updatedb() {
@@ -460,56 +505,55 @@ if ! type gettext &>/dev/null; then
}
fi
-OPT_SHORT="a::d:e::f::hl::r:uv:V"
-OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
-OPT_LONG+=",help,import:,import-trustdb:,init,keyserver:,list-keys::,list-sigs::"
-OPT_LONG+=",lsign-key:,populate::,recv-keys:,refresh-keys::,updatedb"
-OPT_LONG+=",verify:,version"
-if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
- echo; usage; exit 1 # E_INVALID_OPTION;
+OPT_SHORT="adefhlruvV"
+OPT_LONG=('add' 'config:' 'delete' 'edit-key' 'export' 'finger' 'gpgdir:'
+ 'help' 'import' 'import-trustdb' 'init' 'keyserver:' 'list-keys' 'list-sigs'
+ 'lsign-key' 'populate' 'recv-keys' 'refresh-keys' 'updatedb'
+ 'verify' 'version')
+if ! parseopts "$OPT_SHORT" "${OPT_LONG[@]}" -- "$@"; then
+ exit 1 # E_INVALID_OPTION;
fi
-eval set -- "$OPT_TEMP"
-unset OPT_SHORT OPT_LONG OPT_TEMP
+set -- "${OPTRET[@]}"
+unset OPT_SHORT OPT_LONG OPTRET
if [[ $1 == "--" ]]; then
usage;
exit 0;
fi
-while true; do
- case "$1" in
- -a|--add) ADD=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYFILES=($1); UPDATEDB=1 ;;
+while (( $# )); do
+ case $1 in
+ -a|--add) ADD=1 UPDATEDB=1 ;;
--config) shift; CONFIG=$1 ;;
- -d|--delete) DELETE=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
- --edit-key) EDITKEY=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
- -e|--export) EXPORT=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
- -f|--finger) FINGER=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
+ -d|--delete) DELETE=1 UPDATEDB=1 ;;
+ --edit-key) EDITKEY=1 UPDATEDB=1 ;;
+ -e|--export) EXPORT=1 ;;
+ -f|--finger) FINGER=1 ;;
--gpgdir) shift; PACMAN_KEYRING_DIR=$1 ;;
- --import) IMPORT=1; shift; IMPORT_DIRS=($1); UPDATEDB=1 ;;
- --import-trustdb) IMPORT_TRUSTDB=1; shift; IMPORT_DIRS=($1); UPDATEDB=1 ;;
+ --import) IMPORT=1 UPDATEDB=1 ;;
+ --import-trustdb) IMPORT_TRUSTDB=1 UPDATEDB=1 ;;
--init) INIT=1 ;;
--keyserver) shift; KEYSERVER=$1 ;;
- -l|--list-keys) LISTKEYS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
- --list-sigs) LISTSIGS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
- --lsign-key) LSIGNKEY=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
- --populate) POPULATE=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYRINGIDS=($1); UPDATEDB=1 ;;
- -r|--recv-keys) RECEIVE=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
- --refresh-keys) REFRESH=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
+ -l|--list-keys) LISTKEYS=1 ;;
+ --list-sigs) LISTSIGS=1 ;;
+ --lsign-key) LSIGNKEY=1 UPDATEDB=1 ;;
+ --populate) POPULATE=1 UPDATEDB=1 ;;
+ -r|--recv-keys) RECEIVE=1 UPDATEDB=1 ;;
+ --refresh-keys) REFRESH=1 ;;
-u|--updatedb) UPDATEDB=1 ;;
- -v|--verify) VERIFY=1; shift; SIGNATURE=$1 ;;
+ -v|--verify) VERIFY=1 ;;
-h|--help) usage; exit 0 ;;
-V|--version) version; exit 0 ;;
- --) OPT_IND=0; shift; break;;
- *) usage; exit 1 ;;
+ --) shift; break 2 ;;
esac
shift
done
if ! type -p gpg >/dev/null; then
- error "$(gettext "Cannot find the %s binary required for all %s operations.")" "gpg" "pacman-key"
+ error "$(gettext "Cannot find the %s binary required for all %s operations.")" "gpg" "pacman-key"
exit 1
fi
@@ -552,23 +596,30 @@ case $numopt in
;;
esac
+# check for targets where needed
+if (( (ADD || DELETE || EDIT || IMPORT || IMPORT_TRUSTDB ||
+ LSIGNKEY || RECEIVE || VERIFY) && $# == 0 )); then
+ error "$(gettext "No targets specified")"
+ exit 1
+fi
+
(( ! INIT )) && check_keyring
-(( ADD )) && add_keys
-(( DELETE )) && delete_keys
-(( EDITKEY )) && edit_keys
-(( EXPORT )) && export_keys
-(( FINGER )) && finger_keys
-(( IMPORT )) && import
-(( IMPORT_TRUSTDB)) && import_trustdb
+(( ADD )) && add_keys "$@"
+(( DELETE )) && delete_keys "$@"
+(( EDITKEY )) && edit_keys "$@"
+(( EXPORT )) && export_keys "$@"
+(( FINGER )) && finger_keys "$@"
+(( IMPORT )) && import "$@"
+(( IMPORT_TRUSTDB)) && import_trustdb "$@"
(( INIT )) && initialize
-(( LISTKEYS )) && list_keys
-(( LISTSIGS )) && list_sigs
-(( LSIGNKEY )) && lsign_keys
-(( POPULATE )) && populate_keyring
-(( RECEIVE )) && receive_keys
-(( REFRESH )) && refresh_keys
-(( VERIFY )) && verify_sig
+(( LISTKEYS )) && list_keys "$@"
+(( LISTSIGS )) && list_sigs "$@"
+(( LSIGNKEY )) && lsign_keys "$@"
+(( POPULATE )) && populate_keyring "$@"
+(( RECEIVE )) && receive_keys "$@"
+(( REFRESH )) && refresh_keys "$@"
+(( VERIFY )) && verify_sig "$@"
(( UPDATEDB )) && updatedb