From 091b244d0ffa281ba9968606184d709e59c2a2d5 Mon Sep 17 00:00:00 2001 From: Matthew Sexton Date: Mon, 4 Nov 2019 22:30:06 -0500 Subject: pacman-key: ignore already lsigned/deleted keys Added two new functions, key_is_lsigned() and key_is_revoked() that check whether a key has been locally signed or revoked respectively during --populate. If the key is already signed or revoked, it is quietly ignored. Suggested-by: Eli Schwartz Signed-off-by: Matthew Sexton Signed-off-by: Allan McRae
---
 scripts/pacman-key.sh.in | 41 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 3627a805..366fd205 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -190,6 +190,31 @@ check_keyids_exist() {
 fi
 }
 
+key_is_lsigned() {
+ secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | awk -F : 'NR==1 {print $5}')
+ while IFS=: read -r type valid _ _ sign_key _; do
+ if [[ $type != "sig" || $valid != "!" ]]; then
+ continue
+ fi
+ if [[ "$sign_key" == "$secret_key" ]]; then
+ return 0
+ fi
+ done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1")
+ return 1
+}
+
+key_is_revoked() {
+ while IFS=: read -r type _ _ _ _ _ _ _ _ _ _ flags _; do
+ if [[ $type != "pub" ]]; then
+ continue
+ fi
+ if [[ $flags == *"D"* ]]; then
+ return 0
+ fi
+ done < <("${GPG_PACMAN[@]}" --with-colons --list-key "$1")
+ return 1
+}
+
 initialize() {
 local conffile keyserv
 # Check for simple existence rather than for a directory as someone
@@ -247,7 +272,7 @@ check_keyring() {
 fi
 fi
 
-if (( LSIGNKEY )); then
+if (( LSIGNKEY || POPULATE )); then
 if [[ $(secret_keys_available) -lt 1 ]]; then
 error "$(gettext "There is no secret key available to sign with.")"
 msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init"
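Review bot: `key_is_revoked` does not test revocation: field 12 of the `pub` record that it reads is the key-capabilities field, where `D` marks a *disabled* key, while revocation is reported in validity field 2 as `r`, so the name promises more than the check proves and a future caller expecting a revocation test will be misled. Renaming it `key_is_disabled`, or at least putting `# field 12 of a "pub" record is the capability list; 'D' means the key was disabled (which is what --populate does to revoked keys). Revocation itself is validity field 2 == "r" and is not checked here.` above the loop, makes that explicit. In `key_is_lsigned`, `secret_key`, `type`, `valid` and `sign_key` are assigned without `local` and therefore leak into the caller's scope (the sibling has the same issue with `type` and `flags`); `local secret_key type valid sign_key` at the top fixes it. The `awk -F : 'NR==1 {print $5}'` selection also relies on the first `--list-secret-key` record being the `sec` line; `awk -F : '$1 == "sec" { print $5; exit }'` keys on the record type instead and stops after the first match.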
@@ -337,13 +362,18 @@ populate_keyring() {
 local key_count=0
 msg "$(gettext "Disabling revoked keys in keyring...")"
 for key_id in "${!revoked_ids[@]}"; do
+ if key_is_revoked "$key_id" ; then
+ continue
+ fi
 if (( VERBOSE )); then
 msg2 "$(gettext "Disabling key %s...")" "${key_id}"
 fi
 printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null
 key_count=$((key_count+1))
 done
- msg2 "$(gettext "Disabled %s keys.")" "${key_count}"
+ if (( key_count )); then
+ msg2 "$(gettext "Disabled %s keys.")" "${key_count}"
+ fi
 fi
 }
 
@@ -454,6 +484,9 @@ lsign_keys() {
 local ret=0
 local key_count=0
 for key_id in "$@"; do
+ if key_is_lsigned "$key_id" ; then
+ continue
+ fi
 if (( VERBOSE )); then
 msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
 fi
@@ -469,7 +502,9 @@ lsign_keys() {
 if (( ret )); then
 exit 1
 fi
- msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
+ if (( key_count )); then
+ msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
+ fi
 }
 
 receive_keys() {
-- cgit v1.2.3-24-g4f1b
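Review bot: `key_is_revoked "$key_id"` runs `gpg --list-key` with stderr still attached to the terminal, while the `--edit-key` call a few lines below deliberately discards it with `2>/dev/null`; if an id from the revoked list is not actually present in the keyring, gpg's error for the missing key will now reach the user before the edit fails quietly as it did before. Adding `2>/dev/null` to the process substitution in `key_is_revoked` (and likewise to the `--check-signatures` call in `key_is_lsigned`) keeps this loop as quiet as the commit message promises. With the skip in place, the "Disabling revoked keys in keyring..." header is still printed when every key is skipped and `key_count` stays 0, which reads oddly next to the now-suppressed count line; printing the header only when something was disabled, or a `VERBOSE`-only `msg2` for skipped keys, would make the output consistent. The enclosing `populate_keyring` begins before this hunk.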
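Review bot: `key_is_lsigned "$key_id"` re-discovers the local secret key id with a fresh `gpg --with-colons --list-secret-key | awk` pipeline on every iteration of this loop, although that value is constant for the whole run, so for a large keyring the change roughly doubles the number of gpg processes spawned. Look it up once before the loop, e.g. `local lsign_key; lsign_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | awk -F : '$1 == "sec" {print $5; exit}')`, and let `key_is_lsigned` take it as an optional second argument or read that variable when it is set. Skipped keys are not counted in `key_count`, which is consistent with the guarded summary later, but nothing is traced for them even under `VERBOSE`; a `msg2 "$(gettext "Key %s is already locally signed.")" "${key_id}"` inside the new `if` would help when diagnosing a populate run. The enclosing `lsign_keys` begins before this hunk.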