From 1df9b2aa79c5017d394e26619449ab0a49c65c16 Mon Sep 17 00:00:00 2001
From: Dan McGee <dan@archlinux.org>
Date: Wed, 21 Sep 2011 17:51:02 -0500
Subject: pacman-key: add an additional plain text 'foo-trusted' file

This is similar to the 'foo-revoked' file we had. This will be used to
inform the user what keys in the shipped keyring need to be explicitly
trusted by the user.

A distro such as Arch will likely have 3-4 master keys listed in this
trusted file, but an additional 25 developer keys present in the keyring
that the user shouldn't have to directly sign.

We use this list to prompt the user to sign the keys locally. If the key
is already signed locally gpg will print a bit of junk but will continue
without pestering the user.

Signed-off-by: Dan McGee <dan@archlinux.org>
---
 scripts/pacman-key.sh.in | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

(limited to 'scripts')

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index cb76a403..d0f338f6 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -219,6 +219,11 @@ verify_keyring_input() {
 		keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
 		validate_with_gpg "${keyfile}" || ret=1
 
+		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+		if [[ -f "${keyfile}" ]]; then
+			validate_with_gpg "${keyfile}" || ret=1
+		fi
+
 		keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
 		if [[ -f "${keyfile}" ]]; then
 			validate_with_gpg "${keyfile}" || ret=1
@@ -270,9 +275,31 @@ populate_keyring() {
 		"${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg"
 	done
 
-	# Read the revoked key IDs to an array. The conversion from whatever is inside the file
+	# Read the trusted key IDs to an array. The conversion from whatever is inside the file
 	# to key ids is important, because key ids are the only guarantee of identification
 	# for the keys.
+	local -A trusted_ids
+	for keyring in "${KEYRINGIDS[@]}"; do
+		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
+			while read key; do
+				key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
+				if [[ -n ${key_id} ]]; then
+					# Mark this key to be lsigned
+					trusted_ids[$key_id]="${keyring}"
+				fi
+			done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+		fi
+	done
+
+	if (( ${#trusted_ids[@]} > 0 )); then
+		msg "$(gettext "Locally signing trusted keys in keyring...")"
+		for key_id in "${!trusted_ids[@]}"; do
+			msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
+			"${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}"
+		done
+	fi
+
+	# Read the revoked key IDs to an array.
 	local -A revoked_ids
 	for keyring in "${KEYRINGIDS[@]}"; do
 		if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
-- 
cgit v1.2.3-24-g4f1b