Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAllan McRae <allan@archlinux.org>2011-08-23 15:00:19 +1000
committerAllan McRae <allan@archlinux.org>2011-08-29 11:55:22 +1000
commit710e83999bbf8ae614b9310744c5306a7cbc858b (patch)
treea1831fbc56e22792ae3d7973dfac43a1f0147cdb
parentd1240f67eab6dfa7e3344cd84dd8849b38ce337c (diff)
pacman-key: import everything then revoke on --populate
The optimization of only importing keys that were not to be later revoked was a not smart enough. For example, if a key was in both a repos keyring and its revoke list, alternate runs of pacman-key --populate would add then remove the key from the pacman keyring. This problem is made worse when considering the possibility of multiple keyrings being imported. Instead, import all keys followed by the revoking of all keys. This may result in a key being added then revoked, but that is not much of an issue given that is a very fast operation. Signed-off-by: Allan McRae <allan@archlinux.org>
-rw-r--r--scripts/pacman-key.sh.in23
1 files changed, 10 insertions, 13 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 85801006..3e31abbf 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -199,7 +199,16 @@ populate_keyring() {
local key
local key_id
- # Read the key ids to an array. The conversion from whatever is inside the file
+ # Add keys from requested keyrings
+ for keyring in ${KEYRINGIDS[@]}; do
+ msg "$(gettext "Appending keys from %s.gpg...")" "$keyring"
+ local add_keys="$("${GPG_NOKEYRING[@]}" --keyring "${KEYRING_IMPORT_DIR}/${keyring}.gpg" --with-colons --list-keys | grep ^pub | cut -d: -f5)"
+ for key_id in ${add_keys}; do
+ "${GPG_NOKEYRING[@]}" --keyring "${KEYRING_IMPORT_DIR}/${keyring}.gpg" --export "${key_id}" | "${GPG_PACMAN[@]}" --import
+ done
+ done
+
+ # Read the revoked key IDs to an array. The conversion from whatever is inside the file
# to key ids is important, because key ids are the only guarantee of identification
# for the keys.
local -A removed_ids
@@ -236,18 +245,6 @@ populate_keyring() {
done
fi
- # Add keys from requested keyrings
- for keyring in ${KEYRINGIDS[@]}; do
- msg "$(gettext "Appending keys from %s.gpg...")" "$keyring"
- local add_keys="$("${GPG_NOKEYRING[@]}" --keyring "${KEYRING_IMPORT_DIR}/${keyring}.gpg" --with-colons --list-keys | grep ^pub | cut -d: -f5)"
- for key_id in ${add_keys}; do
- # There is no point in adding a key that will be deleted right after
- if [[ -z "${removed_ids[$key_id]}" ]]; then
- "${GPG_NOKEYRING[@]}" --keyring "${KEYRING_IMPORT_DIR}/${keyring}.gpg" --export "${key_id}" | "${GPG_PACMAN[@]}" --import
- fi
- done
- done
-
# Remove the keys not marked to keep
if (( ${#removed_ids[@]} > 0 )); then
msg "$(gettext "Removing revoked keys from keyring...")"