Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan McGee <dan@archlinux.org>2011-08-25 18:39:11 -0500
committerDan McGee <dan@archlinux.org>2011-08-30 08:23:46 -0500
commit7479bf21e85c118067351769cdc9f1fd589ac4dc (patch)
treefcc5275770af699d4c050199d6b13cb93bd2e647
parent06b228b20fff23500e5bb9bc8cdf96a86ca244e8 (diff)
pacman-key master key generation
This enables pacman-key, during --init, to generate a single secret key for the pacman keyring if one is not present. This will be used as the root of the web of trust for those that do not wish to manage it with their own key, as will be the default. This does not preclude later adding other secret keys to the keyring, or removing this one- we simply ensure you have at least one secret key available. Signed-off-by: Dan McGee <dan@archlinux.org>
-rw-r--r--scripts/pacman-key.sh.in25
1 files changed, 25 insertions, 0 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index c200d8e4..8f108250 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -100,6 +100,25 @@ get_from() {
return 1
}
+generate_master_key() {
+ # Generate the master key, which will be in both pubring and secring
+ "${GPG_PACMAN[@]}" --gen-key --batch <<EOF
+%echo Generating pacman keychain master key...
+Key-Type: RSA
+Key-Length: 2048
+Key-Usage: sign
+Name-Real: Pacman Keychain Master Key
+Name-Email: pacman@localhost
+Expire-Date: 0
+%commit
+%echo Done
+EOF
+}
+
+secret_keys_available() {
+ "${GPG_PACMAN[@]}" -K --with-colons | wc -l
+}
+
# Adds the given gpg.conf option if it is not present in the file.
# Note that if we find it commented out, we won't add the option.
# args: $1 conffile, $2 option-name, $3 (optional) option-value
@@ -135,6 +154,12 @@ initialize() {
add_gpg_conf_option "$conffile" 'no-permission-warning'
add_gpg_conf_option "$conffile" 'lock-never'
add_gpg_conf_option "$conffile" 'keyserver' 'hkp://keys.gnupg.net'
+
+ # set up a private signing key (if none available)
+ if [[ $(secret_keys_available) -lt 1 ]]; then
+ generate_master_key
+ UPDATEDB=1
+ fi
}
check_keyring() {