From 1df9b2aa79c5017d394e26619449ab0a49c65c16 Mon Sep 17 00:00:00 2001 From: Dan McGee Date: Wed, 21 Sep 2011 17:51:02 -0500 Subject: pacman-key: add an additional plain text 'foo-trusted' file This is similar to the 'foo-revoked' file we had. This will be used to inform the user what keys in the shipped keyring need to be explicitly trusted by the user. A distro such as Arch will likely have 3-4 master keys listed in this trusted file, but an additional 25 developer keys present in the keyring that the user shouldn't have to directly sign. We use this list to prompt the user to sign the keys locally. If the key is already signed locally gpg will print a bit of junk but will continue without pestering the user. Signed-off-by: Dan McGee --- doc/pacman-key.8.txt | 29 +++++++++++++++++++---------- scripts/pacman-key.sh.in | 29 ++++++++++++++++++++++++++++- 2 files changed, 47 insertions(+), 11 deletions(-) diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 225b352f..103a1fdd 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -110,18 +110,27 @@ Options Providing a Keyring for Import ------------------------------ -A distribution or other repository provided may want to provide a set of valid +A distribution or other repository provided may want to provide a set of PGP keys used in the signing of its packages and repository databases that can -be readily imported into the pacman keyring. This is achieved by providing a +be readily imported into the pacman keyring. This is achieved by providing a PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the -directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be -provided containing a list of revoked key IDs for that keyring. These files are -required to be signed (detached) by a trusted PGP key that the user must -manually import to the pacman keyring. This prevents a potentially malicious -repository adding keys to the pacman keyring without the users knowledge. - -A key being marked as revoked always takes priority over the key being added to -the pacman keyring, regardless of the keyring it is provided in. +directory +{pkgdatadir}/keyrings+. + +Optionally, the file `foo-trusted` can be provided containing a list of trusted +key IDs for that keyring. This file will inform the user which keys a user +needs to verify and sign to build a local web of trust. + +Also optionally, the file `foo-revoked` can be provided containing a list of +revoked key IDs for that keyring. Revoked is defined as "no longer valid for +any signing", so should be used with prudence. A key being marked as revoked +will be disabled in the keyring and no longer treated as valid, so this always +takes priority over it's trusted state in any other keyring. + +All files are required to be signed (detached) by a trusted PGP key that the +user must manually import to the pacman keyring. This prevents a potentially +malicious repository adding keys to the pacman keyring without the users +knowledge. + See Also -------- diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index cb76a403..d0f338f6 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -219,6 +219,11 @@ verify_keyring_input() { keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg" validate_with_gpg "${keyfile}" || ret=1 + keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted" + if [[ -f "${keyfile}" ]]; then + validate_with_gpg "${keyfile}" || ret=1 + fi + keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked" if [[ -f "${keyfile}" ]]; then validate_with_gpg "${keyfile}" || ret=1 @@ -270,9 +275,31 @@ populate_keyring() { "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg" done - # Read the revoked key IDs to an array. The conversion from whatever is inside the file + # Read the trusted key IDs to an array. The conversion from whatever is inside the file # to key ids is important, because key ids are the only guarantee of identification # for the keys. + local -A trusted_ids + for keyring in "${KEYRINGIDS[@]}"; do + if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then + while read key; do + key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)" + if [[ -n ${key_id} ]]; then + # Mark this key to be lsigned + trusted_ids[$key_id]="${keyring}" + fi + done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted" + fi + done + + if (( ${#trusted_ids[@]} > 0 )); then + msg "$(gettext "Locally signing trusted keys in keyring...")" + for key_id in "${!trusted_ids[@]}"; do + msg2 "$(gettext "Locally signing key %s...")" "${key_id}" + "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}" + done + fi + + # Read the revoked key IDs to an array. local -A revoked_ids for keyring in "${KEYRINGIDS[@]}"; do if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then -- cgit v1.2.3-70-g09d2