bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

pacman-key: add --lsign-key operation

Browse source 
This allows local signing of a given key to help establish the web of
trust rooted at the generated (or imported) master key.

Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Dan McGee 2011-08-29 12:52:51 -05:00
parent 7479bf21e8
commit 50f53b293c
1 changed files with 14 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
scripts/pacman-key.sh.in
View file

@ -37,6 +37,7 @@ IMPORT_TRUSTDB=0
INIT=0 INIT=0
LISTKEYS=0 LISTKEYS=0
LISTSIGS=0 LISTSIGS=0
LSIGNKEY=0
POPULATE=0 POPULATE=0
RECEIVE=0 RECEIVE=0
UPDATEDB=0 UPDATEDB=0
@ -178,6 +179,13 @@ check_keyring() {
fi fi
fi fi
if (( LSIGNKEY )); then
if [[ $(secret_keys_available) -lt 1 ]]; then
error "$(gettext "There is no secret key available to sign with.")"
msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init"
exit 1
fi
fi
} }
verify_keyring_input() { verify_keyring_input() {
@ -357,7 +365,7 @@ fi
OPT_SHORT="a::d:e:f::hl::r:uv:V" OPT_SHORT="a::d:e:f::hl::r:uv:V"
OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:" OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::" OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::"
OPT_LONG+=",populate::,receive:,updatedb,verify:,version" OPT_LONG+=",lsign-key:,populate::,receive:,updatedb,verify:,version"
if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
echo; usage; exit 1 # E_INVALID_OPTION; echo; usage; exit 1 # E_INVALID_OPTION;
fi fi
@ -383,6 +391,7 @@ while true; do
--init) INIT=1 ;; --init) INIT=1 ;;
-l|--list-keys) LISTKEYS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;; -l|--list-keys) LISTKEYS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
--list-sigs) LISTSIGS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;; --list-sigs) LISTSIGS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
--lsign-key) LSIGNKEY=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
--populate) POPULATE=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYRINGIDS=($1); UPDATEDB=1 ;; --populate) POPULATE=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYRINGIDS=($1); UPDATEDB=1 ;;
-r|--receive) RECEIVE=1; shift; TMP=($1); KEYSERVER=${TMP[0]}; KEYIDS=(${TMP[@]:1}); unset TMP; UPDATEDB=1 ;; -r|--receive) RECEIVE=1; shift; TMP=($1); KEYSERVER=${TMP[0]}; KEYIDS=(${TMP[@]:1}); unset TMP; UPDATEDB=1 ;;
-u|--updatedb) UPDATEDB=1 ;; -u|--updatedb) UPDATEDB=1 ;;
@ -403,7 +412,7 @@ if ! type -p gpg >/dev/null; then
exit 1 exit 1
fi fi
if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || POPULATE || RECEIVE || UPDATEDB) && EUID != 0 )); then if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || LSIGNKEY || POPULATE || RECEIVE || UPDATEDB) && EUID != 0 )); then
error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key" error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
exit 1 exit 1
fi fi
@ -423,7 +432,7 @@ GPG_PACMAN=(gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning)
# check only a single operation has been given # check only a single operation has been given
# don't include UPDATEDB in here as other opts can induce it # don't include UPDATEDB in here as other opts can induce it
numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB + numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB +
INIT + LISTKEYS + LISTSIGS + POPULATE + RECEIVE + VERIFY )) INIT + LISTKEYS + LISTSIGS + LSIGNKEY + POPULATE + RECEIVE + VERIFY ))
case $numopt in case $numopt in
0) 0)
@ -451,6 +460,8 @@ esac
(( INIT )) && initialize (( INIT )) && initialize
(( LISTKEYS )) && "${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}" (( LISTKEYS )) && "${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}"
(( LISTSIGS )) && "${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}" (( LISTSIGS )) && "${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}"
# TODO: we can't do --batch on lsign until we figure out --command-fd
(( LSIGNKEY )) && "${GPG_PACMAN[@]}" --lsign-key "${KEYIDS[@]}"
(( POPULATE )) && populate_keyring (( POPULATE )) && populate_keyring
(( RECEIVE )) && receive_keys (( RECEIVE )) && receive_keys
(( VERIFY )) && "${GPG_PACMAN[@]}" --verify $SIGNATURE (( VERIFY )) && "${GPG_PACMAN[@]}" --verify $SIGNATURE