bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

makepkg/repo-add: handle GPGKEY with spaces

Browse source 
We pass this to gpg -u and this gpg option can accept a number of
different formats, not just the historical hexadecimal fingerprint we
assumed. We should not barf hard if a format is used which happens to
contain spaces.

This also fixes a validation bug. When we initially check if the desired
key is available, we don't quote spaces, so gpg goes ahead and treats
each space-separated string as a *different key* to search for,
returning partial matches, and returning success if at least one key is
found. But gpg --detach-sign -u will certainly not accept multiple keys!

Fixes FS#66949

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Eli Schwartz 2020-06-08 21:59:18 -04:00 committed by Allan McRae
parent bf458cced7
commit 899d39b635
3 changed files with 8 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
scripts/libmakepkg/integrity/generate_signature.sh.in
View file

@ -29,12 +29,12 @@ create_signature() {
local ret=0 local ret=0
local filename="$1" local filename="$1"
local SIGNWITHKEY="" local SIGNWITHKEY=()
if [[ -n $GPGKEY ]]; then if [[ -n $GPGKEY ]]; then
SIGNWITHKEY="-u ${GPGKEY}" SIGNWITHKEY=(-u "${GPGKEY}")
fi fi
gpg --detach-sign --use-agent ${SIGNWITHKEY} --no-armor "$filename" &>/dev/null || ret=$? gpg --detach-sign --use-agent "${SIGNWITHKEY[@]}" --no-armor "$filename" &>/dev/null || ret=$?
if (( ! ret )); then if (( ! ret )); then

2
scripts/makepkg.sh.in
View file

@ -1286,7 +1286,7 @@ fi
# check if gpg signature is to be created and if signing key is valid # check if gpg signature is to be created and if signing key is valid
if { [[ -z $SIGNPKG ]] && check_buildenv "sign" "y"; } || [[ $SIGNPKG == 'y' ]]; then if { [[ -z $SIGNPKG ]] && check_buildenv "sign" "y"; } || [[ $SIGNPKG == 'y' ]]; then
SIGNPKG='y' SIGNPKG='y'
if ! gpg --list-key ${GPGKEY} &>/dev/null; then if ! gpg --list-key ${GPGKEY:+"$GPGKEY"} &>/dev/null; then
if [[ ! -z $GPGKEY ]]; then if [[ ! -z $GPGKEY ]]; then
error "$(gettext "The key %s does not exist in your keyring.")" "${GPGKEY}" error "$(gettext "The key %s does not exist in your keyring.")" "${GPGKEY}"
else else

8
scripts/repo-add.sh.in
View file

@ -137,7 +137,7 @@ check_gpg() {
fi fi
if (( ! VERIFY )); then if (( ! VERIFY )); then
if ! gpg --list-key ${GPGKEY} &>/dev/null; then if ! gpg --list-key ${GPGKEY:+"$GPGKEY"} &>/dev/null; then
if [[ ! -z $GPGKEY ]]; then if [[ ! -z $GPGKEY ]]; then
error "$(gettext "The key ${GPGKEY} does not exist in your keyring.")" error "$(gettext "The key ${GPGKEY} does not exist in your keyring.")"
elif (( ! KEY )); then elif (( ! KEY )); then
@ -155,11 +155,11 @@ create_signature() {
local ret=0 local ret=0
msg "$(gettext "Signing database '%s'...")" "${dbfile##*/.tmp.}" msg "$(gettext "Signing database '%s'...")" "${dbfile##*/.tmp.}"
local SIGNWITHKEY="" local SIGNWITHKEY=()
if [[ -n $GPGKEY ]]; then if [[ -n $GPGKEY ]]; then
SIGNWITHKEY="-u ${GPGKEY}" SIGNWITHKEY=(-u "${GPGKEY}")
fi fi
gpg --detach-sign --use-agent --no-armor ${SIGNWITHKEY} "$dbfile" &>/dev/null || ret=$? gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "$dbfile" &>/dev/null || ret=$?
if (( ! ret )); then if (( ! ret )); then
msg2 "$(gettext "Created signature file '%s'")" "${dbfile##*/.tmp.}.sig" msg2 "$(gettext "Created signature file '%s'")" "${dbfile##*/.tmp.}.sig"