From c7e4f4592274e97b95de7ad81ac4eb114106a3a2 Mon Sep 17 00:00:00 2001
From: Daan De Meyer
Date: Thu, 26 Aug 2021 21:07:20 +0100
Subject: [PATCH] pacman-key: Reduce gpg trustdb checks

Every time we modify gpg's state by signing or revoking a key, gpg marks the trustdb as stale and rechecks it the next time key_is_lsigned() or key_is_revoked() is called. Currently, we alternate calls signing of keys and calling key_is_lsigned() (idem for revoking) which means that for each key we sign (or revoke), gpg will check the trustdb once. To avoid checking the trustb so many times, we can simply do all the key_is_lsigned() and key_is_revoked() checks upfront. Inbetween read operations the trustdb is not marked stale and inbetween write operations the trustdb is also not marked stale. This reduces the amount of trustdb checks from 50 to 1.

Signed-off-by: Allan McRae
---
 scripts/pacman-key.sh.in | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 0526532f..f7f1dd61 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -333,12 +333,29 @@ populate_keyring() {
 # skip blank lines, comments; these are valid in this file
 [[ -z $key_id || ${key_id:0:1} = \# ]] && continue
+ if key_is_lsigned "$key_id" ; then
+ continue
+ fi
+
 # Mark this key to be lsigned
 trusted_ids[$key_id]=$keyring
 done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
 fi
 done
+ local -A revoked_ids
+ for keyring in "${KEYRINGIDS[@]}"; do
+ if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then
+ while read -r key_id; do
+ if key_is_revoked "$key_id" ; then
+ continue
+ fi
+
+ revoked_ids["$key_id"]=1
+ done <"$KEYRING_IMPORT_DIR/$keyring-revoked"
+ fi
+ done
+
 if (( ${#trusted_ids[@]} > 0 )); then
 msg "$(gettext "Locally signing trusted keys in keyring...")"
 lsign_keys "${!trusted_ids[@]}"
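Review bot: The `key_is_lsigned` guard added ahead of `trusted_ids[$key_id]=$keyring` becomes the only place that check runs, because the third hunk removes it from `lsign_keys`; if `lsign_keys` is also reached from a standalone lsign command path (its callers are not visible here), already-signed keys would then be handed to gpg again, and whether gpg treats a repeat lsign as an error rather than a no-op is worth confirming before merging. The relocated revoked-file loop also lacks the blank-line/comment guard the trusted loop has, so an empty or `#` line in a `*-revoked` file now reaches `key_is_revoked` before anything filters it; mirroring `[[ -z $key_id || ${key_id:0:1} = \# ]] && continue` right after `while read -r key_id; do` keeps the two loops consistent. The reason for querying key state up front lives only in the commit message, so a comment above the new `local -A revoked_ids` block such as `# Query gpg for key state before any signing/revoking: each write marks the trustdb stale and the next query rechecks it` would stop a later cleanup from interleaving the checks with the writes again. populate_keyring continues past the end of this hunk.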
@@ -350,22 +367,10 @@ populate_keyring() {
 done
 fi
- local -A revoked_ids
- for keyring in "${KEYRINGIDS[@]}"; do
- if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then
- while read -r key_id; do
- revoked_ids["$key_id"]=1
- done <"$KEYRING_IMPORT_DIR/$keyring-revoked"
- fi
- done
-
 if (( ${#revoked_ids[@]} > 0 )); then
 local key_count=0
 msg "$(gettext "Disabling revoked keys in keyring...")"
 for key_id in "${!revoked_ids[@]}"; do
- if key_is_revoked "$key_id" ; then
- continue
- fi
 if (( VERBOSE )); then
 msg2 "$(gettext "Disabling key %s...")" "${key_id}"
 fi
@@ -485,9 +490,6 @@ lsign_keys() {
 local ret=0
 local key_count=0
 for key_id in "$@"; do
- if key_is_lsigned "$key_id" ; then
- continue
- fi
 if (( VERBOSE )); then
 msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
 fi