pacman-key: Reduce gpg trustdb checks
Every time we modify gpg's state by signing or revoking a key, gpg marks the trustdb as stale and rechecks it the next time key_is_lsigned() or key_is_revoked() is called. Currently, we alternate between signing keys and calling key_is_lsigned() (idem for revoking), which means that for each key we sign (or revoke), gpg will check the trustdb once. To avoid checking the trustdb so many times, we can simply do all the key_is_lsigned() and key_is_revoked() checks upfront. In between read operations the trustdb is not marked stale, and in between write operations the trustdb is also not marked stale. This reduces the number of trustdb checks from 50 to 1. Signed-off-by: Allan McRae <allan@archlinux.org>
parent
160f5bec8c
commit
c7e4f45922
1 changed files with 17 additions and 15 deletions
|
@ -333,12 +333,29 @@ populate_keyring() {
|
||||||
# skip blank lines, comments; these are valid in this file
|
# skip blank lines, comments; these are valid in this file
|
||||||
[[ -z $key_id || ${key_id:0:1} = \# ]] && continue
|
[[ -z $key_id || ${key_id:0:1} = \# ]] && continue
|
||||||
|
|
||||||
|
if key_is_lsigned "$key_id" ; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
# Mark this key to be lsigned
|
# Mark this key to be lsigned
|
||||||
trusted_ids[$key_id]=$keyring
|
trusted_ids[$key_id]=$keyring
|
||||||
done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
|
done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
local -A revoked_ids
|
||||||
|
for keyring in "${KEYRINGIDS[@]}"; do
|
||||||
|
if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then
|
||||||
|
while read -r key_id; do
|
||||||
|
if key_is_revoked "$key_id" ; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
revoked_ids["$key_id"]=1
|
||||||
|
done <"$KEYRING_IMPORT_DIR/$keyring-revoked"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
if (( ${#trusted_ids[@]} > 0 )); then
|
if (( ${#trusted_ids[@]} > 0 )); then
|
||||||
msg "$(gettext "Locally signing trusted keys in keyring...")"
|
msg "$(gettext "Locally signing trusted keys in keyring...")"
|
||||||
lsign_keys "${!trusted_ids[@]}"
|
lsign_keys "${!trusted_ids[@]}"
|
||||||
|
@ -350,22 +367,10 @@ populate_keyring() {
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local -A revoked_ids
|
|
||||||
for keyring in "${KEYRINGIDS[@]}"; do
|
|
||||||
if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then
|
|
||||||
while read -r key_id; do
|
|
||||||
revoked_ids["$key_id"]=1
|
|
||||||
done <"$KEYRING_IMPORT_DIR/$keyring-revoked"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
if (( ${#revoked_ids[@]} > 0 )); then
|
if (( ${#revoked_ids[@]} > 0 )); then
|
||||||
local key_count=0
|
local key_count=0
|
||||||
msg "$(gettext "Disabling revoked keys in keyring...")"
|
msg "$(gettext "Disabling revoked keys in keyring...")"
|
||||||
for key_id in "${!revoked_ids[@]}"; do
|
for key_id in "${!revoked_ids[@]}"; do
|
||||||
if key_is_revoked "$key_id" ; then
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
if (( VERBOSE )); then
|
if (( VERBOSE )); then
|
||||||
msg2 "$(gettext "Disabling key %s...")" "${key_id}"
|
msg2 "$(gettext "Disabling key %s...")" "${key_id}"
|
||||||
fi
|
fi
|
||||||
|
@ -485,9 +490,6 @@ lsign_keys() {
|
||||||
local ret=0
|
local ret=0
|
||||||
local key_count=0
|
local key_count=0
|
||||||
for key_id in "$@"; do
|
for key_id in "$@"; do
|
||||||
if key_is_lsigned "$key_id" ; then
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
if (( VERBOSE )); then
|
if (( VERBOSE )); then
|
||||||
msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
|
msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
|
||||||
fi
|
fi
|
||||||
|
|
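Review bot: With the `key_is_lsigned` guard removed from `lsign_keys` (third hunk), the skip for already-signed keys now lives only in `populate_keyring`, so any other caller of `lsign_keys` (none is visible in these hunks) would attempt to sign keys that already carry a local signature. If that is intended, a comment at the top of the loop would record the contract, e.g. `# callers filter out already-lsigned keys first; checking here forces a trustdb recheck per key`. Separately, the new `-revoked` read loop passes every line straight to `key_is_revoked "$key_id"`, while the `-trusted` loop skips blank lines and comments first. Adding the same `[[ -z $key_id || ${key_id:0:1} = \# ]] && continue` guard there would keep empty or comment lines from reaching gpg and from being used as an array subscript. The bodies of `populate_keyring` and `lsign_keys` start and end outside the hunks shown.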