Signed-off-by: Allan McRae <[email protected]>
---
 config       |  1 +
 db-functions | 14 ++++++++++++++
 db-update    |  2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/config b/config
index 3df6c95..d1413cc 100644
--- a/config
+++ b/config
@@ -18,6 +18,7 @@ SOURCE_CLEANUP_DRYRUN=false
 SOURCE_CLEANUP_KEEP=14
 
 REQUIRE_SIGNATURE=true
+MASTER_KEYS=('6AC6A4C2' '824B18E8' '4C7EA887' 'FFF979E7' 'CDFD6BB0')
 
 LOCK_DELAY=10
 LOCK_TIMEOUT=300
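Review bot: The `MASTER_KEYS` entries on the added line are 8-hex-digit short key IDs, which are not unique, so the check in db-functions could match an unrelated key that happens to share the same short ID. Listing full fingerprints would remove that ambiguity, e.g. `MASTER_KEYS=('<FULL_FINGERPRINT_1>' '<FULL_FINGERPRINT_2>')`, though the `key ID` text match in `check_signature` would then need to compare against whatever identifier the verification output actually prints. The array also has no comment; judging from how db-functions uses it, something like `# Keys listed here must not sign packages directly; db-update rejects packages signed by them` would tell an administrator what adding a key does.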
diff --git a/db-functions b/db-functions
index bb49894..26e6825 100644
--- a/db-functions
+++ b/db-functions
@@ -381,6 +381,20 @@ check_pkgsvn() {
        return 0
 }
 
+check_signature() {
+       local pkgfile="${1}"
+
+       if ! pacman-key -v "${pkgfile}.sig" >/dev/null 2>&1
+               return 1
+       fi
+
+       for k in ${MASTER_KEYS}; do
+               if pacman-key -v "${pkgfile}.sig" 2>&1 | grep -q "key ID ${k}"
+                       return 1
+               fi
+       done
+}
+
 check_splitpkgs() {
        local repo="${1}"
        shift
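Review bot: `check_signature` will not parse as added, because both `if` statements go straight from the condition to `return 1` with no `then`. In the loop, `${MASTER_KEYS}` expands to the first array element only, so four of the five configured keys are never compared; it should be `"${MASTER_KEYS[@]}"`, and `k` should be declared `local`. The function also runs `pacman-key -v` again for every key and greps human-readable output, which depends on locale; verifying once under `LC_ALL=C` and matching against the captured text is cheaper and more stable. An explicit `return 0` at the end and a short header comment stating that a non-zero return means "invalid signature or signed by a master key" would make the contract clear to callers.

```shell
check_signature() {
        local pkgfile="${1}"
        local output k

        # Verify once and reuse the output; the C locale keeps the matched text stable.
        if ! output=$(LC_ALL=C pacman-key -v "${pkgfile}.sig" 2>&1); then
                return 1
        fi

        # Reject signatures made directly by any configured master key.
        for k in "${MASTER_KEYS[@]}"; do
                if grep -q "key ID ${k}" <<<"${output}"; then
                        return 1
                fi
        done

        return 0
}
```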
diff --git a/db-update b/db-update
index 576fe2b..087a248 100755
--- a/db-update
+++ b/db-update
@@ -42,7 +42,7 @@ for repo in ${repos[@]}; do
                        if ! check_pkgfile "${pkg}"; then
                                die "Package ${repo}/${pkg##*/} is not 
consistent with its meta data"
                        fi
-                       if ${REQUIRE_SIGNATURE} && ! pacman-key -v "${pkg}.sig" 
>/dev/null 2>&1; then
+                       if ${REQUIRE_SIGNATURE} && ! check_pkgsig ${pkg}; then
                                die "Package ${repo}/${pkg##*/} does not have a 
valid signature"
                        fi
                        if ! check_pkgsvn "${pkg}" "${repo}"; then
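Review bot: The new condition calls `check_pkgsig`, but the function this patch adds to db-functions is named `check_signature`. Unless `check_pkgsig` is defined elsewhere, the call fails as an unknown command, the `!` turns that into success, and every package is rejected whenever `REQUIRE_SIGNATURE` is true. `${pkg}` is also unquoted here although the neighbouring checks quote it; the line should read `if ${REQUIRE_SIGNATURE} && ! check_signature "${pkg}"; then`. The `die` message still says only "does not have a valid signature", so a package rejected for being signed by a master key is reported misleadingly; a separate message for that case would help whoever triages the failure. The enclosing `for repo` loop starts and ends outside this hunk.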
-- 
1.8.4.2
