On 10/07/11 14:10, Pang Yan Han wrote:
The issue I mentioned is with regards to pacman -U and pacman-key --import.
I edited the patch so that it'll work with the new pacman-key code, and the same thing happens.
Basically, I tried installing 2 packages signed by 2 different keys. They are
"ack-1.94-2-any.pkg.tar.xz" and "archlinux-wallpaper-1.3-2-any.pkg.tar.xz"
Their respective .sig files (detached signatures) are in the same directories.
So I did:
[root@localhost ~] # pacman-key --init
gpg: /usr/local/etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found
[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': Invalid or corrupted package (PGP signature)
[root@localhost ~] # pacman --import .gnupg/
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
Works now with pacman, but I didn't install anything.
Then, I proceeded to import the trustdb with the key for the archlinux
wallpaper package.
[root@localhost ~] # pacman-key --import /home/yh/.gnupg/
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
[root@localhost ~] # pacman -U archlinux-wallpaper-1.3-2-any.pkg.tar.xz
Works now
But then the one for ack fails:
[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)
This is because of how --import-ownertrust works:
--import-ownertrust
Update the trustdb with the ownertrust values stored in files
(or STDIN if not given); existing values will be overwritten.
That last bit is the key to the issue! So we need to be smarter in this
bit here....
+import_trustdb() {
+ local importdir
+ for importdir in "${IMPORT_DIRS[@]}"; do
+ if [[ -f "${importdir}/trustdb.gpg" ]]; then
+ gpg --homedir "${importdir}" --export-ownertrust | ${GPG_PACMAN}
--import-ownertrust
+ fi
+ done
+}
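Review bot: In the for loop, the pipe into ${GPG_PACMAN} --import-ownertrust runs once per entry of IMPORT_DIRS, so with the --import-ownertrust description quoted in this thread ("existing values will be overwritten") the final state depends on the order of the directories, which matches the failure reported above after the second import. Collect the --export-ownertrust output of every directory first and call --import-ownertrust once. Two smaller points in the same loop: a directory without trustdb.gpg is skipped without any message, and a failing gpg export on the left side of the pipe goes unnoticed, so an else branch with a warning and a check of the export's exit status would make both visible.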
Only that last trustdb will end up being imported. I think that doing
something like this instead:
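    # start from the ownertrust already in pacman's keyring
    ${GPG_PACMAN} --export-ownertrust > tmp.file
    for importdir in "${IMPORT_DIRS[@]}"; do
        if [[ -f "${importdir}/trustdb.gpg" ]]; then
            # append this directory's ownertrust to the combined list
            gpg --homedir "${importdir}" --export-ownertrust >> tmp.file
        fi
    done
    # import everything in a single call
    ${GPG_PACMAN} --import-ownertrust tmp.file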
should work... but I have not tested. If appending the trustdbs
together does not work, then create a temporary folder instead and store
them all in individual files and pass multiple files to --import-ownertrust.
Hopefully that fixes this and we can merge this patch.
Cheers,
Allan
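
An added example, not part of the original message or of pacman-key: one way to build the single combined ownertrust list proposed above before one --import-ownertrust call. It assumes the FINGERPRINT:LEVEL: line format of gpg --export-ownertrust and a first-file-wins policy, so that listing the existing pacman keyring export first keeps an imported directory from changing a trust level already set. merge_ownertrust, demo_merge and all sample fingerprints are constructed for illustration.

```shell
#!/bin/sh
# merge_ownertrust FILE...
# Merge several ownertrust dumps into one list on stdout.
# Policy (assumption): the first value seen for a fingerprint wins.
merge_ownertrust() {
    awk -F: '
        # skip the comment header and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # reject anything that is not FINGERPRINT:LEVEL:
        NF < 2 || $1 !~ /^[0-9A-Fa-f]+$/ || $2 !~ /^[0-9]+$/ {
            printf "skipping malformed line in %s: %s\n", FILENAME, $0 > "/dev/stderr"
            next
        }
        { fpr = toupper($1) }
        # keep only the first trust level seen for each fingerprint
        !(fpr in seen) { seen[fpr] = 1; print fpr ":" $2 ":" }
    ' "$@"
}

# Constructed sample input: three dumps with one conflict and one bad line.
demo_merge() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# existing pacman keyring (constructed)' \
        'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6:' > "$d/pacman.txt"
    printf '%s\n' '# first imported directory (constructed)' \
        'BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:6:' \
        'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:3:' > "$d/one.txt"
    printf '%s\n' 'CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:5:' \
        'not an ownertrust line' > "$d/two.txt"
    merge_ownertrust "$d/pacman.txt" "$d/one.txt" "$d/two.txt"
    rm -rf "$d"
}

# With real keyrings the dumps would come from --export-ownertrust and the
# merged list would be piped once into: ${GPG_PACMAN} --import-ownertrust
demo_merge
```

The conflicting level 3 entry for the first fingerprint is dropped because the keyring export listed first already carries level 6, and the malformed line is reported on stderr instead of being passed to gpg.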