On 04/06/13 04:13, Dave Reisner wrote:
> Given a revoked keyring containing only:
>
> BC1FBE4D2826A0B51E47ED62E2539214C6C11350
>
> We should only disable this specific keyid. This change enforces that the
> contents of the -revoked keyring file are full fingerprints which can uniquely
> identify a key.
>
> Before:
>
> # pacman-key --populate archlinux
> ==> Appending keys from archlinux.gpg...
> ==> Locally signing trusted keys in keyring...
> -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
> -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
> -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
> -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
> -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
> ==> Importing owner trust values...
> ==> Disabling revoked keys in keyring...
> -> Disabling key 1390420191...
> -> Disabling key E2539214C6C11350...
> -> Disabling key 8544EA82113502DE...
> ==> Updating trust database...
> gpg: next trustdb check due at 2014-01-22
>
> After:
>
> # pacman-key --populate archlinux
> ==> Appending keys from archlinux.gpg...
> ==> Locally signing trusted keys in keyring...
> -> Locally signing key 0E8B644079F599DFC1DDC3973348882F6AC6A4C2...
> -> Locally signing key 684148BB25B49E986A4944C55184252D824B18E8...
> -> Locally signing key 44D4A033AC140143927397D47EFD567D4C7EA887...
> -> Locally signing key 27FFC4769E19F096D41D9265A04F9397CDFD6BB0...
> -> Locally signing key AB19265E5D7D20687D303246BA1DFB64FFF979E7...
> ==> Importing owner trust values...
> ==> Disabling revoked keys in keyring...
> -> Disabling key BC1FBE4D2826A0B51E47ED62E2539214C6C11350...
> ==> Updating trust database...
> gpg: next trustdb check due at 2014-01-22
>
> Partially addresses FS#35478. This does nothing to confirm whether or not the
> key was successfully disabled -- a ridiculously simple request which appears to
> be far too difficult for gpg to manage.
>
> Signed-off-by: Dave Reisner <[email protected]>

Signed-off-by: Me -> maint

> ---
> Seriously, wtf gpg. The only indication that the key was successfully disabled
> appears to come from the output that we dump to /dev/null:
>
> gpg: WARNING: unsafe permissions on homedir `/etc/pacman.d/gnupg'
>
> pub 2048R/C6C11350 created: 2012-11-30 expires: never usage: SC
> trust: unknown validity: marginal
> *** This key has been disabled
> sub 2048R/113502DE created: 2012-11-30 expires: never usage: E
> [marginal] (1). Federico Cinelli <[email protected]>
>
> You can try to use the key as a recipient for an encrypted message, but this
> seems to only fail with INV_RECP, e.g.:
>
> $ gpg --homedir /etc/pacman.d/gnupg --batch -aer BC1FBE4D2826A0B51E47ED62E2539214C6C11350 --status-fd=1 <<<'' 2>/dev/null
> [GNUPG:] INV_RECP 0 BC1FBE4D2826A0B51E47ED62E2539214C6C11350
>
> BUT... INV_RECP doesn't say anything about the reason the recipient is invalid.
> It might be invalid because it's disabled, and it might be invalid because it
> can't be found. So... blah. Suggestions welcome.
>
> Also, just a point of clarification -- I assume that we disable keys rather
> than revoke signatures out of concern that the key could be trustworthy
> based on signatures other than those of the master key owners?

Partly. Also it is often quicker for a distro to release an updated keyring with a key disabled than it is to get the required master key holders to revoke it.

> scripts/pacman-key.sh.in | 15 ++++----------- > 1 file changed, 4 insertions(+), 11 deletions(-) > > diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in > index 92875ef..30fba10 100644 > --- a/scripts/pacman-key.sh.in > +++ b/scripts/pacman-key.sh.in
> @@ -310,19 +310,12 @@ populate_keyring() { > done > fi > > - # Read the revoked key IDs to an array. The conversion from whatever is > - # inside the file to key ids is important, because key ids are the only > - # guarantee of identification for the keys. > local -A revoked_ids > for keyring in "${KEYRINGIDS[@]}"; do > - if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then > - mapfile -t keys < > "${KEYRING_IMPORT_DIR}/${keyring}-revoked" > - while IFS=: read _ _ _ _ key_id _; do > - if [[ -n $key_id ]]; then > - # Mark this key to be disabled > - revoked_ids[$key_id]="${keyring}" > - fi > - done < <("${GPG_PACMAN[@]}" --quiet --with-colons > --list-keys "${keys[@]}" 2>/dev/null) > + if [[ -s $KEYRING_IMPORT_DIR/$keyring-revoked ]]; then > + while read -r key_id; do > + revoked_ids["$key_id"]=1 > + done <"$KEYRING_IMPORT_DIR/$keyring-revoked" > fi > done > >
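
Review bot: The new `while read -r key_id` loop stores every line of the -revoked file verbatim, so nothing visible in this hunk enforces the full-fingerprint format the commit message describes. A blank line would make `revoked_ids["$key_id"]=1` fail with a bad array subscript, a short key ID would still be stored, and a final line without a trailing newline would be skipped by `read`. Consider rejecting anything that is not 40 hex digits, for example `[[ $key_id =~ ^[0-9A-Fa-f]{40}$ ]] || continue` with a warning, and reading with `while read -r key_id || [[ -n $key_id ]]`. The stored value also changes from `${keyring}` to `1`; is the value read anywhere later in populate_keyring()?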

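On the open question in the quoted notes (telling a disabled key from a missing one): GnuPG's colon listing flags a disabled primary key with a `D` in field 12 of the `pub` record, as documented in GnuPG's doc/DETAILS. The sketch below is an added example, not part of the patch or of pacman-key; `key_state` and `sample_listing` are hypothetical names, and the listing is constructed sample data built around the fingerprint from the thread.

```sh
# Added example (not pacman-key code): classify a key from the output of
#   gpg --with-colons --fingerprint --list-keys
# key_state and sample_listing are hypothetical helper names.

# key_state FINGERPRINT: reads a colon listing on stdin and prints
# "disabled", "enabled" or "missing" for the primary key with that fingerprint.
key_state() {
  awk -F: -v want="$1" '
    # pub record: field 12 holds the capabilities; "D" marks a disabled key
    $1 == "pub" { caps = $12; primary = 1; next }
    # only the first fpr record after a pub record is the primary fingerprint
    $1 == "fpr" && primary {
      primary = 0
      if (toupper($10) == toupper(want)) {
        state = (caps ~ /D/) ? "disabled" : "enabled"
        print state
        found = 1
        exit
      }
    }
    END { if (!found) print "missing" }
  '
}

# Constructed sample listing (not captured gpg output): one disabled key
# with a subkey, followed by one enabled key.
sample_listing() {
  cat <<'EOF'
pub:m:2048:1:E2539214C6C11350:1354233600:::-:::scESCD:
fpr:::::::::BC1FBE4D2826A0B51E47ED62E2539214C6C11350:
uid:m::::1354233600::::Constructed User <user@example.invalid>:
sub:m:2048:1:8544EA82113502DE:1354233600::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA8544EA82113502DE:
pub:f:2048:1:89ABCDEF01234567:1354233600:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
EOF
}

# Stand-alone run over the constructed listing
for fpr in BC1FBE4D2826A0B51E47ED62E2539214C6C11350 \
           0123456789ABCDEF0123456789ABCDEF01234567 \
           FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF; do
  printf '%s %s\n' "$fpr" "$(sample_listing | key_state "$fpr")"
done
```

Against a real keyring the listing would come from `gpg --homedir /etc/pacman.d/gnupg --with-colons --fingerprint --list-keys`; a subkey fingerprint is reported as "missing" because only primary keys carry the disabled flag.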