On 09/03/14 05:22, Thomas Bächler wrote:
> If validpgpkeys is set in the PKGBUILD, signature checking fails if
> the fingerprint of the key used to create the signature is not listed
> in the array.
>
> The key's trust value is ignored.
> ---
> doc/PKGBUILD.5.txt | 7 +++++++
> scripts/makepkg.sh.in | 17 ++++++++++++++---
> 2 files changed, 21 insertions(+), 3 deletions(-)
>
> diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
> index 50d8347..7a1e924 100644
> --- a/doc/PKGBUILD.5.txt
> +++ b/doc/PKGBUILD.5.txt
> @@ -128,6 +128,13 @@ Files in the source array with extensions `.sig`,
> `.sign` or, `.asc` are
> recognized by makepkg as PGP signatures and will be automatically used to
> verify
> the integrity of the corresponding source file.
>
> +*validpgpkeys (array)*::
> + An array of PGP fingerprints. If this array is non-empty, makepkg will
> + only accept signatures from the keys listed here and will ignore the
> + trust values from the keyring.
> ++
> +Fingerprints must be uppercase and must not contain whitespace characters.
> +
> *noextract (array)*::
> An array of file names corresponding to those from the source array.
> Files
> listed here will not be extracted with the rest of the source files.
> This
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index d0e4fb5..d24a2cd 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1283,6 +1283,13 @@ parse_gpg_statusfile() {
> status="error"
> fi
> ;;
> + VALIDSIG)
> + if [[ $arg10 ]]; then
> + fingerprint=$arg10
> + else
> + fingerprint=$arg1
> + fi
> + ;;
And here goes $arg10... But on every file I tested, $arg1 was always
the fingerprint. How can $arg10 be different?
Allan
> TRUST_UNDEFINED|TRUST_NEVER)
> trusted=0
> ;;
> @@ -1299,7 +1306,7 @@ check_pgpsigs() {
>
> msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
>
> - local file ext decompress found pubkey success status trusted
> + local file ext decompress found pubkey success status fingerprint
> trusted
> local warning=0
> local errors=0
> local statusfile=$(mktemp)
> @@ -1345,6 +1352,7 @@ check_pgpsigs() {
> success=0
> status=
> pubkey=
> + fingerprint=
> trusted=
> parse_gpg_statusfile "$statusfile"
> if (( ! $success )); then
> @@ -1365,9 +1373,12 @@ check_pgpsigs() {
> esac
> errors=1
> else
> - if (( ! $trusted )); then
> + if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then
> printf "%s ($(gettext "the public key %s is not
> trusted"))" $(gettext "FAILED") "$pubkey" >&2
> errors=1
> + elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array
> "$fingerprint" "${validpgpkeys[@]}"; then
> + printf "%s (%s $pubkey)" "$(gettext "FAILED")"
> "$(gettext "invalid public key")"
> + errors=1
> else
> printf '%s' "$(gettext "Passed")" >&2
> case "$status" in
> @@ -2875,7 +2886,7 @@ fi
>
> unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
> unset md5sums replaces depends conflicts backup source install changelog
> build
> -unset makedepends optdepends options noextract
> +unset makedepends optdepends options noextract validpgpkeys
>
> BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
> if [[ ! -f $BUILDFILE ]]; then
>
