WORK IN PROGRESS. I'm only emailing this patch to get some
feedback. I added a function that checks whether a key
being imported has already been signed and, if it has been,
skips lsigning it.

I'm not 100% sure this line is entirely necessary:
        if (( LSIGNKEY || POPULATE )); then

I wanted to ensure that there -was- a signing key to check
against. It might be a superfluous check, but I couldn't
find where --populate implies having run --init. I may've
missed it.
---
v2. Removed a redundant nested while loop and fixed the
handling of lsigned_already return value checking. Also
did a little cleanup for neater code. 
 scripts/pacman-key.sh.in | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 3627a805..a152f992 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -247,7 +247,7 @@ check_keyring() {
                fi
        fi
 
-       if (( LSIGNKEY )); then
+       if (( LSIGNKEY || POPULATE )); then
                if [[ $(secret_keys_available) -lt 1 ]]; then
                        error "$(gettext "There is no secret key available to 
sign with.")"
                        msg "$(gettext "Use '%s' to generate a default secret 
key.")" "pacman-key --init"
@@ -447,6 +447,18 @@ list_sigs() {
                exit 1
        fi
 }
+lsigned_already() {
+       # Determines whether a key has already been signed locally by getting 
the
+       # local pacman secret key and comparing it against signatures on the key
+       # returns 0 if key is signed, 1 if it is unsigned
+       secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key | head 
-n1 | awk -F : '{print $5}')
+    while IFS=: read -r _ valid _ _ signkey _; do
+            if [ "$valid" != "!" ]; then continue; fi
+            if [[ "$signkey" == "$secret_key" ]]; then return 0; fi
+       done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1")
+       return 1
+
+}
 
 lsign_keys() {
        check_keyids_exist
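Review bot: `lsigned_already` throws away the record type (the first `read` field is `_`), so any colon record with `!` in field 2 and a matching field 5 is treated as an existing local signature; presumably only `sig` records should count. It also never rejects an empty `secret_key`, and `head -n1` assumes the first line of the secret-key listing is the `sec` record. Since a false "already signed" result silently leaves a key without a local signature, the function should select the `sec` record explicitly, return 1 when no key ID is found, and match on `sig` records only. `secret_key`, `valid` and `signkey` should also be declared `local`, and the body should use `[[ ]]` throughout to match the rest of the file.

```shell
lsigned_already() {
	local secret_key rectype valid signkey
	# field 5 of the first "sec" record is the key ID of the local signing key
	secret_key=$("${GPG_PACMAN[@]}" --with-colons --list-secret-key |
		awk -F: '$1 == "sec" { print $5; exit }')
	# without a local key ID nothing can match; report "not signed"
	[[ -n $secret_key ]] || return 1
	while IFS=: read -r rectype valid _ _ signkey _; do
		[[ $rectype == sig && $valid == '!' ]] || continue
		[[ $signkey == "$secret_key" ]] && return 0
	done < <("${GPG_PACMAN[@]}" --with-colons --check-signatures "$1")
	return 1
}
```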
@@ -454,6 +466,9 @@ lsign_keys() {
        local ret=0
        local key_count=0
        for key_id in "$@"; do
+               if ( lsigned_already "$key_id" ) ; then
+                       continue
+               fi
                if (( VERBOSE )); then
                        msg2 "$(gettext "Locally signing key %s...")" 
"${key_id}"
                fi
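Review bot: The parentheses in `if ( lsigned_already "$key_id" ) ; then` fork a subshell for every key, and that subshell is the only thing keeping the function's undeclared `secret_key`, `valid` and `signkey` out of the script's global scope. Once the function declares them `local`, the call can be written as `if lsigned_already "$key_id"; then`. Skipped keys are also silent even under `VERBOSE`, so a short `msg2` before `continue` would let an operator see which keys were left untouched. The body of `lsign_keys` continues outside this hunk.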
@@ -469,7 +484,9 @@ lsign_keys() {
        if (( ret )); then
                exit 1
        fi
+       if (( key_count )); then
        msg2 "$(gettext "Locally signed %s keys.")" "${key_count}"
+       fi
 }
 
 receive_keys() {
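Review bot: The `msg2 "$(gettext "Locally signed %s keys.")"` line is left as a context line, so it keeps its old indentation although it now sits inside the new `if (( key_count )); then` block. Indent it one level so the nesting is visible. With this guard a run in which every key was already signed prints nothing at all, which may be worth a one-line comment stating that the silence is intentional.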
-- 
2.23.0
