On 11/1/21 5:53 am, [email protected] wrote:
> From: Morten Linderud <[email protected]>
>
> With the recent outages of the keyservers there is a possibility of
> `--refresh-keys` failing to fetch new keys. A lot of current key
> distribution is done over WKD these days, and `pacman-key` has the
> ability to use it for `--recv-key`.
>
> There was a hope `gpg` would end up supporting WKD for the refresh
> functionality, but this seems to be limited to expired keys fetched
> through WKD. Since this functionality isn't yet available it makes sense
> to stuff it into `pacman-key`.
>
> The current implementation looks over all available keyids in the
> keyring, attempts to fetch over WKD and then falls back to keyservers if
> no email has a valid WKD available. The downside of this approach is
> that it takes a bit longer to refresh the keys, but it should be more
> robust as the distribution should be providing their own WKDs.
>
I'm going to assume most keys will have WKD. Otherwise a bit longer becomes much, much longer as we no longer fetch keys in parallel...

> Co-authored-by: Jonas Witschel <[email protected]>
> Signed-off-by: Morten Linderud <[email protected]>
> ---
> scripts/pacman-key.sh.in | 36 +++++++++++++++++++++++++++++++++---
> 1 file changed, 33 insertions(+), 3 deletions(-)
>
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index c65669f5..3bd8ea3e 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -540,11 +540,41 @@ receive_keys() { > } > > refresh_keys() { > + local ret=0 ids masterkey emails > + > check_keyids_exist "$@" > - if ! "${GPG_PACMAN[@]}" --refresh-keys "$@" ; then > - error "$(gettext "A specified local key could not be updated > from a keyserver.")" > - exit 1 > + > + # don't try to refresh the user's local masterkey > + masterkey="$("${GPG_PACMAN[@]}" --list-keys --with-colons > pacman@localhost | > + awk -F: '$1 == "pub" { print $5 }')" > + > + mapfile -t ids < \ > + <("${GPG_PACMAN[@]}" --list-keys --with-colons "$@" | > + awk -F: '$1 == "pub" { print $5 }' | grep -v > "^$masterkey$") Can we just use "grep -vx" here? > + > + if (( ! ${#ids[*]} )); then > + error "No keys in the keyring." Error not translated, and incorrect if specifc key IDs are passed to --refresh-keys > + exit 1 > fi > + > + for id in "${ids[@]}"; do > + mapfile -t emails < \ > + <("${GPG_PACMAN[@]}" --list-keys --list-options > show-only-fpr-mbox "$id" | > + awk '{print $2 }') > + > + # first try looking up the key in a WKD (only works by email > address) > + for email in "${emails[@]}"; do > + "${GPG_PACMAN[@]}" --locate-external-keys "$email" && > break > + done There is going to be so much error spam to the terminal with this. Peoples distro IDs are rarely first. > + > + # if no key was found, fall back to using the keyservers (with > the key fingerprint instead) > + if (( $? )) && ! "${GPG_PACMAN[@]}" --refresh-keys "$id"; then > + error "$(gettext "A specified local key could not be > updated from WKD or keyserver.")" This error can be improved given we fetch the key one at a time now. > + ret=1 > + fi > + done > + > + exit $ret > } > > verify_sig() { >
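Review bot: the fallback condition `if (( $? )) && ! "${GPG_PACMAN[@]}" --refresh-keys "$id"` tests the exit status of the preceding `for email ...; done` loop, and that status is 0 when `emails` is empty (no iteration runs), so a key whose uids carry no mailbox is neither looked up over WKD nor refreshed from a keyserver, and `ret` stays 0 for it. Track the WKD result in an explicit flag instead, e.g. `found=0` before the loop, `"${GPG_PACMAN[@]}" --locate-external-keys "$email" && { found=1; break; }` in the body, and `if (( ! found )) && ! "${GPG_PACMAN[@]}" --refresh-keys "$id"; then` afterwards; that also removes the dependence on nothing but a comment sitting between `done` and the `if`. While there, declare `id` and `email` alongside the other locals, and note that a successful `--locate-external-keys "$email"` only shows that a key for that mailbox was imported; nothing in the hunk checks that the imported key is `$id`, so the key being refreshed can still be left stale while the loop reports success.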
