Re: [pacman-dev] [PATCH] pacman-key: just accept one file to verify, and enforce detached sigs
On 30/5/18 3:00 am, Eli Schwartz wrote:
> Simply pass options on to gpg the same way gpg uses them -- no looping
> through and checking lots of signatures.
>
> This prevents a situation where the signature file to be verified is
> manipulated to contain a complete signature which is valid, but not a
> detached signature for the file you are actually trying to verify.
>
> gpg does not offer an option to verify many files at once by naming each
> signature/file pair, and there's no reason for us to do so either, since
> it would be quite tiresome to do so.
>
> Signed-off-by: Eli Schwartz
> ---
> scripts/pacman-key.sh.in | 25 +
> 1 file changed, 13 insertions(+), 12 deletions(-)
>
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index 0f1630a9..0573e92f 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -486,18 +486,19 @@ refresh_keys() {
> }
>
> verify_sig() {
> - local ret=0
> - for sig; do
> - msg "Checking %s..." "$sig"
> - if grep -q 'BEGIN PGP SIGNATURE' "$sig"; then
> - error "$(gettext "Cannot use armored signatures for
> packages: %s")" "$sig"
> - return 1
> - fi
> - if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep
> -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'; then
> - error "$(gettext "The signature identified by %s could
> not be verified.")" "$sig"
> - ret=1
> - fi
> - done
> + local ret=0 sig=$1 file=$2
> + if [[ -z $file ]]; then
> + file=${sig%.*}
> + fi
Only do this if $file exists. Otherwise we can assume it is an embedded
signature.
> + msg "Checking %s..." "$sig"
Can we add a (detached) at the end here if $file exists?
Also, docs will need updated.
> + if grep -q 'BEGIN PGP SIGNATURE' "$sig"; then
> + error "$(gettext "Cannot use armored signatures for packages:
> %s")" "$sig"
> + exit 1
> + fi
> + if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" "$file" | grep
> -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'; then
> + error "$(gettext "The signature identified by %s could not be
> verified.")" "$sig"
> + ret=1
> + fi
> exit $ret
> }
>
>
Re: [pacman-dev] [PATCH] pacman-key: just accept one file to verify, and enforce detached sigs
On 30/05/18 03:00, Eli Schwartz wrote:
> Simply pass options on to gpg the same way gpg uses them -- no looping
> through and checking lots of signatures.
>
> This prevents a situation where the signature file to be verified is
> manipulated to contain a complete signature which is valid, but not a
> detached signature for the file you are actually trying to verify.
>
> gpg does not offer an option to verify many files at once by naming each
> signature/file pair, and there's no reason for us to do so either, since
> it would be quite tiresome to do so.
>
> Signed-off-by: Eli Schwartz
> ---
> scripts/pacman-key.sh.in | 25 +
> 1 file changed, 13 insertions(+), 12 deletions(-)
>
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index 0f1630a9..0573e92f 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -486,18 +486,19 @@ refresh_keys() {
> }
>
> verify_sig() {
> - local ret=0
> - for sig; do
> - msg "Checking %s..." "$sig"
> - if grep -q 'BEGIN PGP SIGNATURE' "$sig"; then
> - error "$(gettext "Cannot use armored signatures for
> packages: %s")" "$sig"
> - return 1
> - fi
> - if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep
> -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'; then
> - error "$(gettext "The signature identified by %s could
> not be verified.")" "$sig"
> - ret=1
> - fi
> - done
> + local ret=0 sig=$1 file=$2
> + if [[ -z $file ]]; then
> + file=${sig%.*}
> + fi
Opinions on if we should we do this? All pacman's infrastructure
assumes detached signatures, but this is a difference from how gpg does
things when only one argument is given.
> + msg "Checking %s..." "$sig"
> + if grep -q 'BEGIN PGP SIGNATURE' "$sig"; then
> + error "$(gettext "Cannot use armored signatures for packages:
> %s")" "$sig"
> + exit 1
> + fi
> + if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" "$file" | grep
> -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'; then
> + error "$(gettext "The signature identified by %s could not be
> verified.")" "$sig"
> + ret=1
> + fi
> exit $ret
> }
>
>
