[pacman-dev,5/5,v2] pacman-key: receive keys from WKD with -r/--recv-keys

Message ID 20190805153237.6427-3-diabonas@gmx.de
State Superseded, archived
Series
  • Untitled series #403

Commit Message

Jonas Witschel Aug. 5, 2019, 3:32 p.m. UTC
If an email address is specified, we use --locate-key to look up the key
using WKD and keyserver as a fallback. If the key is specified as a key
ID, this doesn't work, so we use the normal keyserver-based --recv-keys.

Note that --refresh-keys still uses the keyservers exclusively for
refreshing, though the situation might potentially be improved in a new
version of GnuPG:
https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062169.html

Signed-off-by: Jonas Witschel <diabonas@gmx.de>
---
 scripts/pacman-key.sh.in | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

--
2.22.0

Comments

Allan McRae Oct. 7, 2019, 8:38 a.m. UTC | #1
On 6/8/19 1:32 am, Jonas Witschel wrote:
> If an email address is specified, we use --locate-key to look up the key
> using WKD and keyserver as a fallback. If the key is specified as a key
> ID, this doesn't work, so we use the normal keyserver-based --recv-keys.
> 
> Note that --refresh-keys still uses the keyservers exclusively for
> refreshing, though the situation might potentially be improved in a new
> version of GnuPG:
> https://lists.gnupg.org/pipermail/gnupg-users/2019-July/062169.html
> 
> Signed-off-by: Jonas Witschel <diabonas@gmx.de>
> ---

Some fairly minor changes below.

>  scripts/pacman-key.sh.in | 21 ++++++++++++++-------
>  1 file changed, 14 insertions(+), 7 deletions(-)
> 
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index b05754e5..a4bdbaa9 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -455,22 +455,29 @@ lsign_keys() {
>  }
> 
>  receive_keys() {
> -	local name id keyids
> +	local name id keyids emails
> 
>  	# if the key is not a hex ID, do a lookup
>  	for name; do
>  		if [[ $name = ?(0x)+([0-9a-fA-F]) ]]; then
>  			keyids+=("$name")
> -		else
> -			if id=$(key_lookup_from_name "$name"); then
> -				keyids+=("$id")
> -			fi
> +		elif [[ $name = *@*.* ]]; then
> +			emails+=("$name")
> +		elif id=$(key_lookup_from_name "$name"); then
> +			keyids+=("$id")
>  		fi
>  	done
> 
> -	(( ${#keyids[*]} > 0 )) || exit 1
> +	(( ${#keyids[*]}+${#emails[*]} > 0 )) || exit 1
> +
> +	if (( ${#emails[*]} > 0 )) && \
> +	   ! "${GPG_PACMAN[@]}" --auto-key-locate nodefault,clear,wkd,keyserver \

From the man page:

clear  Clear all defined mechanisms.  This is useful to override
       mechanisms given in a config file.  Note that a nodefault
       in mechanisms will also be cleared unless it is given after
       the clear.

so clear,nodefault,wkd,keyserver ?


> +	                        --locate-key "${emails[@]}" ; then
> +		error "$(gettext "Remote key not fetched correctly from WKD or keyserver.")"
> +		exit 1

Instead of exiting here, catch the failure (ret=1), both here and...

> +	fi
> 
> -	if ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
> +	if (( ${#keyids[*]} > 0 )) && ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
>  		error "$(gettext "Remote key not fetched correctly from keyserver.")"
>  		exit 1

here...

>  	fi

and exit here if there was a failure.

> --
> 2.22.0

Patch

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index b05754e5..a4bdbaa9 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -455,22 +455,29 @@  lsign_keys() {
 }

 receive_keys() {
-	local name id keyids
+	local name id keyids emails

 	# if the key is not a hex ID, do a lookup
 	for name; do
 		if [[ $name = ?(0x)+([0-9a-fA-F]) ]]; then
 			keyids+=("$name")
-		else
-			if id=$(key_lookup_from_name "$name"); then
-				keyids+=("$id")
-			fi
+		elif [[ $name = *@*.* ]]; then
+			emails+=("$name")
+		elif id=$(key_lookup_from_name "$name"); then
+			keyids+=("$id")
 		fi
 	done

-	(( ${#keyids[*]} > 0 )) || exit 1
+	(( ${#keyids[*]}+${#emails[*]} > 0 )) || exit 1
+
+	if (( ${#emails[*]} > 0 )) && \
+	   ! "${GPG_PACMAN[@]}" --auto-key-locate nodefault,clear,wkd,keyserver \
+	                        --locate-key "${emails[@]}" ; then
+		error "$(gettext "Remote key not fetched correctly from WKD or keyserver.")"
+		exit 1
+	fi

-	if ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
+	if (( ${#keyids[*]} > 0 )) && ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
 		error "$(gettext "Remote key not fetched correctly from keyserver.")"
 		exit 1
 	fi
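Review bot: the mechanism order in `--auto-key-locate nodefault,clear,wkd,keyserver` is backwards; per the gpg man page text quoted earlier in the thread, `clear` also discards a `nodefault` that precedes it, so the `nodefault` here is a no-op and the standard local lookup is not disabled as intended. Swap the two so the option reads `--auto-key-locate clear,nodefault,wkd,keyserver`. A second issue in the same hunk: the `exit 1` in the `--locate-key` branch runs before the `--recv-keys` block, so one failed email lookup prevents any hex key IDs passed in the same invocation from being fetched at all. Record the failure in both branches (for example `ret=1`) and exit once after the final `fi`, so that every requested key is attempted and every failure is still reported.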