Linux Archive > ArchLinux > ArchLinux Pacman Development
07-09-2011, 12:37 PM
Allan McRae

pacman-key: Add --import and --import-trustdb

On 10/06/11 16:38, Pang Yan Han wrote:

> Currently, pacman-key allows users to import their keys using the --add option
> but no similar functionality exists for importing ownertrust values.
>
> The --import-trustdb option takes in a list of directories and imports
> ownertrust values if the directories have a trustdb.gpg database.
>
> The --import is a combination of --add and --import-trustdb. It takes in a list
> of directories and imports keys from pubring.gpg, ownertrust values from
> trustdb.gpg if any of these files exist.
>
> Signed-off-by: Pang Yan Han <pangyanhan@gmail.com>
> ---
> NOTE: There is this very strange bug such that when new keys are added,
> previously imported keys will fail for signature verification. This happens with
> both --add and --import.
>
> Eg. Say you want to import trustdb.gpg and pubring.gpg from directories "first",
> "second" and "third", you'd have to:
>
> # pacman-key --import first second third
> # pacman-key --import first second third



I have not gone through your patch in detail yet, but I do not see this
issue you report when using the --add option:


allan@mugen /home/arch/code/pacman (working)
> ./scripts/pacman-key --verify /home/allan/web/allanbrokeit/i686/allanbrokeit.db.sig

gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
gpg: NOTE: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>"
gpg: aka "Allan McRae (Developer) <allan@archlinux.org>"

allan@mugen /home/arch/code/pacman (working)
> sudo ./scripts/pacman-key --add /home/allan/dan.gpg
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

allan@mugen /home/arch/code/pacman (working)
> ./scripts/pacman-key --verify /home/allan/web/allanbrokeit/i686/allanbrokeit.db.sig

gpg: Signature made Tue 05 Jul 2011 15:22:42 EST using RSA key ID EAE999BD
gpg: NOTE: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>"
gpg: aka "Allan McRae (Developer) <allan@archlinux.org>"


So the signature verification still works after adding a key with --add.
There are two possibilities here... 1) this is fixed due to the large
number of changes on my working branch, or 2) there is something wrong
with the --import stuff...


Can you give more details on this issue so I can follow it up and get
this patch merged?


Cheers,
Allan
 
07-10-2011, 04:10 AM
Pang Yan Han

pacman-key: Add --import and --import-trustdb

Hi Allan,

I'll send 2 small patches to be applied on top of your working branch, and
an edited version of the --import patch soon.

The issue I mentioned is with regards to pacman -U and pacman-key --import.
I edited the patch so that it'll work with the new pacman-key code, and the
same thing happens.

Basically, I tried installing 2 packages signed by 2 different keys. They are
"ack-1.94-2-any.pkg.tar.xz" and "archlinux-wallpaper-1.3-2-any.pkg.tar.xz".
Their respective .sig files (detached signatures) are in the same directories.

So I did:

[root@localhost ~] # pacman-key --init
gpg: /usr/local/etc/pacman.d/gnupg/trustdb.gpg: trustdb created
gpg: no ultimately trusted keys found

[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': Invalid or corrupted package (PGP signature)

[root@localhost ~] # pacman --import .gnupg/
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
Works now with pacman, but I didn't install anything.

Then, I proceeded to import the trustdb with the key for the archlinux
wallpaper package.

[root@localhost ~] # pacman-key --import /home/yh/.gnupg/
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
gpg: inserting ownertrust of 6
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

[root@localhost ~] # pacman -U archlinux-wallpaper-1.3-2-any.pkg.tar.xz
Works now

But then the one for ack fails:
[root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
error: 'ack-1.94-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)

And the previously successful pacman-key --verify for the ack package spat
out some warning messages this time:

[root@localhost ~] # pacman-key --verify ack-1.94-2-any.pkg.tar.xz
gpg: Signature made Fri 10 Jun 2011 11:44:28 AM SGT using RSA key ID CF7AE1C9
gpg: Good signature from "testing123 <test123@hotmail.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: <omitted>


The verification for archlinux-wallpaper is ok:

[root@localhost ~] # pacman-key --verify archlinux-wallpaper-1.3-2-any.pkg.tar.xz
gpg: Signature made Sun 10 Jul 2011 11:41:18 AM SGT using RSA key ID 1582A729
gpg: Good signature from "Pang Yan Han <pangyanhan@gmail.com>"


Then, I imported the 2 directories at one go:

[root@localhost ~] # pacman-key --import /home/yh/.gnupg/ .gnupg/
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
gpg: setting ownertrust to 6
gpg: setting ownertrust to 6
gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'

Subsequently, the pacman -U and pacman-key --verify worked for both packages.


I can only suspect that it has something to do with importing from a
different user since there are warnings with regards to "unsafe ownership".

It might be worth it to try the following:
1. As root, use "pacman-key --import" to import the trustdb
2. Create a new gpg key on another directory.
3. Use "pacman-key --import" to import the new trustdb
4. Sign 2 packages using the 2 different keys and try installing using
   pacman -U to see if the same problem exists.

On Sat, Jul 9, 2011 at 8:37 PM, Allan McRae <allan@archlinux.org> wrote:

> <snip>
 
07-10-2011, 04:31 AM
Pang Yan Han

pacman-key: Add --import and --import-trustdb

Currently, pacman-key allows the user to import their keys using the --add
option. However, no similar functionality exists for importing ownertrust
values.

The --import-trustdb option takes a list of directories and imports ownertrust
values if the directories have a trustdb.gpg database.

The --import option takes a list of directories and imports keys from
pubring.gpg and ownertrust values from trustdb.gpg. Think of it as a combination
of --add and --import-trustdb

Signed-off-by: Pang Yan Han <pangyanhan@gmail.com>
---
NOTE: To be applied on top of allan/working
There is an issue with this patch and pacman -U
See http://mailman.archlinux.org/pipermail/pacman-dev/2011-July/013780.html
for more info.

doc/pacman-key.8.txt | 7 +++++++
scripts/pacman-key.sh.in | 36 +++++++++++++++++++++++++++++++++---
2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index cf72b83..6314287 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -60,6 +60,13 @@ Options
*-h, --help*::
Output syntax and command line options.

+*--import* <dir(s)>::
+ Adds keys from pubring.gpg into pacman's keyring and imports ownertrust
+ values from trustdb.gpg in the specified directories.
+
+*--import-trustdb* <dir(s)>::
+ Imports ownertrust values from trustdb.gpg in the specified directories.
+
*--init*::
Ensure the keyring is properly initialized and has the required access
permissions.
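Review bot: the two new man page entries do not say what happens for a directory that has no pubring.gpg or trustdb.gpg; the script silently skips such directories (the `[[ -f ... ]]` checks in `import` and `import_trustdb`), so say so here, and mention that both operations need root like `--add`, since the EUID check further down is extended to cover them.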
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index cb108ac..91c3d87 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -32,6 +32,8 @@ DELETE=0
EDITKEY=0
EXPORT=0
FINGER=0
+IMPORT=0
+IMPORT_TRUSTDB=0
INIT=0
LIST=0
RECEIVE=0
@@ -66,6 +68,8 @@ usage() {
echo "$(gettext " --edit-key <keyid(s)> Present a menu for key management task on keyids")"
echo "$(gettext " --gpgdir <dir> Set an alternate directory for gnupg")"
printf "$(gettext " (instead of '%s')")
" "@sysconfdir@/pacman.d/gnupg"
+ echo "$(gettext " --import <dir(s)> Imports pubring.gpg and trustdb.gpg from dir(s)")"
+ echo "$(gettext " --import-trustdb <dir(s)> Imports ownertrust values from trustdb.gpg in dir(s)")"
echo "$(gettext " --init Ensure the keyring is properly initialized")"
echo "$(gettext " --reload Reload the default keys")"
}
@@ -278,6 +282,27 @@ edit_keys() {
done
}

+import_trustdb() {
+ local importdir
+ for importdir in "${IMPORT_DIRS[@]}"; do
+ if [[ -f "${importdir}/trustdb.gpg" ]]; then
+ gpg --homedir "${importdir}" --export-ownertrust | ${GPG_PACMAN} --import-ownertrust
+ fi
+ done
+}
+
+import() {
+ local importdir
+ for importdir in "${IMPORT_DIRS[@]}"; do
+ if [[ -f "${importdir}/trustdb.gpg" ]]; then
+ import_trustdb "${import_dir}"
+ fi
+ if [[ -f "${importdir}/pubring.gpg" ]]; then
+ ${GPG_PACMAN} --quiet --batch --import "${importdir}/pubring.gpg"
+ fi
+ done
+}
+
# PROGRAM START
if ! type gettext &>/dev/null; then
gettext() {
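Review bot: in `import()` the call `import_trustdb "${import_dir}"` uses an unset variable (the loop variable is `importdir`), and `import_trustdb` ignores its argument and loops over all of `IMPORT_DIRS` anyway, so every directory that has a trustdb.gpg triggers a re-import of every trustdb. Call `import_trustdb` once, after the key loop, and drop the argument. Separately, `gpg --homedir "${importdir}" --export-ownertrust` runs without the `--no-permission-warning` that `GPG_PACMAN` carries, which is what produces the "unsafe ownership on homedir" warnings seen earlier in this thread when root reads a user's homedir; add it, or note why the warning is wanted.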
@@ -287,7 +312,8 @@ fi

OPT_SHORT="a::d:e:f::hlr:uv:V"
OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
-OPT_LONG+=",help,init,list,receive:,reload,updated b,verify:,version"
+OPT_LONG+=",help,import:,import-trustdb:,init,list,receive:,reload,updatedb"
+OPT_LONG+=",verify:,version"
if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
echo; usage; exit 1 # E_INVALID_OPTION;
fi
@@ -308,6 +334,8 @@ while true; do
-e|--export) EXPORT=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
-f|--finger) FINGER=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
--gpgdir) shift; PACMAN_KEYRING_DIR=$1 ;;
+ --import) IMPORT=1; shift; IMPORT_DIRS=($1) ;;
+ --import-trustdb) IMPORT_TRUSTDB=1; shift; IMPORT_DIRS=($1) ;;
--init) INIT=1 ;;
-l|--list) LIST=1 ;;
-r|--receive) RECEIVE=1; shift; KEYSERVER="${1[0]}"; KEYIDS=("${1[@]:1}") ;;
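Review bot: `IMPORT_DIRS=($1)` takes a single argument and word-splits and glob-expands it, so several directories have to be passed as one quoted argument and a path containing spaces or `*` breaks; the `pacman-key --import first second third` form in the commit message would appear to leave `second` and `third` behind as stray positional arguments. This mirrors the existing `KEYIDS=($1)` handling two lines up, so either document the quoting in the man page entry or consume the remaining positionals instead.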
@@ -330,7 +358,7 @@ if ! type -p gpg >/dev/null; then
exit 1
fi

-if (( (ADD || DELETE || EDITKEY || INIT || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
+if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
exit 1
fi
@@ -348,7 +376,7 @@ PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-$(get_from "$CONFIG" "GPGDir" || echo "
GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning"

# check only a single operation has been given
-numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + INIT + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY ))
+numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB + INIT + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY ))

if (( ! numopt )); then
error "$(gettext "No operations specified")"
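Review bot: this line is rewritten anyway, so fix the pre-existing `UPDATEBD` typo while touching it; the flag set by the option loop and tested in the root check above is `UPDATEDB`, so `--updatedb` currently never counts towards `numopt` and the single-operation check does not apply to it.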
@@ -370,6 +398,8 @@ fi
(( EDITKEY )) && edit_keys
(( EXPORT )) && ${GPG_PACMAN} --armor --export "${KEYIDS[@]}"
(( FINGER )) && ${GPG_PACMAN} --batch --fingerprint "${KEYIDS[@]}"
+(( IMPORT )) && import
+(( IMPORT_TRUSTDB)) && import_trustdb
(( INIT )) && initialize
(( LIST )) && ${GPG_PACMAN} --batch --list-sigs "${KEYIDS[@]}"
(( RECEIVE )) && receive_keys
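Review bot: `(( IMPORT_TRUSTDB))` is missing the space before `))`; the surrounding dispatch lines use `(( IMPORT ))`, so match that.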
--
1.7.6.132.g8b11f
 
07-16-2011, 01:30 PM
Allan McRae

pacman-key: Add --import and --import-trustdb

On 10/07/11 14:10, Pang Yan Han wrote:


> The issue I mentioned is with regards to pacman -U and pacman-key --import.
> I edited the patch so that it'll work with the new pacman-key code, and
> the same thing happens.
>
> Basically, I tried installing 2 packages signed by 2 different keys.
> They are "ack-1.94-2-any.pkg.tar.xz" and "archlinux-wallpaper-1.3-2-any.pkg.tar.xz".
> Their respective .sig files (detached signatures) are in the same directories.
>
> So I did:
>
> [root@localhost ~] # pacman-key --init
> gpg: /usr/local/etc/pacman.d/gnupg/trustdb.gpg: trustdb created
> gpg: no ultimately trusted keys found
>
> [root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
> error: 'ack-1.94-2-any.pkg.tar.xz': Invalid or corrupted package (PGP signature)
>
> [root@localhost ~] # pacman --import .gnupg/
> gpg: inserting ownertrust of 6
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> [root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
> Works now with pacman, but I didn't install anything.
>
> Then, I proceeded to import the trustdb with the key for the archlinux
> wallpaper package.
>
> [root@localhost ~] # pacman-key --import /home/yh/.gnupg/
> gpg: WARNING: unsafe ownership on homedir `/home/yh/.gnupg/'
> gpg: inserting ownertrust of 6
> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
>
> [root@localhost ~] # pacman -U archlinux-wallpaper-1.3-2-any.pkg.tar.xz
> Works now
>
> But then the one for ack fails:
> [root@localhost ~] # pacman -U ack-1.94-2-any.pkg.tar.xz
> error: 'ack-1.94-2-any.pkg.tar.xz': invalid or corrupted package (PGP signature)




This is because of how --import-ownertrust works:

--import-ownertrust
Update the trustdb with the ownertrust values stored in files
(or STDIN if not given); existing values will be overwritten.

That last bit is the key to the issue! So we need to be smarter in this
bit here....


+import_trustdb() {
+ local importdir
+ for importdir in "${IMPORT_DIRS[@]}"; do
+ if [[ -f "${importdir}/trustdb.gpg" ]]; then
+ gpg --homedir "${importdir}" --export-ownertrust | ${GPG_PACMAN}
--import-ownertrust

+ fi
+ done
+}


Only that last trustdb will end up being imported. I think that doing
something like this instead:


    ${GPG_PACMAN} --export-ownertrust > tmp.file
    for importdir in "${IMPORT_DIRS[@]}"; do
        if [[ -f "${importdir}/trustdb.gpg" ]]; then
            gpg --homedir "${importdir}" --export-ownertrust >> tmp.file
        fi
    done
    ${GPG_PACMAN} --import-ownertrust tmp.file

should work... but I have not tested. If appending the trustdb's
together does not work, then create a temporary folder instead and store
them all in individual files and pass --import-ownertrust multiple files.


Hopefully that fixes this and we can merge this patch.

Cheers,
Allan
 
07-19-2011, 12:52 PM
Pang Yan Han

pacman-key: Add --import and --import-trustdb

Currently, pacman-key allows the user to import their keys using the --add
option. However, no similar functionality exists for importing ownertrust
values.

The --import-trustdb option takes a list of directories and imports ownertrust
values if the directories have a trustdb.gpg database.

The --import option takes a list of directories and imports keys from
pubring.gpg and ownertrust values from trustdb.gpg. Think of it as a combination
of --add and --import-trustdb

Signed-off-by: Pang Yan Han <pangyanhan@gmail.com>
---
doc/pacman-key.8.txt | 7 +++++++
scripts/pacman-key.sh.in | 45 ++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index cf72b83..14f3cb9 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -60,6 +60,13 @@ Options
*-h, --help*::
Output syntax and command line options.

+*--import* <dir(s)>::
+ Adds keys from pubring.gpg into pacman's keyring and imports ownertrust
+ values from trustdb.gpg in the specified directories.
+
+*--import-dirs* <dir(s)> ::
+ Imports ownertrust values from trustdb.gpg in the specified directories.
+
*--init*::
Ensure the keyring is properly initialized and has the required access
permissions.
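Review bot: the second entry is headed `*--import-dirs*`, but the option implemented in the script and listed in its usage text is `--import-trustdb`, so the man page would document an option that does not exist. The stray space before `::` also differs from every other entry in this file.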
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index cb108ac..ef23290 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -32,6 +32,8 @@ DELETE=0
EDITKEY=0
EXPORT=0
FINGER=0
+IMPORT=0
+IMPORT_TRUSTDB=0
INIT=0
LIST=0
RECEIVE=0
@@ -39,6 +41,9 @@ RELOAD=0
UPDATEDB=0
VERIFY=0

+# Globals
+TMP_TRUSTDB='tmp_trustdb.gpg'
+
m4_include(library/output_format.sh)

m4_include(library/parse_options.sh)
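Review bot: `TMP_TRUSTDB='tmp_trustdb.gpg'` is a fixed relative name, so the scratch file is created in whatever directory pacman-key happens to be run from, as root, and a pre-existing file or symlink of that name there is followed and overwritten. Create the file with `mktemp` inside `import_trustdb` rather than naming it in a global.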
@@ -66,6 +71,8 @@ usage() {
echo "$(gettext " --edit-key <keyid(s)> Present a menu for key management task on keyids")"
echo "$(gettext " --gpgdir <dir> Set an alternate directory for gnupg")"
printf "$(gettext " (instead of '%s')")
" "@sysconfdir@/pacman.d/gnupg"
+ echo "$(gettext " --import <dir(s)> Imports pubring.gpg and trustdb.gpg from dir(s)")"
+ echo "$(gettext " --import-trustdb <dir(s)> Imports ownertrust values from trustdb.gpg in dir(s)")"
echo "$(gettext " --init Ensure the keyring is properly initialized")"
echo "$(gettext " --reload Reload the default keys")"
}
@@ -278,6 +285,33 @@ edit_keys() {
done
}

+import_trustdb() {
+ local importdir
+ ${GPG_PACMAN} --export-ownertrust > ${TMP_TRUSTDB}
+
+ for importdir in "${IMPORT_DIRS[@]}"; do
+ if [[ -f "${importdir}/trustdb.gpg" ]]; then
+ gpg --homedir "${importdir}" --export-ownertrust >> ${TMP_TRUSTDB}
+ fi
+ done
+
+ ${GPG_PACMAN} --import-ownertrust ${TMP_TRUSTDB}
+ rm -f ${TMP_TRUSTDB}
+}
+
+import() {
+ local importdir
+
+ # Imports public keys, then import trustdbs
+ for importdir in "${IMPORT_DIRS[@]}"; do
+ if [[ -f "${importdir}/pubring.gpg" ]]; then
+ ${GPG_PACMAN} --quiet --batch --import "${importdir}/pubring.gpg"
+ fi
+ done
+
+ import_trustdb
+}
+
# PROGRAM START
if ! type gettext &>/dev/null; then
gettext() {
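Review bot: `${TMP_TRUSTDB}` is unquoted at every use in `import_trustdb` and, being a relative name, lands in the caller's current directory; use `local trustdb; trustdb=$(mktemp)` and quote it. Two behaviours of this function deserve a comment: the keyring's own export is written first and `--import-ownertrust` applies the file in sequence, so a fingerprint present in any imported trustdb overrides the keyring's existing value for it, and an imported export carrying ownertrust 6 makes that key ultimately trusted by pacman (the "inserting ownertrust of 6" lines earlier in this thread), which is a large grant to make without at least reporting it. Also, `rm -f` runs whether or not the import succeeded, so a failed import leaves nothing to inspect.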
@@ -287,7 +321,8 @@ fi

OPT_SHORT="a::d:e:f::hlr:uv:V"
OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
-OPT_LONG+=",help,init,list,receive:,reload,updated b,verify:,version"
+OPT_LONG+=",help,import:,import-trustdb:,init,list,receive:,reload,updatedb"
+OPT_LONG+=",verify:,version"
if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
echo; usage; exit 1 # E_INVALID_OPTION;
fi
@@ -308,6 +343,8 @@ while true; do
-e|--export) EXPORT=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
-f|--finger) FINGER=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
--gpgdir) shift; PACMAN_KEYRING_DIR=$1 ;;
+ --import) IMPORT=1; shift; IMPORT_DIRS=($1) ;;
+ --import-trustdb) IMPORT_TRUSTDB=1; shift; IMPORT_DIRS=($1) ;;
--init) INIT=1 ;;
-l|--list) LIST=1 ;;
-r|--receive) RECEIVE=1; shift; KEYSERVER="${1[0]}"; KEYIDS=("${1[@]:1}") ;;
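Review bot: `IMPORT_DIRS=($1)` still word-splits and glob-expands a single argument, so several directories must be passed as one quoted string and a path with spaces breaks; document the quoting in the man page or consume the remaining positional arguments.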
@@ -330,7 +367,7 @@ if ! type -p gpg >/dev/null; then
exit 1
fi

-if (( (ADD || DELETE || EDITKEY || INIT || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
+if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
exit 1
fi
@@ -348,7 +385,7 @@ PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-$(get_from "$CONFIG" "GPGDir" || echo "
GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning"

# check only a single operation has been given
-numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + INIT + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY ))
+numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB + INIT + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY ))

if (( ! numopt )); then
error "$(gettext "No operations specified")"
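Review bot: the `UPDATEBD` typo survives into this version of the line; the flag set by the option loop and tested in the root check is `UPDATEDB`, so `--updatedb` still does not count towards `numopt`.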
@@ -370,6 +407,8 @@ fi
(( EDITKEY )) && edit_keys
(( EXPORT )) && ${GPG_PACMAN} --armor --export "${KEYIDS[@]}"
(( FINGER )) && ${GPG_PACMAN} --batch --fingerprint "${KEYIDS[@]}"
+(( IMPORT )) && import
+(( IMPORT_TRUSTDB)) && import_trustdb
(( INIT )) && initialize
(( LIST )) && ${GPG_PACMAN} --batch --list-sigs "${KEYIDS[@]}"
(( RECEIVE )) && receive_keys
--
1.7.6.178.g55272
 
07-19-2011, 01:14 PM
Allan McRae

pacman-key: Add --import and --import-trustdb

On 19/07/11 22:52, Pang Yan Han wrote:

Currently, pacman-key allows the user to import their keys using the --add
option. However, no similar functionality exists for importing ownertrust
values.

The --import-trustdb option takes a list of directories and imports ownertrust
values if the directories have a trustdb.gpg database.

The --import option takes a list of directories and imports keys from
pubring.gpg and ownertrust values from trustdb.gpg. Think of it as a combination
of --add and --import-trustdb

Signed-off-by: Pang Yan Han<pangyanhan@gmail.com>
---


Great to have this working now. Looks almost good to go apart from:

<snip>


+# Globals
+TMP_TRUSTDB='tmp_trustdb.gpg'
+


Yuck! Let's kill that....

<snip>



+import_trustdb() {
+ local importdir


local trustdb=$(mktemp)

and then replacing ${TMP_TRUSTDB} with ${trustdb} throughout here.


+ ${GPG_PACMAN} --export-ownertrust> ${TMP_TRUSTDB}
+
+ for importdir in "${IMPORT_DIRS[@]}"; do
+ if [[ -f "${importdir}/trustdb.gpg" ]]; then
+ gpg --homedir "${importdir}" --export-ownertrust>> ${TMP_TRUSTDB}
+ fi
+ done
+
+ ${GPG_PACMAN} --import-ownertrust ${TMP_TRUSTDB}
+ rm -f ${TMP_TRUSTDB}
+}



I can make that change as I pull this to my working branch later this week.

Allan
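The two points Allan makes in this thread, that `--import-ownertrust` overwrites existing values so every export has to be merged before a single import, and that the scratch file belongs in `mktemp`, put together in one added example. This is example code written for this page, not pacman's own pacman-key, and it adds a check the patch does not have: it refuses to silently grant ultimate trust (ownertrust 6, the value behind the "inserting ownertrust of 6" lines above) to a key the keyring did not already trust ultimately, unless `ALLOW_ULTIMATE=1` is set. It assumes the `<fingerprint>:<trust>:` record format of `gpg --export-ownertrust`, borrows the `GPG_PACMAN` variable from pacman-key.sh.in, and the `ALLOW_ULTIMATE` knob and helper names are this example's own.

```shell
#!/bin/sh
# Example for the pacman-key thread, not pacman's own code.
# Assumptions: `gpg --export-ownertrust` emits `<fingerprint>:<trust>:` records
# plus `#` comment lines; GPG_PACMAN mirrors the variable in pacman-key.sh.in;
# ALLOW_ULTIMATE and the function names below are this example's own.

PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-/etc/pacman.d/gnupg}
GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning"
ALLOW_ULTIMATE=${ALLOW_ULTIMATE:-0}

# merge_ownertrust EXISTING IMPORTED > MERGED
# One record per fingerprint. A fingerprint seen more than once keeps its last
# value, which is what gpg does when it applies the file in order, so the
# keyring's own value (EXISTING is read first) is overridden by an imported one.
# Exit 1 on a malformed record, 2 when a new ultimate grant is refused.
merge_ownertrust() {
    awk -v allow="$ALLOW_ULTIMATE" '
        /^[ \t]*$/ { next }
        /^[ \t]*#/ { next }                          # gpg header comments
        !/^[0-9A-Fa-f]+:[0-9]+:$/ {
            print "malformed ownertrust record in " FILENAME " line " FNR ": " $0 | "cat 1>&2"
            bad = 1; next
        }
        {
            split($0, f, ":"); fpr = toupper(f[1]); trust = f[2] + 0
            if (trust < 2 || trust > 6) {             # 2 undefined, 3 never, 4 marginal, 5 full, 6 ultimate
                print "bad trust value " trust " for " fpr | "cat 1>&2"; bad = 1; next
            }
            if (FILENAME == ARGV[1] && trust == 6) had_ultimate[fpr] = 1
            if (!(fpr in final)) order[++n] = fpr     # first appearance fixes output position
            final[fpr] = trust                        # later records win
        }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++) {
                fpr = order[i]
                if (final[fpr] == 6 && !(fpr in had_ultimate)) {
                    if (allow == 1)
                        print "note: importing ultimate trust for " fpr | "cat 1>&2"
                    else {
                        print "refusing to grant ultimate trust to " fpr " (set ALLOW_ULTIMATE=1 to permit)" | "cat 1>&2"
                        refused = 1
                    }
                }
                print fpr ":" final[fpr] ":"
            }
            if (refused) exit 2
        }
    ' "$1" "$2"
}

# Worker: expects $scratch to be a private directory created by import_trustdb.
_import_trustdb_in() {
    ${GPG_PACMAN} --export-ownertrust > "$scratch/existing" || return 1
    : > "$scratch/imported"
    found=0
    for importdir in "$@"; do
        [ -f "$importdir/trustdb.gpg" ] || continue   # no trustdb here: skip, as the patch does
        gpg --homedir "$importdir" --no-permission-warning --export-ownertrust \
            >> "$scratch/imported" || return 1
        found=1
    done
    [ "$found" -eq 1 ] || return 0                    # nothing to merge: keyring left untouched
    merge_ownertrust "$scratch/existing" "$scratch/imported" > "$scratch/merged" || return $?
    ${GPG_PACMAN} --import-ownertrust "$scratch/merged"
}

# import_trustdb DIR...: the scratch directory is private (mktemp -d creates it
# mode 0700) and is removed whatever the outcome, unlike a fixed name in $PWD.
import_trustdb() {
    scratch=$(mktemp -d) || return 1
    if _import_trustdb_in "$@"; then rc=0; else rc=$?; fi
    rm -rf -- "$scratch"
    return $rc
}

# Usage, as root:  ALLOW_ULTIMATE=1 import_trustdb /home/alice/.gnupg /home/bob/.gnupg
```

Exit status 2 with the keyring untouched is the signal that one of the imported trustdbs would have made a key ultimately trusted that was not before; rerun with `ALLOW_ULTIMATE=1` once the fingerprint named on stderr has been checked. The awk stage is the only addition over the shape the thread ends with, and it also normalises the merged file so that gpg receives one record per fingerprint.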
 
07-19-2011, 04:34 PM
Pang Yan Han

pacman-key: Add --import and --import-trustdb

On Tue, Jul 19, 2011 at 9:14 PM, Allan McRae <allan@archlinux.org> wrote:

> <snip>

Thanks for helping me figure out how to solve this =)