FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > ArchLinux > ArchLinux Pacman Development

 
 
LinkBack Thread Tools
 
Old 03-04-2012, 11:25 AM
Pierre Schmitz
 
Default pacman-key: Remove useless signature verification in --populate command

Verifing the keyring at this point is useless as a malicious package is already
installed and as such has several options to bypass this check anyway.

Signed-off-by: Pierre Schmitz <pierre@archlinux.de>
---
doc/pacman-key.8.txt | 5 -----
scripts/pacman-key.sh.in | 39 ---------------------------------------
2 files changed, 44 deletions(-)

diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index 1582a3c..3631ec8 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -129,11 +129,6 @@ any signing", so should be used with prudence. A key being marked as revoked
will be disabled in the keyring and no longer treated as valid, so this always
takes priority over it's trusted state in any other keyring.

-All files are required to be signed (detached) by a trusted PGP key that the
-user must manually import to the pacman keyring. This prevents a potentially
-malicious repository adding keys to the pacman keyring without the users
-knowledge.
-

See Also
--------
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index c393370..482b56d 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -214,43 +214,6 @@ check_keyring() {
fi
}

-validate_with_gpg() {
- msg2 "$(gettext "Verifying %s...")" "$1"
- if [[ ! -f "$1.sig" ]]; then
- error "$(gettext "File %s is unsigned, cannot continue.")" "$1"
- return 1
- elif ! "${GPG_PACMAN[@]}" --verify "$1.sig"; then
- error "$(gettext "The signature of file %s is not valid.")" "$1"
- return 1
- fi
- return 0
-}
-
-verify_keyring_input() {
- local ret=0;
- local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
-
- # Verify signatures of keyring files and trusted/revoked files if they exist
- msg "$(gettext "Verifying keyring file signatures...")"
- local keyring keyfile
- for keyring in "${KEYRINGIDS[@]}"; do
- keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
- validate_with_gpg "${keyfile}" || ret=1
-
- keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
- if [[ -f "${keyfile}" ]]; then
- validate_with_gpg "${keyfile}" || ret=1
- fi
-
- keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
- if [[ -f "${keyfile}" ]]; then
- validate_with_gpg "${keyfile}" || ret=1
- fi
- done
-
- return $ret
-}
-
populate_keyring() {
local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'

@@ -281,8 +244,6 @@ populate_keyring() {
exit 1
fi

- verify_keyring_input || exit 1
-
# Variable used for iterating on keyrings
local keys key_id

--
1.7.9.2
 

Thread Tools




All times are GMT. The time now is 06:24 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org