From d1240f67eab6dfa7e3344cd84dd8849b38ce337c Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Mon, 15 Aug 2011 22:51:58 +1000 Subject: pacman-key: rework importing distro/repo provided keyrings The current --reload option, apart from being non-clear in its naming, is very limited in that only one keyring can be provided. A distribution may want to provide multiple keyrings for various subsets of its organisation or custom repo providers may also want to provide a keyring. This patch adds a --populate option that reads keyrings from (by default) /usr/share/pacman/keyrings. A keyring is named foo.gpg, with optional foo-revoked file providing a list of revoked key ids. These files are required to be signed (detached) by a key trusted by pacman-key, in practice probably by the key that signed the package providing these files. The --populate flag either updates the pacman keyring using all keyrings in the directory or individual keyrings can be specified. Signed-off-by: Allan McRae --- doc/pacman-key.8.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 9dc175cf..f61c2eca 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -80,8 +80,12 @@ Options *-r, \--receive* :: Fetch the specified keyids from the specified key server URL. -*\--reload*:: - Reloads the keys from the keyring package. +*\--populate* []:: + Reload the default keys from the (optionally provided) keyrings in + +{pkgdatadir}/keyrings+. Each keyring is provided in a file foo.gpg that + contains the keys for the foo keyring. Optionally the file foo-revoked + contains a list of revoked key IDs for that keyring. These files are + required to be signed (detached) by a trusted PGP key. *-u, \--updatedb*:: Equivalent to \--check-trustdb in GnuPG. -- cgit v1.2.3-70-g09d2 From 29dede2eb76ab5a139d4e8236be1037a7a86b6e5 Mon Sep 17 00:00:00 2001 
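Review bot: the new option synopsis in this hunk reads `*\--populate* []::` with nothing inside the brackets, so the man page never says what the optional argument is; name it (the commit message says individual keyrings can be specified, so something like `[keyring ...]`) and describe it in the option body. The body should also state what pacman-key does when the detached signature on foo.gpg or foo-revoked is missing or does not verify against a key already in the pacman keyring, since "required to be signed (detached)" on its own does not tell the reader whether an unsigned or badly signed keyring is refused or imported with a warning. Finally, the commit message says --populate "updates" the keyring; the option text should say whether keys currently in the pacman keyring that appear in none of the keyring files are kept or removed, because that is the behaviour an administrator has to plan around.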
From: Allan McRae Date: Tue, 23 Aug 2011 15:46:46 +1000 Subject: pacman-key: Improve documentation for --populate Signed-off-by: Allan McRae --- doc/pacman-key.8.txt | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index f61c2eca..ff8d38df 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -82,10 +82,8 @@ Options *\--populate* []:: Reload the default keys from the (optionally provided) keyrings in - +{pkgdatadir}/keyrings+. Each keyring is provided in a file foo.gpg that - contains the keys for the foo keyring. Optionally the file foo-revoked - contains a list of revoked key IDs for that keyring. These files are - required to be signed (detached) by a trusted PGP key. + +{pkgdatadir}/keyrings+. For more information, see + <> below. *-u, \--updatedb*:: Equivalent to \--check-trustdb in GnuPG. @@ -97,6 +95,19 @@ Options Displays the program version. +Providing a Keyring for Import +------------------------------ +A distribution or other repository provided may want to provide a set of valid +PGP keys used in the signing of its packages and repository databases that can +be readily imported into the pacman keyring. This is achieved by providing a +PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the +directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be +provided containing a list of revoked key IDs for that keyring. These files are +required to be signed (detached) by a trusted PGP key that the user must +manually import to the pacman keyring. This prevents a potentially malicious +repository adding keys to the pacman keyring without the users knowledge. + + See Also -------- linkman:pacman[8], linkman:pacman.conf[5] -- cgit v1.2.3-70-g09d2 From e1b9f7b3005c4d6db9cc84e95a42d4beba6c7e24 Mon Sep 17 00:00:00 2001 
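Review bot: in the first hunk the cross-reference is rendered as `<> below.` with no target, and the "Providing a Keyring for Import" section added in the second hunk shows no anchor definition, so as written the reference cannot resolve; give the new section an anchor and reference it by that anchor name.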
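Review bot: two wording errors in the second hunk: "A distribution or other repository provided" should read "repository provider", and "without the users knowledge" needs the possessive "user's". On substance, the last two sentences claim the signature requirement "prevents a potentially malicious repository adding keys", which only holds if pacman-key verifies the detached signature against a key that is already in the pacman keyring and trusted before it imports anything from foo.gpg or foo-revoked, and refuses the files otherwise; say so explicitly, and make clear that the signing key must be imported and trusted by the user beforehand (not merely present), so a key shipped inside foo.gpg itself can never count as the signer of that file. Also, `foo.gpg` and `foo-revoked` are set in backticks here while the option text in the first hunk uses plain words; pick one convention for the page.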
From: Allan McRae Date: Tue, 23 Aug 2011 16:10:06 +1000 Subject: pacman-key: rework and document holding keys in keyring The HoldKey option was undocumented and was not suited for pacman.conf. Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list of keys not to be removed from the pacman keyring with the --populate option. Signed-off-by: Allan McRae --- doc/pacman-key.8.txt | 8 ++++++-- scripts/pacman-key.sh.in | 12 +++++------- 2 files changed, 11 insertions(+), 9 deletions(-) (limited to 'doc') diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index ff8d38df..3582b993 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -101,12 +101,16 @@ A distribution or other repository provided may want to provide a set of valid PGP keys used in the signing of its packages and repository databases that can be readily imported into the pacman keyring. This is achieved by providing a PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the -directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be +directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be provided containing a list of revoked key IDs for that keyring. These files are required to be signed (detached) by a trusted PGP key that the user must -manually import to the pacman keyring. This prevents a potentially malicious +manually import to the pacman keyring. This prevents a potentially malicious repository adding keys to the pacman keyring without the users knowledge. +A key being marked as revoked always takes priority over the key being added to +the pacman keyring, regardless of the keyring it is provided in. To prevent a +key from being revoked when using --populate, its ID can be listed in ++{sysconfdir}/pacman.d/gnupg/holdkeys+. See Also -------- diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 6a350af6..7b9f80ba 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in 
@@ -232,17 +232,15 @@ populate_keyring() { fi done - # List of keys that must be kept installed, even if in the list of keys to be removed - local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")" - - # Remove the keys that must be kept from the set of keys that should be removed - if [[ -n ${HOLD_KEYS} ]]; then - for key in ${HOLD_KEYS}; do + # Read list of keys that must be kept installed and remove them from the list + # of keys to be removed + if [[ -f "${PACMAN_KEYRING_DIR}/holdkeys" ]]; then + while read key; do key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)" if [[ -n "${removed_ids[$key_id]}" ]]; then unset removed_ids[$key_id] fi - done + done < "${PACMAN_KEYRING_DIR}/holdkeys" fi # Remove the keys not marked to keep -- cgit v1.2.3-70-g09d2
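Review bot: the commit message names the file `/etc/pacman.d/gnupg/heldkeys`, but the documentation hunk and the script both use `holdkeys`; fix the commit message. More importantly, the new doc paragraph says listing an ID in holdkeys prevents the key "from being revoked", while the script hunk only strips held keys from `removed_ids`, that is from the set of keys to be deleted because no keyring provides them, and the preceding sentence states that revocation "always takes priority" regardless of keyring; one of the two is wrong, so either reword the paragraph to "prevent a key from being removed" or make the script honour holdkeys in the revocation path as well. The `directory +{pkgdatadir}/keyrings+` and `manually import to the pacman keyring` lines are removed and re-added identically as shown, so that part of the diff looks like a whitespace-only change and is worth a mention in the message.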
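Review bot: the new `while read key; do ... done < "${PACMAN_KEYRING_DIR}/holdkeys"` loop should use `read -r` so backslashes in the file are not interpreted, and should skip empty and `#` comment lines before calling gpg, otherwise those lines are passed straight to `--list-key` as a search pattern. Because `${key}` is used as a pattern, a short key ID or user-ID fragment in holdkeys can match more than one key, in which case `grep ^pub | cut -d: -f5` returns several IDs joined by newlines and `removed_ids[$key_id]` is looked up under a string that matches nothing; document that holdkeys should hold full fingerprints and, in the loop, check that exactly one `pub` line came back (or iterate over each returned ID) before unsetting. A listed key that is not in the keyring at all leaves `key_id` empty and the lookup runs with an empty subscript, so guard it with `[[ -n $key_id ]]`. The pre-existing unquoted `unset removed_ids[$key_id]` in the context lines would also be safer as `unset 'removed_ids[$key_id]'`, since the bracket expression is otherwise subject to pathname expansion.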