Merge branch 'bugfix/no_sha1_sync' into 'master'

wkd_sync: Ignore keys with SHA-1 self-signature

Closes #218

See merge request archlinux/archlinux-keyring!216
This commit is contained in:
David Runge 2023-02-25 16:34:36 +00:00
commit 3034279b13
3 changed files with 7 additions and 7 deletions


@ -167,7 +167,6 @@ def create_key_revocation(
def decorator(decorated_func: Callable[..., None]) -> Callable[..., Any]:
@wraps(decorated_func)
def wrapper(working_dir: Path, *args: Any, **kwargs: Any) -> None:
revocation = test_key_revocation[username][0]
keyring_root: Path = working_dir / "keyring"
@ -199,7 +198,6 @@ def create_signature_revocation(
def decorator(decorated_func: Callable[..., None]) -> Callable[..., Any]:
@wraps(decorated_func)
def wrapper(working_dir: Path, *args: Any, **kwargs: Any) -> None:
issuer_key: Path = test_keys[issuer][0]
keyring_root: Path = working_dir / "keyring"


@ -640,7 +640,6 @@ def test_get_packets_from_path(working_dir: Path, keyring_dir: Path, path_exists
@mark.parametrize("path_exists", [(True), (False)])
@patch("libkeyringctl.keyring.get_packets_from_path")
def test_get_packets_from_listing(get_packets_from_path_mock: Mock, working_dir: Path, path_exists: bool) -> None:
path = working_dir / "path"
if not path_exists:
assert keyring.get_packets_from_listing(path=path) == []
@ -704,7 +703,6 @@ def test_derive_username_from_fingerprint(
keyring_dir: Path,
valid_fingerprint: str,
) -> None:
username = "username"
other_username = "other_user"
@ -791,7 +789,6 @@ def test_inspect_keyring(working_dir: Path, keyring_dir: Path) -> None:
def test_get_fingerprints_from_paths(keyring_dir: Path, valid_fingerprint: str, valid_subkey_fingerprint: str) -> None:
fingerprint_dir = keyring_dir / "type" / "username" / valid_fingerprint
fingerprint_dir.mkdir(parents=True)
(fingerprint_dir / (fingerprint_dir.name + ".asc")).touch()


@ -16,9 +16,14 @@ set -eu
readonly main_key_domain_match="@master-key.archlinux.org$"
readonly packager_domain_match="@archlinux.org$"
readonly homedir="$(pacman-conf GPGDir)"
# fingerprints of keys with SHA-1 self-signatures (no longer used)
readonly invalid_fingerprints=(
0F334D8698881578F65D2AE55ED514A45BD5C938 # djgera@archlinux.org
F4DDD6DDCEC320B665F502AAE8F18BA1615137BC # ibiru@archlinux.org
EA84EA00866F51FB10CD19AE426991CD8406FFF3 # ronald@archlinux.org
)
domain_match=""
uid=""
gpg_locate_external=(
# force update a key using WKD
gpg
@ -54,7 +59,7 @@ fi
# first update the main signing keys, then the packager keys
for domain_match in "$main_key_domain_match" "$packager_domain_match"; do
while read -ra fpr_email; do
if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then
if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} && ! "${invalid_fingerprints[*]}" =~ ${fpr_email[0]} ]]; then
printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
"${gpg_locate_external[@]}" "${fpr_email[1]}" || let ++error
else
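Review bot: The new skip-list test on the replaced `if` line, `! "${invalid_fingerprints[*]}" =~ ${fpr_email[0]}`, treats the fingerprint as a regular expression and accepts a hit anywhere inside the space-joined list, so a key is skipped on a partial or substring match rather than only on an exact fingerprint; it copies the shape of the neighbouring `old_fingerprints` check, so the same observation presumably applies there. A whole-token comparison keeps the match literal and exact, e.g. `[[ " ${invalid_fingerprints[*]} " == *" ${fpr_email[0]} "* ]]` used as the skip condition in place of the `=~` clause. The list added in the first hunk is maintained by hand, so a comment next to it such as `# keys listed here are never refreshed; remove an entry once the key is re-signed or retired (see #218)` would tell the next maintainer when to prune it. The `for`/`while` bodies and the `else` branch continue outside this hunk, so whether a skipped key is reported is not visible here.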