Merge branch 'bugfix/no_sha1_sync' into 'master'
wkd_sync: Ignore keys with SHA-1 self-signature Closes #218 See merge request archlinux/archlinux-keyring!216
commit
3034279b13
@ -167,7 +167,6 @@ def create_key_revocation(
|
||||
def decorator(decorated_func: Callable[..., None]) -> Callable[..., Any]:
|
||||
@wraps(decorated_func)
|
||||
def wrapper(working_dir: Path, *args: Any, **kwargs: Any) -> None:
|
||||
|
||||
revocation = test_key_revocation[username][0]
|
||||
|
||||
keyring_root: Path = working_dir / "keyring"
|
||||
@ -199,7 +198,6 @@ def create_signature_revocation(
|
||||
def decorator(decorated_func: Callable[..., None]) -> Callable[..., Any]:
|
||||
@wraps(decorated_func)
|
||||
def wrapper(working_dir: Path, *args: Any, **kwargs: Any) -> None:
|
||||
|
||||
issuer_key: Path = test_keys[issuer][0]
|
||||
keyring_root: Path = working_dir / "keyring"
|
||||
|
||||
|
@ -640,7 +640,6 @@ def test_get_packets_from_path(working_dir: Path, keyring_dir: Path, path_exists
|
||||
@mark.parametrize("path_exists", [(True), (False)])
|
||||
@patch("libkeyringctl.keyring.get_packets_from_path")
|
||||
def test_get_packets_from_listing(get_packets_from_path_mock: Mock, working_dir: Path, path_exists: bool) -> None:
|
||||
|
||||
path = working_dir / "path"
|
||||
if not path_exists:
|
||||
assert keyring.get_packets_from_listing(path=path) == []
|
||||
@ -704,7 +703,6 @@ def test_derive_username_from_fingerprint(
|
||||
keyring_dir: Path,
|
||||
valid_fingerprint: str,
|
||||
) -> None:
|
||||
|
||||
username = "username"
|
||||
other_username = "other_user"
|
||||
|
||||
@ -791,7 +789,6 @@ def test_inspect_keyring(working_dir: Path, keyring_dir: Path) -> None:
|
||||
|
||||
|
||||
def test_get_fingerprints_from_paths(keyring_dir: Path, valid_fingerprint: str, valid_subkey_fingerprint: str) -> None:
|
||||
|
||||
fingerprint_dir = keyring_dir / "type" / "username" / valid_fingerprint
|
||||
fingerprint_dir.mkdir(parents=True)
|
||||
(fingerprint_dir / (fingerprint_dir.name + ".asc")).touch()
|
||||
|
@ -16,9 +16,14 @@ set -eu
|
||||
readonly main_key_domain_match="@master-key.archlinux.org$"
|
||||
readonly packager_domain_match="@archlinux.org$"
|
||||
readonly homedir="$(pacman-conf GPGDir)"
|
||||
# fingerprints of keys with SHA-1 self-signatures (no longer used)
|
||||
readonly invalid_fingerprints=(
|
||||
0F334D8698881578F65D2AE55ED514A45BD5C938 # djgera@archlinux.org
|
||||
F4DDD6DDCEC320B665F502AAE8F18BA1615137BC # ibiru@archlinux.org
|
||||
EA84EA00866F51FB10CD19AE426991CD8406FFF3 # ronald@archlinux.org
|
||||
)
|
||||
|
||||
domain_match=""
|
||||
uid=""
|
||||
gpg_locate_external=(
|
||||
# force update a key using WKD
|
||||
gpg
|
||||
@ -54,7 +59,7 @@ fi
|
||||
# first update the main signing keys, then the packager keys
|
||||
for domain_match in "$main_key_domain_match" "$packager_domain_match"; do
|
||||
while read -ra fpr_email; do
|
||||
if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then
|
||||
if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} && ! "${invalid_fingerprints[*]}" =~ ${fpr_email[0]} ]]; then
|
||||
printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
|
||||
"${gpg_locate_external[@]}" "${fpr_email[1]}" || let ++error
|
||||
else
|
||||
|
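Review bot: The added test `! "${invalid_fingerprints[*]}" =~ ${fpr_email[0]}` in the `if` of the refresh loop is an unanchored regex match against the space-joined array, not an exact membership check. With full 40-hex fingerprints it behaves as intended, but an empty or truncated first field would also match and send the key down the `else` branch instead of refreshing it. A delimited comparison such as `! " ${invalid_fingerprints[*]} " == *" ${fpr_email[0]} "*` matches whole entries only. The comment above the array could also say whether "(no longer used)" refers to the keys or to SHA-1, and record that the listed keys get no further updates through this script, revocations included, e.g. `# keys listed here are skipped by the refresh loop and receive no WKD updates, including revocations`. The loop body continues outside the hunk, so what the `else` branch reports for skipped keys is not visible here.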