From e5a2665a4ce96718ca2308907f16828ae5a3cb98 Mon Sep 17 00:00:00 2001
From: David Runge
Date: Sat, 23 Jul 2022 01:02:09 +0200
Subject: [PATCH] Script to refresh existing keys of archlinux-keyring

wkd_sync/archlinux-keyring-wkd-sync: Add script to refresh existing keys of archlinux-keyring on user systems based on the state of the distribution's Web Key Directory (WKD). Invalid or revoked keys are ignored.
---
wkd_sync/archlinux-keyring-wkd-sync | 63 +++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
create mode 100755 wkd_sync/archlinux-keyring-wkd-sync

diff --git a/wkd_sync/archlinux-keyring-wkd-sync b/wkd_sync/archlinux-keyring-wkd-sync
new file mode 100755
index 0000000..da8db6c
--- /dev/null
+++ b/wkd_sync/archlinux-keyring-wkd-sync
@@ -0,0 +1,63 @@
+#!/usr/bin/bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# Update all locally existing PGP keys in pacman's gnupg keyring, that are
+# relevant for Arch Linux packaging using the distribution's Web Key Directory
+# (WKD).
+# This ensures, that new signatures on already existing keys are fetched before
+# a new version of archlinux-keyring is installed. Fetching signatures early
+# prevents marginal trust issues with packages that are signed by keys which
+# only gain full trust when updating to a new version of archlinux-keyring in
+# that same system upgrade action.
+
+set -eu
+
+readonly main_key_domain_match="@master-key.archlinux.org$"
+readonly packager_domain_match="@archlinux.org$"
+readonly homedir="$(pacman-conf GPGDir)"
+
+domain_match=""
+uid=""
+gpg_locate_external=(
+ # force update a key using WKD
+ gpg
+ --homedir
+ "$homedir"
+ --quiet
+ --no-permission-warning
+ --auto-key-locate
+ "clear,nodefault,wkd"
+ --locate-external-keys
+)
+# a list of tuples of all keys in the keyring
+# e.g.:
+# C7E7849466FE2358343588377258734B41C31549 dvzrv@archlinux.org
+# 8FC15A064950A99DD1BD14DD39E4B877E62EB915 svenstaro@gmail.com
+fingerprint_mboxes="$(
+ gpg --homedir "$homedir" --no-permission-warning --list-keys --list-options show-only-fpr-mbox
+)"
+
+# a list of of all revoked keys and keys that have no valid main
+# key signatures
+old_fingerprints="$(
+ gpg --homedir "$homedir" --no-permission-warning --list-keys --with-colons |
+ awk -F: '$1 == "pub" && $2 ~ /-|q|r/ { getline; print $10 }'
+)"
+
+if (( EUID != 0 )); then
+ printf "This script must be run as root.\n" >&2
+ exit 1
+fi
+
+# first update the main signing keys, then the packager keys
+for domain_match in "$main_key_domain_match" "$packager_domain_match"; do
+ while read -ra fpr_email; do
+ if [[ ${fpr_email[1]} =~ $domain_match && ! "$old_fingerprints" =~ ${fpr_email[0]} ]]; then
+ printf "Refreshing key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
+ "${gpg_locate_external[@]}" "${fpr_email[1]}"
+ else
+ printf "Skipping key %s with UID %s...\n" "${fpr_email[0]}" "${fpr_email[1]}"
+ fi
+ done <<< "$fingerprint_mboxes"
+done