diff options
| author | Dave Reisner <dreisner@archlinux.org> | 2014-10-02 13:00:55 -0400 |
|---|---|---|
| committer | Allan McRae <allan@archlinux.org> | 2014-10-13 12:54:09 +1000 |
| commit | 926d998a750413399ca7abbe422a65ccbf09306e (patch) | |
| tree | 714a5065beb5881795ec66fdb5772f2ffa29339b | |
| parent | faf0246437b47fb67f6adc3f2d039f6d787be1a0 (diff) | |
| download | pacman-926d998a750413399ca7abbe422a65ccbf09306e.tar.xz | |
Revert "makepkg: allow less than the full fingerprint in validpgpkeys"
This reverts commit 50296576d006d433fbfd4a6c57d5f95a942f7833.
Signed-off-by: Allan McRae <allan@archlinux.org>
| -rw-r--r-- | doc/PKGBUILD.5.txt | 4 | ||||
| -rw-r--r-- | scripts/makepkg.sh.in | 21 |
2 files changed, 2 insertions, 23 deletions
diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt index 8a43bae6..74aea322 100644 --- a/doc/PKGBUILD.5.txt +++ b/doc/PKGBUILD.5.txt @@ -138,9 +138,7 @@ the integrity of the corresponding source file. trust values from the keyring. If the source file was signed with a subkey, makepkg will still use the primary key for comparison. + -Fingerprints must be uppercase and must not contain whitespace characters. They -must be either the full fingerprint or match at least 16 characters of the full -fingerprint, starting from the end of the fingerprint. +Fingerprints must be uppercase and must not contain whitespace characters. *noextract (array)*:: An array of file names corresponding to those from the source array. Files diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 9d3ba2cd..f9494037 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1410,25 +1410,6 @@ parse_gpg_statusfile() { done < "$1" } -is_known_valid_pgp_key() { - local fprint subject=$1 validfprints=("${@:2}") - - for fprint in "${validfprints[@]}"; do - # we always honor full fingerprint matches - if [[ "$subject" = "$fprint" ]]; then - return 0 - fi - - # we'll also honor a suffix match, assuming that the fprint is long enough - # to be worthy. - if (( ${#fprint} >= 16 )) && [[ $subject = *"$fprint" ]]; then - return 0 - fi - done - - return 1 -} - check_pgpsigs() { (( SKIPPGPCHECK )) && return 0 ! source_has_signatures && return 0 @@ -1515,7 +1496,7 @@ check_pgpsigs() { if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2 errors=1 - elif ! is_known_valid_pgp_key "$fingerprint" "${validpgpkeys[@]}"; then + elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")" errors=1 else |