From 879e4665c4ed76376c9e2d9f2c597bb9cdabb79a Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Sat, 9 Aug 2014 16:36:42 +1000 Subject: pacman-key: stricter parsing for -verify Prevents trust being spoofed by using TRUST_FULLY in the signatory's name or in an added notation. Fixes FS#41147. Signed-off-by: Allan McRae --- scripts/pacman-key.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 82340f9f..ba8d02e8 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -482,7 +482,7 @@ verify_sig() { local ret=0 for sig; do msg "Checking %s ..." "$sig" - if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then + if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$'; then error "$(gettext "The signature identified by %s could not be verified.")" "$sig" ret=1 fi -- cgit v1.2.3-70-g09d2