Diffstat (limited to 'scripts/pacman-key.sh.in')
-rw-r--r--scripts/pacman-key.sh.in29
1 files changed, 28 insertions, 1 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index cb76a403..d0f338f6 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -219,6 +219,11 @@ verify_keyring_input() {
keyfile="${KEYRING_IMPORT_DIR}/${keyring}.gpg"
validate_with_gpg "${keyfile}" || ret=1
+ keyfile="${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+ if [[ -f "${keyfile}" ]]; then
+ validate_with_gpg "${keyfile}" || ret=1
+ fi
+
keyfile="${KEYRING_IMPORT_DIR}/${keyring}-revoked"
if [[ -f "${keyfile}" ]]; then
validate_with_gpg "${keyfile}" || ret=1
@@ -270,9 +275,31 @@ populate_keyring() {
"${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg"
done
- # Read the revoked key IDs to an array. The conversion from whatever is inside the file
+ # Read the trusted key IDs to an array. The conversion from whatever is inside the file
# to key ids is important, because key ids are the only guarantee of identification
# for the keys.
+ local -A trusted_ids
+ for keyring in "${KEYRINGIDS[@]}"; do
+ if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
+ while read key; do
+ key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep ^pub | cut -d: -f5)"
+ if [[ -n ${key_id} ]]; then
+ # Mark this key to be lsigned
+ trusted_ids[$key_id]="${keyring}"
+ fi
+ done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
+ fi
+ done
+
+ if (( ${#trusted_ids[@]} > 0 )); then
+ msg "$(gettext "Locally signing trusted keys in keyring...")"
+ for key_id in "${!trusted_ids[@]}"; do
+ msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
+ "${GPG_PACMAN[@]}" --quiet --lsign-key "${key_id}"
+ done
+ fi
+
+ # Read the revoked key IDs to an array.
local -A revoked_ids
for keyring in "${KEYRINGIDS[@]}"; do
if [[ -f "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
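Review bot: Each line of the signed `-trusted` file is handed to `--list-key` as a bare selector (L36), and gpg matches anything shorter than a fingerprint as a substring against user IDs, so a line that is a name, e-mail or short ID can match several imported keys; `grep ^pub | cut -d: -f5` then yields a multi-line string that becomes one malformed `trusted_ids` key and a bogus `--lsign-key` argument, or in the single-wrong-match case the wrong key gets locally signed with full trust. The lookup should collect the matches into an array and refuse to sign when there is not exactly one, and since field 5 of the `pub` record is only the 64-bit key ID, selecting the key to sign by the full fingerprint from the `fpr` record would be the stronger identifier — worth confirming against the gpg colon-format docs. The loop should also read with `IFS= read -r` so backslashes in the file are not interpreted. I cannot see from this hunk whether populate_keyring is always preceded by verify_keyring_input, which is what makes the file's contents trustworthy in the first place; if not, the lsign loop should refuse to run on an unvalidated file.
```shell
		while IFS= read -r key; do
			# Collect every pub record the selector matches; refuse ambiguous or
			# empty results so only the intended key is ever lsigned.
			mapfile -t matched_ids < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" 2>/dev/null | grep '^pub' | cut -d: -f5)
			if (( ${#matched_ids[@]} == 1 )); then
				trusted_ids[${matched_ids[0]}]="${keyring}"
			elif (( ${#matched_ids[@]} > 1 )); then
				msg2 "$(gettext "Trusted key selector %s is ambiguous, skipping")" "${key}"
			fi
		done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
```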