1 files changed, 99 insertions, 42 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 3efcb177..0f558a9c 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -85,45 +85,120 @@ This is free software; see the source for copying conditions.\n\
 There is NO WARRANTY, to the extent permitted by law.\n")"
 }
 
+find_config() {
+	# Prints on stdin the values of all the options from the configuration file that
+	# are associated with the first parameter of this function.
+	# The option names are stripped
+	grep -e "^[[:blank:]]*$1[[:blank:]]*=.*" "$CONFIG" | cut -d= -f 2-
+}
+
 reload_keyring() {
 	local PACMAN_SHARE_DIR='@prefix@/share/pacman'
 	local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}"
 
-	# Read-only keyring with keys to be added to the keyring
+	# Variable used for iterating on keyrings
+	local key
+	local key_id
+
+	# Keyring with keys to be added to the keyring
 	local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
 
-	# Read-only list of keys removed from the keyring.
+	# Keyring with keys that were deprecated and will eventually be deleted
+	local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg"
+
+	# List of keys removed from the keyring. This file is not a keyring, unlike the others.
+	# It is a textual list of values that gpg recogniezes as identifiers for keys.
 	local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"
 
-	# Add keys from the current set of keys from pacman-keyring package. The web of trust will
-	# be updated automatically.
+	# Verify signatures of related files, if they exist
 	if [[ -r "${ADDED_KEYS}" ]]; then
 		msg "$(gettext "Verifying official keys file signature...")"
-		if ! ${GPG_PACMAN} --quiet --verify "${ADDED_KEYS}.sig" 1>/dev/null; then
+		if ! ${GPG_PACMAN} --quiet --batch --verify "${ADDED_KEYS}.sig" 1>/dev/null; then
 			error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}"
 			exit 1
 		fi
+	fi
 
-		msg "$(gettext "Appending official keys...")"
-		local add_keys=$(${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
-		for key in ${add_keys}; do
-			msg "$(gettext "  key id: %s")" "$key"
-			${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --export "${key}" | ${GPG_PACMAN} --import
-		done
+	if [[ -r "${DEPRECATED_KEYS}" ]]; then
+		msg "$(gettext "Verifying deprecated keys file signature...")"
+		if ! ${GPG_PACMAN} --quiet --batch --verify "${DEPRECATED_KEYS}.sig" 1>/dev/null; then
+			error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}"
+			exit 1
+		fi
 	fi
 
-	# Remove the keys from REMOVED_KEYS keyring
 	if [[ -r "${REMOVED_KEYS}" ]]; then
 		msg "$(gettext "Verifying deleted keys file signature...")"
-		if ! ${GPG_PACMAN} --quiet --verify "${REMOVED_KEYS}.sig"; then
+		if ! ${GPG_PACMAN} --quiet --batch --verify "${REMOVED_KEYS}.sig"; then
 			error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}"
 			exit 1
 		fi
+	fi
+
+	# Read the key ids to an array. The conversion from whatever is inside the file
+	# to key ids is important, because key ids are the only guarantee of identification
+	# for the keys.
+	local -A removed_ids
+	if [[ -r "${REMOVED_KEYS}" ]]; then
+		while read key; do
+			local key_values name
+			key_values=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')
+			if [[ -n $key_values ]]; then
+				# The first word is the key_id
+				key_id=${key_values%% *}
+				# the rest if the name of the owner
+				name=${key_values#* }
+				if [[ -n ${key_id} ]]; then
+					# Mark this key to be deleted
+					removed_ids[$key_id]="$name"
+				fi
+			fi
+		done < "${REMOVED_KEYS}"
+	fi
+
+	# List of keys that must be kept installed, even if in the list of keys to be removed
+	local HOLD_KEYS=$(find_config "HoldKeys")
+
+	# Remove the keys that must be kept from the set of keys that should be removed
+	if [[ -n ${HOLD_KEYS} ]]; then
+		for key in ${HOLD_KEYS}; do
+			key_id=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)
+			if [[ -n "${removed_ids[$key_id]}" ]]; then
+				unset removed_ids[$key_id]
+			fi
+		done
+	fi
+
+	# Add keys from the current set of keys from pacman-keyring package. The web of trust will
+	# be updated automatically.
+	if [[ -r "${ADDED_KEYS}" ]]; then
+		msg "$(gettext "Appending official keys...")"
+		local add_keys=$(${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+		for key_id in ${add_keys}; do
+			# There is no point in adding a key that will be deleted right after
+			if [[ -z "${removed_ids[$key_id]}" ]]; then
+				${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+			fi
+		done
+	fi
+
+	if [[ -r "${DEPRECATED_KEYS}" ]]; then
+		msg "$(gettext "Appending deprecated keys...")"
+		local add_keys=$(${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+		for key_id in ${add_keys}; do
+			# There is no point in adding a key that will be deleted right after
+			if [[ -z "${removed_ids[$key_id]}" ]]; then
+				${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+			fi
+		done
+	fi
 
+	# Remove the keys not marked to keep
+	if (( ${#removed_ids[@]} > 0 )); then
 		msg "$(gettext "Removing deleted keys from keyring...")"
-		cat "${REMOVED_KEYS}" | while read key; do
-			msg "$(gettext "  key id: %s")" "$key"
-			${GPG_PACMAN} --quiet --batch --yes --delete-key "${key}"
+		for key_id in "${!removed_ids[@]}"; do
+			echo "  removing key $key_id - ${removed_ids[$key_id]}"
+			${GPG_PACMAN} --quiet --batch --yes --delete-key "${key_id}"
 		done
 	fi
 
@@ -169,8 +244,7 @@ fi
 # Read GPGDIR from $CONFIG.
 # The pattern is: any spaces or tabs, GPGDir, any spaces or tabs, equal sign
 # and the rest of the line. The string is splitted after the first occurrence of =
-if [[ GPGDIR=$(grep -e '^[[:blank:]]*GPGDir[[:blank:]]*=.*' "$CONFIG") == 0 ]]; then
-  GPGDIR=${GPGDIR#*=}
+if [[ GPGDIR=$(find_config "GPGDir") == 0 ]]; then
 	PACMAN_KEYRING_DIR="${GPGDIR}"
 fi
 GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR}"
@@ -185,15 +259,8 @@ shift
 
 case "${command}" in
 	-a|--add)
-		if (( $# == 0 )); then
-			error "$(gettext "You need to specify at least one key identifier")"
-			usage
-			exit 1
-		fi
-		while (( $# > 0 )); do
-			${GPG_PACMAN} --quiet --batch --import "$1"
-			shift
-		done
+		# If there is no extra parameter, gpg will read stdin
+		${GPG_PACMAN} --quiet --batch --import "$@"
 		;;
 	-d|--del)
 		if (( $# == 0 )); then
@@ -201,10 +268,7 @@ case "${command}" in
 			usage
 			exit 1
 		fi
-		while (( $# > 0 )); do
-			${GPG_PACMAN} --quiet --batch --delete-key --yes "$1"
-			shift
-		done
+		${GPG_PACMAN} --quiet --batch --delete-key --yes "$@"
 		;;
 	-u|--updatedb)
 		${GPG_PACMAN} --batch --check-trustdb
@@ -213,20 +277,13 @@ case "${command}" in
 		reload_keyring
 		;;
 	-l|--list)
-		${GPG_PACMAN} --batch --list-sigs
+		${GPG_PACMAN} --batch --list-sigs "$@"
 		;;
 	-f|--finger)
 		${GPG_PACMAN} --batch --fingerprint $*
 		;;
 	-e|--export)
-		if (( $# == 0 )); then
-			${GPG_PACMAN} --armor --export
-		else
-			while (( $# > 0 )); do
-				${GPG_PACMAN} --armor --export "$1"
-				shift
-			done
-		fi
+		${GPG_PACMAN} --armor --export "$@"
 		;;
 	-r|--receive)
 		if (( $# < 2 )); then
@@ -236,7 +293,7 @@ case "${command}" in
 		fi
 		keyserver="$1"
 		shift
-		${GPG_PACMAN} --keyserver "${keyserver}" --recv-keys $*
+		${GPG_PACMAN} --keyserver "${keyserver}" --recv-keys "$@"
 		;;
 	-t|--trust)
 		if (( $# == 0 )); then
@@ -257,7 +314,7 @@ case "${command}" in
 		;;
 	--adv)
 		msg "$(gettext "Executing: %s ")$*" "${GPG_PACMAN}"
-		${GPG_PACMAN} $* || ret=$?
+		${GPG_PACMAN} "$@" || ret=$?
 		exit $ret
 		;;
 	--help)