From d1240f67eab6dfa7e3344cd84dd8849b38ce337c Mon Sep 17 00:00:00 2001
From: Allan McRae <allan@archlinux.org>
Date: Mon, 15 Aug 2011 22:51:58 +1000
Subject: pacman-key: rework importing distro/repo provided keyrings

The current --reload option, apart from being non-clear in its naming,
is very limited in that only one keyring can be provided.  A distribution
may want to provide multiple keyrings for various subsets of its
organisation or custom repo providers may also want to provide a keyring.

This patch adds a --populate option that reads keyrings from (by default)
/usr/share/pacman/keyrings.  A keyring is named foo.gpg, with optional
foo-revoked file providing a list of revoked key ids.  These files are
required to be signed (detached) by a key trusted by pacman-key, in
practice probably by the key that signed the package providing these
files. The --populate flag either updates the pacman keyring using all
keyrings in the directory or individual keyrings can be specified.

Signed-off-by: Allan McRae <allan@archlinux.org>
---
 doc/pacman-key.8.txt | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'doc')

diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index 9dc175cf..f61c2eca 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -80,8 +80,12 @@ Options
 *-r, \--receive* <keyserver> <keyid(s)>::
 	Fetch the specified keyids from the specified key server URL.
 
-*\--reload*::
-	Reloads the keys from the keyring package.
+*\--populate* [<keyring(s)>]::
+	Reload the default keys from the (optionally provided) keyrings in
+	+{pkgdatadir}/keyrings+. Each keyring is provided in a file foo.gpg that
+	contains the keys for the foo keyring. Optionally the file foo-revoked
+	contains a list of revoked key IDs for that keyring. These files are
+	required to be signed (detached) by a trusted PGP key.
 
 *-u, \--updatedb*::
 	Equivalent to \--check-trustdb in GnuPG.
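Review bot: the new *\--populate* entry states that the keyring files "are required to be signed (detached) by a trusted PGP key" but does not say which file the detached signature is read from, what happens when the signature check fails, or whether keys already in the pacman keyring that are absent from the provided keyrings are left in place or removed. Since that is exactly the behaviour a user consults this page for, suggest extending the entry with one sentence on each: the expected signature file name, that an unverifiable keyring is not imported, and the effect of a populate run on pre-existing keys.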
-- 
cgit v1.2.3-70-g09d2


From 29dede2eb76ab5a139d4e8236be1037a7a86b6e5 Mon Sep 17 00:00:00 2001
From: Allan McRae <allan@archlinux.org>
Date: Tue, 23 Aug 2011 15:46:46 +1000
Subject: pacman-key: Improve documentation for --populate

Signed-off-by: Allan McRae <allan@archlinux.org>
---
 doc/pacman-key.8.txt | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)



diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index f61c2eca..ff8d38df 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -82,10 +82,8 @@ Options
 
 *\--populate* [<keyring(s)>]::
 	Reload the default keys from the (optionally provided) keyrings in
-	+{pkgdatadir}/keyrings+. Each keyring is provided in a file foo.gpg that
-	contains the keys for the foo keyring. Optionally the file foo-revoked
-	contains a list of revoked key IDs for that keyring. These files are
-	required to be signed (detached) by a trusted PGP key.
+	+{pkgdatadir}/keyrings+. For more information, see
+	<<SC,Providing a Keyring for Import>> below.
 
 *-u, \--updatedb*::
 	Equivalent to \--check-trustdb in GnuPG.
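Review bot: the cross-reference on the line `+	<<SC,Providing a Keyring for Import>> below.` needs an anchor named `SC` in the target section, but the section this patch adds further down carries only a plain two-line heading with no `[[SC]]` anchor line, so the link will not resolve unless that anchor is defined elsewhere in the file. Add `[[SC]]` on the line directly above the "Providing a Keyring for Import" heading in the second hunk, or drop the explicit id and reference the section by its generated title id.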
@@ -97,6 +95,19 @@ Options
 	Displays the program version.
 
 
+Providing a Keyring for Import
+------------------------------
+A distribution or other repository provided may want to provide a set of valid
+PGP keys used in the signing of its packages and repository databases that can
+be readily imported into the pacman keyring.  This is achieved by providing a
+PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
+directory +{pkgdatadir}/keyrings+.  Optionally the file `foo-revoked` can be
+provided containing a list of revoked key IDs for that keyring. These files are
+required to be signed (detached) by a trusted PGP key that the user must
+manually import to the pacman keyring.  This prevents a potentially malicious
+repository adding keys to the pacman keyring without the users knowledge.
+
+
 See Also
 --------
 linkman:pacman[8], linkman:pacman.conf[5]
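Review bot: two typos in the new section: "A distribution or other repository provided" should read "repository provider", and "without the users knowledge" should read "without the user's knowledge". The spacing after full stops is also inconsistent within the paragraph (two spaces after "repository databases that can be readily imported into the pacman keyring." and "manually import to the pacman keyring.", one elsewhere); pick one style so it does not need a follow-up whitespace commit. Finally, the paragraph says the trusted signing key "must" be manually imported by the user but does not say which pacman-key operation does that; naming it here would let the reader complete the procedure from this page alone.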
-- 


From e1b9f7b3005c4d6db9cc84e95a42d4beba6c7e24 Mon Sep 17 00:00:00 2001
From: Allan McRae <allan@archlinux.org>
Date: Tue, 23 Aug 2011 16:10:06 +1000
Subject: pacman-key: rework and document holding keys in keyring

The HoldKey option was undocumented and was not suited for pacman.conf.
Instead use the file "/etc/pacman.d/gnupg/heldkeys" to contain a list
of keys not to be removed from the pacman keyring with the --populate
option.

Signed-off-by: Allan McRae <allan@archlinux.org>
---
 doc/pacman-key.8.txt     |  8 ++++++--
 scripts/pacman-key.sh.in | 12 +++++-------
 2 files changed, 11 insertions(+), 9 deletions(-)


diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
index ff8d38df..3582b993 100644
--- a/doc/pacman-key.8.txt
+++ b/doc/pacman-key.8.txt
@@ -101,12 +101,16 @@ A distribution or other repository provided may want to provide a set of valid
 PGP keys used in the signing of its packages and repository databases that can
 be readily imported into the pacman keyring.  This is achieved by providing a
 PGP keyring file `foo.gpg` that contains the keys for the foo keyring in the
-directory +{pkgdatadir}/keyrings+.  Optionally the file `foo-revoked` can be
+directory +{pkgdatadir}/keyrings+. Optionally the file `foo-revoked` can be
 provided containing a list of revoked key IDs for that keyring. These files are
 required to be signed (detached) by a trusted PGP key that the user must
-manually import to the pacman keyring.  This prevents a potentially malicious
+manually import to the pacman keyring. This prevents a potentially malicious
 repository adding keys to the pacman keyring without the users knowledge.
 
+A key being marked as revoked always takes priority over the key being added to
+the pacman keyring, regardless of the keyring it is provided in. To prevent a
+key from being revoked when using --populate, its ID can be listed in
++{sysconfdir}/pacman.d/gnupg/holdkeys+.
 
 See Also
 --------
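Review bot: the file name in the new paragraph, `+{sysconfdir}/pacman.d/gnupg/holdkeys+`, does not match the commit message, which says the list lives in "/etc/pacman.d/gnupg/heldkeys"; the script hunk reads `${PACMAN_KEYRING_DIR}/holdkeys`, so the commit message is the odd one out and should be corrected. The wording "To prevent a key from being revoked when using --populate" also overstates what the script does: the hold list only stops a key from being removed from the pacman keyring (`unset removed_ids[$key_id]`), it does not affect whether the key is marked revoked, so "prevent a key from being removed" is more accurate. Since the script reads the file line by line, the paragraph should also state the format (one key ID per line).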
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 6a350af6..7b9f80ba 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -232,17 +232,15 @@ populate_keyring() {
 		fi
 	done
 
-	# List of keys that must be kept installed, even if in the list of keys to be removed
-	local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")"
-
-	# Remove the keys that must be kept from the set of keys that should be removed
-	if [[ -n ${HOLD_KEYS} ]]; then
-		for key in ${HOLD_KEYS}; do
+	# Read list of keys that must be kept installed and remove them from the list
+	# of keys to be removed
+	if [[ -f "${PACMAN_KEYRING_DIR}/holdkeys" ]]; then
+		while read key; do
 			key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
 			if [[ -n "${removed_ids[$key_id]}" ]]; then
 				unset removed_ids[$key_id]
 			fi
-		done
+		done < "${PACMAN_KEYRING_DIR}/holdkeys"
 	fi
 
 	# Remove the keys not marked to keep
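Review bot: the loop `while read key; do` in `populate_keyring` reads `holdkeys` without `-r` and without skipping empty or comment lines, so a trailing blank line ends up as `--list-key ""`, which matches every key in the keyring rather than none; the resulting `key_id="$(... | grep ^pub | cut -d: -f5)"` then holds several IDs joined by newlines, the `removed_ids[$key_id]` lookup silently matches nothing, and the hold is ignored. The same multi-line result occurs for any pattern that matches more than one key (a user-id string or a short ID), which is worth guarding against explicitly since this file decides which keys survive a populate run. Suggest `while read -r key; do`, a `[[ -z $key || $key == \#* ]] && continue` at the top of the loop, and a check that `key_id` contains exactly one ID (for example `[[ $key_id == *$'\n'* ]]` to reject ambiguous matches with a warning) before it is used as an array subscript.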
-- 