From 879e4665c4ed76376c9e2d9f2c597bb9cdabb79a Mon Sep 17 00:00:00 2001
From: Allan McRae <allan@archlinux.org>
Date: Sat, 9 Aug 2014 16:36:42 +1000
Subject: pacman-key: stricter parsing for -verify

Prevents trust being spoofed by using TRUST_FULLY in the signatory's name
or in an added notation.

Fixes FS#41147.

Signed-off-by: Allan McRae <allan@archlinux.org>
---
 scripts/pacman-key.sh.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'scripts')

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 82340f9f..ba8d02e8 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -482,7 +482,7 @@ verify_sig() {
 	local ret=0
 	for sig; do
 		msg "Checking %s ..." "$sig"
-		if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
+		if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$'; then
 			error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
 			ret=1
 		fi
-- 
cgit v1.2.3-70-g09d2