Pacman

Historical bug tracker for the Pacman package manager.

The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues

This tracker remains open for interaction with historical bugs during the transition period. Any new bugs reports will be closed without further action.
Tasklist

FS#49241 - [pacman-key] Spurious fail on verifying signatures

Attached to Project: Pacman
Opened by Leonid Isaev (lisaev) - Saturday, 07 May 2016, 01:20 GMT
Last edited by Allan McRae (Allan) - Wednesday, 18 May 2016, 10:14 GMT
Task Type Bug Report
Category Scripts & Tools
Status Closed
Assigned To Allan McRae (Allan)
Architecture All
Severity Medium
Priority Normal
Reported Version 5.0.1
Due in Version 5.0.2
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

gnupg 2.1.12 (currently in [core]) changed the was key trust is displayed. Namely:
----------
$ gpg --status-fd 1 --homedir /etc/pacman.d/gnupg/ --verify /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig
gpg: WARNING: unsafe ownership on homedir '/etc/pacman.d/gnupg/'
gpg: assuming signed data in '/tmp/glibc-2.23-1-x86_64.pkg.tar.xz'
[GNUPG:] NEWSIG
gpg: Signature made Fri 19 Feb 2016 05:54:29 PM MST using RSA key ID EAE999BD
[GNUPG:] SIG_ID oU8xcebVo4xViJtX73T2vNKh+Tk 2016-02-20 1455929669
gpg: Note: trustdb not writable
[GNUPG:] GOODSIG F99FFE0FEAE999BD Allan McRae <me@allanmcrae.com>
gpg: Good signature from "Allan McRae <me@allanmcrae.com>" [full]
gpg: aka "Allan McRae (Developer) <allan@archlinux.org>" [full]
[GNUPG:] VALIDSIG 6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD 2016-02-20 1455929669 0 4 0 1 8 00 6645B0A8C7005E78DB1D7864F99FFE0FEAE999BD
[GNUPG:] TRUST_FULLY 0 pgp
----------
The last line now contains "0 pgp" which breaks pacman-key:

----------
$ pacman-key -v /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig
==> Checking /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig...
gpg: assuming signed data in '/tmp/glibc-2.23-1-x86_64.pkg.tar.xz'
gpg: Signature made Fri 19 Feb 2016 05:54:29 PM MST using RSA key ID EAE999BD
gpg: Note: trustdb not writable
gpg: Good signature from "Allan McRae <me@allanmcrae.com>" [full]
gpg: aka "Allan McRae (Developer) <allan@archlinux.org>" [full]
==> ERROR: The signature identified by /tmp/glibc-2.23-1-x86_64.pkg.tar.xz.sig could not be verified.
$ echo $?
1
----------
This is because in pacman-key:655 the output of gpg is piped to grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)$' which never matches. This can be fixed by changing regexp to '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$' to avoid future breakages.

Thanks!
This task depends upon

Closed by  Allan McRae (Allan)
Wednesday, 18 May 2016, 10:14 GMT
Reason for closing:  Fixed
Additional comments about closing:  git commit 892a1076
Comment by Leonid Isaev (lisaev) - Sunday, 08 May 2016, 00:21 GMT
A trivial patch...
   pacman-key.patch (1.2 KiB)
Comment by Allan McRae (Allan) - Sunday, 08 May 2016, 03:43 GMT
What is the point of adding ".*$" at the end of the grep?
Comment by Olivier Brunel (jjacky) - Sunday, 08 May 2016, 09:23 GMT
The dollar sign was already there actually, only ".*" is being added before it.

You could also remove the dollar sign instead, both should match similarly (i.e. regardless of whether or not there's something else on the line).
Comment by Leonid Isaev (lisaev) - Sunday, 08 May 2016, 20:00 GMT
Yeah, good point. It was stupid of me :) However, are there any subtle regexp parsing flaws associated with special characters, which can be triggered by just matching the TRUST_... pattern (without $ or .*)?

Loading...