[arch-projects] [dbscripts][PATCH] Prevent master keys signing packages

[Allan McRae]

Signed-off-by: Allan McRae <allan at archlinux.org>
---
 config       |  1 +
 db-functions | 14 ++++++++++++++
 db-update    |  2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/config b/config
index 3df6c95..d1413cc 100644
--- a/config
+++ b/config
@@ -18,6 +18,7 @@ SOURCE_CLEANUP_DRYRUN=false
 SOURCE_CLEANUP_KEEP=14
 
 REQUIRE_SIGNATURE=true
+MASTER_KEYS=('6AC6A4C2' '824B18E8' '4C7EA887' 'FFF979E7' 'CDFD6BB0')
 
 LOCK_DELAY=10
 LOCK_TIMEOUT=300
diff --git a/db-functions b/db-functions
index bb49894..26e6825 100644
--- a/db-functions
+++ b/db-functions
@@ -381,6 +381,20 @@ check_pkgsvn() {
 	return 0
 }
 
+check_signature() {
+	local pkgfile="${1}"
+
+	if ! pacman-key -v "${pkgfile}.sig" >/dev/null 2>&1
+		return 1
+	fi
+
+	for k in ${MASTER_KEYS}; do
+		if pacman-key -v "${pkgfile}.sig" 2>&1 | grep -q "key ID ${k}"
+			return 1
+		fi
+	done
+}
+
 check_splitpkgs() {
 	local repo="${1}"
 	shift
diff --git a/db-update b/db-update
index 576fe2b..087a248 100755
--- a/db-update
+++ b/db-update
@@ -42,7 +42,7 @@ for repo in ${repos[@]}; do
 			if ! check_pkgfile "${pkg}"; then
 				die "Package ${repo}/${pkg##*/} is not consistent with its meta data"
 			fi
-			if ${REQUIRE_SIGNATURE} && ! pacman-key -v "${pkg}.sig" >/dev/null 2>&1; then
+			if ${REQUIRE_SIGNATURE} && ! check_pkgsig ${pkg}; then
 				die "Package ${repo}/${pkg##*/} does not have a valid signature"
 			fi
 			if ! check_pkgsvn "${pkg}" "${repo}"; then
-- 
1.8.4.2