Default to pubring.gpg when trustedkeys.gpg is not found in the default key
location, for backward compatibility.
This commit is contained in:
parent
125c2f1dac
commit
ef5812a96d
1 changed files with 39 additions and 12 deletions
51
pgpverify
51
pgpverify
|
@ -2,9 +2,9 @@
|
||||||
# do '@LIBDIR@/innshellvars.pl';
|
# do '@LIBDIR@/innshellvars.pl';
|
||||||
# If running inside INN, uncomment the above and point to innshellvars.pl.
|
# If running inside INN, uncomment the above and point to innshellvars.pl.
|
||||||
#
|
#
|
||||||
# written April 1996, tale@isc.org (David C Lawrence)
|
# Written April 1996, tale@isc.org (David C Lawrence)
|
||||||
# Currently maintained by Russ Allbery <rra@stanford.edu>
|
# Currently maintained by Russ Allbery <rra@stanford.edu>
|
||||||
# Version 1.26, 2005-01-17
|
# Version 1.27, 2005-07-02
|
||||||
#
|
#
|
||||||
# NOTICE TO INN MAINTAINERS: The version that is shipped with INN is the
|
# NOTICE TO INN MAINTAINERS: The version that is shipped with INN is the
|
||||||
# same as the version that I make available to the rest of the world
|
# same as the version that I make available to the rest of the world
|
||||||
|
@ -16,6 +16,10 @@
|
||||||
# me about it; I want to know what old versions of Perl are still used in
|
# me about it; I want to know what old versions of Perl are still used in
|
||||||
# practice.
|
# practice.
|
||||||
#
|
#
|
||||||
|
# Changes from 1.26 -> 1.27
|
||||||
|
# -- Default to pubring.gpg when trustedkeys.gpg is not found in the
|
||||||
|
# default key location, for backward compatibility.
|
||||||
|
#
|
||||||
# Changes from 1.25 -> 1.26
|
# Changes from 1.25 -> 1.26
|
||||||
# -- Return the correct status code when the message isn't verified
|
# -- Return the correct status code when the message isn't verified
|
||||||
# instead of always returning 255.
|
# instead of always returning 255.
|
||||||
|
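Review bot: the new 1.26 -> 1.27 changelog entry records only the fallback to pubring.gpg, not its consequence: once gpgv is pointed at pubring.gpg instead of trustedkeys.gpg, a signature from any key in the public keyring is accepted without the trusted-keys restriction that gpgv provides. The POD paragraph added further down says this; one line in the changelog saying the same (for example "# This bypasses gpgv's trust checking; keep a non-empty trustedkeys.gpg to retain it.") would let administrators reading only the header know that the trust model changed.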
@ -430,9 +434,23 @@ sub pgp_verify {
|
||||||
# everything out to a file, this is actually fairly simple; all we need
|
# everything out to a file, this is actually fairly simple; all we need
|
||||||
# to do is grab stdout. PGP prints its banner information to stderr, so
|
# to do is grab stdout. PGP prints its banner information to stderr, so
|
||||||
# just ignore stderr. Set PGPPATH if desired.
|
# just ignore stderr. Set PGPPATH if desired.
|
||||||
|
#
|
||||||
|
# For GnuPG, use pubring.gpg if an explicit keyring was configured or
|
||||||
|
# found. Otherwise, use trustedkeys.gpg in the default keyring location
|
||||||
|
# if found and non-zero, or fall back on pubring.gpg. This is
|
||||||
|
# definitely not the logic that I would use if writing this from
|
||||||
|
# scratch, but it has the most backward compatibility.
|
||||||
local $ENV{PGPPATH} = $keyring if ($keyring && $pgpstyle ne 'GPG');
|
local $ENV{PGPPATH} = $keyring if ($keyring && $pgpstyle ne 'GPG');
|
||||||
if ($keyring && $pgpstyle eq 'GPG') {
|
if ($pgpstyle eq 'GPG') {
|
||||||
push (@command, "--keyring=$keyring/pubring.gpg");
|
if ($keyring) {
|
||||||
|
push (@command, "--keyring=$keyring/pubring.gpg");
|
||||||
|
} else {
|
||||||
|
my $home = $ENV{GNUPGHOME} || $ENV{HOME};
|
||||||
|
$home .= '/.gnupg' if $home;
|
||||||
|
if ($home && ! -s "$home/trustedkeys.gpg" && -f "$home/pubring.gpg") {
|
||||||
|
push (@command, "--keyring=pubring.gpg");
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
push (@command, "$filename.asc");
|
push (@command, "$filename.asc");
|
||||||
push (@command, $filename);
|
push (@command, $filename);
|
||||||
|
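Review bot: in the fallback branch the existence tests use absolute paths ("$home/trustedkeys.gpg", "$home/pubring.gpg") but the argument pushed is the bare name "--keyring=pubring.gpg", so the file tested and the file gpgv opens agree only because gpgv resolves a bare keyring name against its own home directory; if gpgv's home differs from the `$ENV{GNUPGHOME} || $ENV{HOME}` plus "/.gnupg" computed here, the check passes on one file and verification runs against another. Pushing "--keyring=$home/pubring.gpg" keeps both the same file and matches the configured-keyring branch, which already passes a full path. Two smaller points: trustedkeys.gpg is skipped when empty (`! -s`) while pubring.gpg only has to exist (`-f`), so an empty pubring.gpg is handed to gpgv and fails with a less obvious error than the non-empty check would give; and when neither GNUPGHOME nor HOME is set, `$home` is undefined and the fallback is silently skipped, which is acceptable but deserves a comment since the preceding block comment describes the fallback as unconditional.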
@ -690,6 +708,15 @@ signatures). If that directory doesn't exist, it will fall back on using
|
||||||
the default key ring, which is in a F<.pgp> or F<.gnupg> subdirectory of
|
the default key ring, which is in a F<.pgp> or F<.gnupg> subdirectory of
|
||||||
the running user's home directory.
|
the running user's home directory.
|
||||||
|
|
||||||
|
INN, when using GnuPG, configures B<pgpverify> to use B<gpgv>, which by
|
||||||
|
default expects keys to be in a keyring named F<trustedkeys.gpg>, since it
|
||||||
|
doesn't implement trust checking directly. B<pgpverify> uses that file if
|
||||||
|
present but falls back to F<pubring.gpg> if it's not found. This bypasses
|
||||||
|
the trust model for checking keys, but is compatible with the way that
|
||||||
|
B<pgpverify> used to behave. Of course, if a keyring is found in
|
||||||
|
I<pathetc>/pgp or configured at the top of the script, that overrides all of
|
||||||
|
this behavior.
|
||||||
|
|
||||||
=head1 OPTIONS
|
=head1 OPTIONS
|
||||||
|
|
||||||
The B<-test> flag causes B<pgpverify> to print out the input that it is
|
The B<-test> flag causes B<pgpverify> to print out the input that it is
|
||||||
|
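Review bot: the added paragraph says pgpverify uses trustedkeys.gpg "if present", but the code in pgp_verify also skips it when the file exists and is empty (the `-s` test), so "if present and non-empty" is the accurate wording. It would also help to state the consequence operationally next to "This bypasses the trust model": with the fallback, a control message signed by any key that happens to be in pubring.gpg verifies, so sites that rely on gpgv's trusted-keys restriction should keep a non-empty trustedkeys.gpg in the default keyring location or configure a keyring explicitly.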
@ -775,14 +802,6 @@ could forge a validly-signed control message would be by breaking the
|
||||||
public key encryption algorithm, which (at least at this time) is believed
|
public key encryption algorithm, which (at least at this time) is believed
|
||||||
to be prohibitively difficult for PGP keys of a sufficient bit length.
|
to be prohibitively difficult for PGP keys of a sufficient bit length.
|
||||||
|
|
||||||
=head1 SEE ALSO
|
|
||||||
|
|
||||||
gpgv(1), pgp(1)
|
|
||||||
|
|
||||||
L<ftp://ftp.isc.org/pub/pgpcontrol/> is where the most recent versions of
|
|
||||||
B<signcontrol> and B<pgpverify> live, along with PGP public keys used for
|
|
||||||
hierarchy administration.
|
|
||||||
|
|
||||||
=head1 HISTORY
|
=head1 HISTORY
|
||||||
|
|
||||||
B<pgpverify> was written by David C Lawrence <tale@isc.org>. Manual page
|
B<pgpverify> was written by David C Lawrence <tale@isc.org>. Manual page
|
||||||
|
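Review bot: the removal of the SEE ALSO section here (it is re-added after the license text in the last hunk) is a POD reordering unrelated to the keyring change, and neither the commit message nor the 1.27 changelog entry mentions it; either note the section move in the commit message or split it into its own commit so the behavioural change stays reviewable on its own.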
@ -841,6 +860,14 @@ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||||
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||||
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
|
||||||
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
gpgv(1), pgp(1)
|
||||||
|
|
||||||
|
L<ftp://ftp.isc.org/pub/pgpcontrol/> is where the most recent versions of
|
||||||
|
B<signcontrol> and B<pgpverify> live, along with PGP public keys used for
|
||||||
|
hierarchy administration.
|
||||||
|
|
||||||
=cut
|
=cut
|
||||||
|
|
||||||
# Local variables:
|
# Local variables:
|
||||||
|
|