From 0fba63571c3efa4535969c6970a90f1719b4cd43 Mon Sep 17 00:00:00 2001
From: nevaforget
Date: Mon, 6 Apr 2026 23:08:01 +0200
Subject: [PATCH] fix: harden GPG key import with fingerprint verification and cleanup

The registry signing key was imported without verifying its fingerprint, allowing a MITM or compromised server to inject a rogue key. Now checks the downloaded key against a pinned fingerprint before import. Also adds trap EXIT for tempfile cleanup and rejects empty curl responses.
---
 scripts/post-install.sh | 12 ++++++++++++
 scripts/transform.sh | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/scripts/post-install.sh b/scripts/post-install.sh
index df0756e..44c2871 100755
--- a/scripts/post-install.sh
+++ b/scripts/post-install.sh
@@ -36,8 +36,19 @@ else
 fi
 log "Importing Moonarch registry signing key..."
+EXPECTED_FINGERPRINT="9B02C596A4652C40CA768E75B90C8B82EA30A131"
 KEY_FILE=$(mktemp)
+trap 'rm -f "$KEY_FILE"' EXIT
 curl -sf https://gitea.moonarch.de/api/packages/nevaforget/arch/repository.key -o "$KEY_FILE"
+if [[ ! -s "$KEY_FILE" ]]; then
+ err "Failed to download registry key (empty response)."
+ exit 1
+fi
+KEY_FPR=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^fpr/{print $10; exit}')
+if [[ "$KEY_FPR" != "$EXPECTED_FINGERPRINT" ]]; then
+ err "Registry key fingerprint mismatch! Expected $EXPECTED_FINGERPRINT, got ${KEY_FPR:-}"
+ exit 1
+fi
 KEY_ID=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^pub/{print $5}')
 if [[ -n "$KEY_ID" ]] && ! sudo pacman-key --list-keys "$KEY_ID" &>/dev/null; then
 sudo pacman-key --add "$KEY_FILE"
@@ -47,6 +58,7 @@ else
 log " ~ Registry key already imported."
 fi
 rm -f "$KEY_FILE"
+trap - EXIT
 # --- Set up Moonarch custom paru repo ---
diff --git a/scripts/transform.sh b/scripts/transform.sh
index b74cc29..2e3ef96 100755
--- a/scripts/transform.sh
+++ b/scripts/transform.sh
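Review bot: The fingerprint check in the post-install.sh hunk (and the identical one in the transform.sh hunk) verifies only the first `fpr` record because of the `exit` in the awk script, while `sudo pacman-key --add "$KEY_FILE"` imports every key contained in the file, so a response carrying the genuine key plus additional keys still passes the check and all of them land in the pacman keyring. Collecting the fingerprint of every primary key makes the comparison fail closed on extra keys and is consistent with how `KEY_ID` is extracted without `exit`: `KEY_FPR=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '$1=="pub"{want=1;next} want&&$1=="fpr"{print $10;want=0}')`. Separately, `trap 'rm -f "$KEY_FILE"' EXIT` followed by `trap - EXIT` replaces and then clears any EXIT trap the script may already have registered earlier; if one exists outside the hunk, it should be chained rather than overwritten. The pinned fingerprint and the whole import block are duplicated verbatim across the two scripts, so a future key rotation risks updating one and not the other — a shared sourced helper would avoid that. The `if [[ -n "$KEY_ID" ]]` block opened at the end of the hunk continues outside it.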
@@ -221,8 +221,19 @@ else
 fi
 log "Importing Moonarch registry signing key..."
+EXPECTED_FINGERPRINT="9B02C596A4652C40CA768E75B90C8B82EA30A131"
 KEY_FILE=$(mktemp)
+trap 'rm -f "$KEY_FILE"' EXIT
 curl -sf https://gitea.moonarch.de/api/packages/nevaforget/arch/repository.key -o "$KEY_FILE"
+if [[ ! -s "$KEY_FILE" ]]; then
+ err "Failed to download registry key (empty response)."
+ exit 1
+fi
+KEY_FPR=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^fpr/{print $10; exit}')
+if [[ "$KEY_FPR" != "$EXPECTED_FINGERPRINT" ]]; then
+ err "Registry key fingerprint mismatch! Expected $EXPECTED_FINGERPRINT, got ${KEY_FPR:-}"
+ exit 1
+fi
 KEY_ID=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^pub/{print $5}')
 if [[ -n "$KEY_ID" ]] && ! sudo pacman-key --list-keys "$KEY_ID" &>/dev/null; then
 sudo pacman-key --add "$KEY_FILE"
@@ -232,6 +243,7 @@ else
 log " ~ Registry key already imported."
 fi
 rm -f "$KEY_FILE"
+trap - EXIT
 # Moonarch custom paru repo
 log "Setting up Moonarch paru repo..."