fix: harden GPG key import with fingerprint verification and cleanup

The registry signing key was imported without verifying its fingerprint, allowing a MITM or compromised server to inject a rogue key. Now checks the downloaded key against a pinned fingerprint before import. Also adds trap EXIT for tempfile cleanup and rejects empty curl responses.
2026-04-06 23:08:01 +02:00 · 2026-04-06 23:08:01 +02:00 · 0fba63571c
commit 0fba63571c
parent 23a14e95d5
2 changed files with 24 additions and 0 deletions
--- a/scripts/post-install.sh
+++ b/scripts/post-install.sh
@ -36,8 +36,19 @@ else
 fi
 log "Importing Moonarch registry signing key..."
 EXPECTED_FINGERPRINT="9B02C596A4652C40CA768E75B90C8B82EA30A131"
 KEY_FILE=$(mktemp)
 trap 'rm -f "$KEY_FILE"' EXIT
 curl -sf https://gitea.moonarch.de/api/packages/nevaforget/arch/repository.key -o "$KEY_FILE"
 if [[ ! -s "$KEY_FILE" ]]; then
    err "Failed to download registry key (empty response)."
    exit 1
 fi
 KEY_FPR=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^fpr/{print $10; exit}')
 if [[ "$KEY_FPR" != "$EXPECTED_FINGERPRINT" ]]; then
    err "Registry key fingerprint mismatch! Expected $EXPECTED_FINGERPRINT, got ${KEY_FPR:-<empty>}"
    exit 1
 fi
 KEY_ID=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^pub/{print $5}')
 if [[ -n "$KEY_ID" ]] && ! sudo pacman-key --list-keys "$KEY_ID" &>/dev/null; then
    sudo pacman-key --add "$KEY_FILE"
@ -47,6 +58,7 @@ else
    log "  ~ Registry key already imported."
 fi
 rm -f "$KEY_FILE"
 trap - EXIT
 # --- Set up Moonarch custom paru repo ---
--- a/scripts/transform.sh
+++ b/scripts/transform.sh
@ -221,8 +221,19 @@ else
 fi
 log "Importing Moonarch registry signing key..."
 EXPECTED_FINGERPRINT="9B02C596A4652C40CA768E75B90C8B82EA30A131"
 KEY_FILE=$(mktemp)
 trap 'rm -f "$KEY_FILE"' EXIT
 curl -sf https://gitea.moonarch.de/api/packages/nevaforget/arch/repository.key -o "$KEY_FILE"
 if [[ ! -s "$KEY_FILE" ]]; then
    err "Failed to download registry key (empty response)."
    exit 1
 fi
 KEY_FPR=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^fpr/{print $10; exit}')
 if [[ "$KEY_FPR" != "$EXPECTED_FINGERPRINT" ]]; then
    err "Registry key fingerprint mismatch! Expected $EXPECTED_FINGERPRINT, got ${KEY_FPR:-<empty>}"
    exit 1
 fi
 KEY_ID=$(gpg --show-keys --with-colons "$KEY_FILE" 2>/dev/null | awk -F: '/^pub/{print $5}')
 if [[ -n "$KEY_ID" ]] && ! sudo pacman-key --list-keys "$KEY_ID" &>/dev/null; then
    sudo pacman-key --add "$KEY_FILE"
@ -232,6 +243,7 @@ else
    log "  ~ Registry key already imported."
 fi
 rm -f "$KEY_FILE"
 trap - EXIT
 # Moonarch custom paru repo
 log "Setting up Moonarch paru repo..."