Add function to sign repo database. Enabling signing requires setting SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted from signing package files. Signed-off-by: Allan McRae <allan@archlinux.org> --- config | 3 +++ db-functions | 17 ++++++++++++++++- db-move | 6 ++++++ db-remove | 1 + db-repo-add | 1 + db-repo-remove | 1 + db-update | 1 + testing2x | 2 ++ 8 files changed, 31 insertions(+), 1 deletion(-) diff --git a/config b/config index d1413cc..2069565 100644 --- a/config +++ b/config @@ -20,6 +20,9 @@ SOURCE_CLEANUP_KEEP=14 REQUIRE_SIGNATURE=true MASTER_KEYS=('6AC6A4C2' '824B18E8' '4C7EA887' 'FFF979E7' 'CDFD6BB0') +SIGN_DB=false +DB_KEY='' + LOCK_DELAY=10 LOCK_TIMEOUT=300 diff --git a/db-functions b/db-functions index 26e6825..bbbee25 100644 --- a/db-functions +++ b/db-functions @@ -227,6 +227,21 @@ repo_unlock () { #repo_unlock <repo-name> <arch> fi } +# sign_db <repo-name> <arch> +sign_db() { + local repo=$1 + local arch=$2 + local dbfile="${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT}" + local filesfile="${FTP_BASE}/${repo}/os/${arch}/${repo}${FILESEXT}" + + if ! $SIGN_DB; the + return 0 + fi + + gpg --homedir=/etc/pacman.d/gnupg/ --default-key ${DB_KEY} --detach-sign ${dbfile} + gpg --homedir=/etc/pacman.d/gnupg/ --default-key ${DB_KEY} --detach-sign ${filesfile} +} + # usage: _grep_pkginfo pkgfile pattern _grep_pkginfo() { local _ret @@ -388,7 +403,7 @@ check_signature() { return 1 fi - for k in ${MASTER_KEYS}; do + for k in ${MASTER_KEYS} ${DB_KEY}; do if pacman-key -v "${pkgfile}.sig" 2>&1 | grep -q "key ID ${k}" return 1 fi diff --git a/db-move b/db-move index 1fa44d4..e51ce02 100755 --- a/db-move +++ b/db-move @@ -120,6 +120,12 @@ for tarch in ${ARCHES[@]}; do done for pkgarch in ${ARCHES[@]}; do + sign_db ${repo_from} ${pkgarch} + sign_db ${repo_to} ${pkgarch} +done + + +for pkgarch in ${ARCHES[@]}; do repo_unlock ${repo_from} ${pkgarch} repo_unlock ${repo_to} ${pkgarch} done diff --git a/db-remove b/db-remove index 25cb9a7..8de0b7f 100755 --- a/db-remove +++ b/db-remove @@ -48,5 +48,6 @@ done for tarch in ${tarches[@]}; do arch_repo_remove "${repo}" "${tarch}" ${remove_pkgs[@]} + sign_db $repo $tarch repo_unlock $repo $tarch done diff --git a/db-repo-add b/db-repo-add index 5d5b653..aa79b9f 100755 --- a/db-repo-add +++ b/db-repo-add @@ -37,5 +37,6 @@ for tarch in ${tarches[@]}; do fi done arch_repo_add "${repo}" "${tarch}" ${pkgfiles[@]} + sign_db $repo $tarch repo_unlock $repo $tarch done diff --git a/db-repo-remove b/db-repo-remove index 2a693f4..2f6ccb7 100755 --- a/db-repo-remove +++ b/db-repo-remove @@ -33,5 +33,6 @@ for tarch in ${tarches[@]}; do msg "Removing $pkgname from [$repo]..." done arch_repo_remove "${repo}" "${tarch}" ${pkgnames[@]} + sign_db $repo $tarch repo_unlock $repo $tarch done diff --git a/db-update b/db-update index 087a248..c82017c 100755 --- a/db-update +++ b/db-update @@ -91,6 +91,7 @@ done for repo in ${repos[@]}; do for pkgarch in ${ARCHES[@]}; do + sign_db ${repo} ${pkgarch} repo_unlock ${repo} ${pkgarch} done done diff --git a/testing2x b/testing2x index 369857f..8ce5f2b 100755 --- a/testing2x +++ b/testing2x @@ -47,10 +47,12 @@ for pkgbase in $*; do done for pkgarch in ${ARCHES[@]}; do + sign_db ${TESTING_REPO} ${pkgarch} repo_unlock ${TESTING_REPO} ${pkgarch} done for repo in ${STABLE_REPOS[@]}; do for pkgarch in ${ARCHES[@]}; do + sign_db ${repo} ${pkgarch} repo_unlock ${repo} ${pkgarch} done if [ -n "${pkgs[${repo}]}" ]; then -- 1.8.4.2