This makes automating PGP keys for verifying source file signatures possible. This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs.
Signed-off-by: Alli <alzeih@gmail.com>
---
 doc/makepkg.8.txt | 4 ++++
 scripts/libmakepkg/integrity.sh.in | 2 ++
 .../libmakepkg/integrity/verify_signature.sh.in | 22 ++++++++++++++++++++++
 scripts/makepkg.sh.in | 15 +++++++++++++--
 4 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/doc/makepkg.8.txt b/doc/makepkg.8.txt
index 2dff1b19..88b709f4 100644
--- a/doc/makepkg.8.txt
+++ b/doc/makepkg.8.txt
@@ -171,6 +171,10 @@ Options
 *\--noprepare*::
 Do not run the prepare() function in the PKGBUILD.
 
+*\--recvkeys*::
+ Retrieve PGP signing keys used in the PKGBUILD for verifying source
+ integrity into the gpg keyring.
+
 *\--sign*::
 Sign the resulting package with gpg, overriding the setting in
 linkman:makepkg.conf[5].
diff --git a/scripts/libmakepkg/integrity.sh.in b/scripts/libmakepkg/integrity.sh.in
index 3a77ef16..3d3d071b 100644
--- a/scripts/libmakepkg/integrity.sh.in
+++ b/scripts/libmakepkg/integrity.sh.in
@@ -34,11 +34,13 @@ check_source_integrity() {
 warning "$(gettext "Skipping all source file integrity checks.")"
 elif (( SKIPCHECKSUMS )); then
 warning "$(gettext "Skipping verification of source file checksums.")"
+ get_pgpsigs "$@"
 check_pgpsigs "$@"
 elif (( SKIPPGPCHECK )); then
 warning "$(gettext "Skipping verification of source file PGP signatures.")"
 check_checksums "$@"
 else
+ get_pgpsigs "$@"
 check_checksums "$@"
 check_pgpsigs "$@"
 fi
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index b5577523..e8890932 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
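Review bot: In the `else` branch the new `get_pgpsigs "$@"` runs before `check_checksums "$@"`, so a failed key fetch aborts the build (get_pgpsigs exits 1) before the local checksum verification has even run, and a network round trip is spent on sources that would have failed the cheaper check anyway. Placing the call directly before `check_pgpsigs "$@"` in both branches keeps the order cheap-first and keeps the two PGP helpers adjacent; folding the retrieval into check_pgpsigs would also leave a single call site instead of two. check_source_integrity starts before this hunk, and the first branch of its if chain (the one that prints "Skipping all source file integrity checks.") is not visible here.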
@@ -26,6 +26,28 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
 source "$LIBRARY/util/message.sh"
 source "$LIBRARY/util/pkgbuild.sh"
 
+get_pgpsigs() {
+ ! source_has_signatures && return 0
+ (( ! RECVKEYS )) && return 0
+
+ msg "$(gettext "Receiving PGP keys for verifying source file signatures with %s...")" "gpg"
+
+ local key
+ local errors=0
+
+ for key in "${validpgpkeys[@]}"; do
+ gpg --recv-keys "$key"
+ if [ $? != 0 ]; then
+ errors=1
+ fi
+ done
+
+ if (( errors )); then
+ error "$(gettext "One or more PGP keys could not be retrieved!")"
+ exit 1
+ fi
+}
+
 check_pgpsigs() {
 (( SKIPPGPCHECK )) && return 0
 ! source_has_signatures && return 0
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 29408929..1a6ca831 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -78,6 +78,7 @@ NOEXTRACT=0
 PKGFUNC=0
 PKGVERFUNC=0
 PREPAREFUNC=0
+RECVKEYS=0
 REPKG=0
 RMDEPS=0
 SKIPCHECKSUMS=0
@@ -1044,6 +1045,14 @@ check_software() {
 fi
 fi
 
+ # gpg - receive source verification keys
+ if (( RECVKEYS )) && source_has_signatures; then
+ if ! type -p gpg >/dev/null; then
+ error "$(gettext "Cannot find the %s binary required for receiving keys for verifying source files.")" "gpg"
+ ret=1
+ fi
+ fi
+
 # checksum operations
 if (( GENINTEG || ! SKIPCHECKSUMS )); then
 local integlist
@@ -1218,6 +1227,7 @@ usage() {
 printf -- "$(gettext " --nosign Do not create a signature for the package")\n"
 printf -- "$(gettext " --packagelist Only list packages that would be produced, without PKGEXT")\n"
 printf -- "$(gettext " --printsrcinfo Print the generated SRCINFO and exit")\n"
+ printf -- "$(gettext " --recvkeys Receive PGP Keys used for verifying source integrity")\n"
 printf -- "$(gettext " --sign Sign the resulting package with %s")\n" "gpg"
 printf -- "$(gettext " --skipchecksums Do not verify checksums of the source files")\n"
 printf -- "$(gettext " --skipinteg Do not perform any verification checks on source files")\n"
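Review bot: The loop in get_pgpsigs tests `$?` with the string comparison `[ $? != 0 ]` one statement after the gpg call, which is fragile and not how the rest of this file tests command status; `if ! gpg --recv-keys "$key"; then errors=1; fi` is the direct form. The function also prints "Receiving PGP keys..." and then loops over nothing when validpgpkeys is empty, so an early `(( ${#validpgpkeys[@]} )) || return 0` would keep the output honest. Since the only thing that later binds a downloaded key to the PKGBUILD is presumably check_pgpsigs matching fingerprints against validpgpkeys, a comment here stating the expectation would help maintainers, e.g. `# validpgpkeys entries are expected to be full fingerprints; a short key ID can match a different key than the PKGBUILD author intended`. check_pgpsigs continues past the end of the hunk.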
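Review bot: The new gpg requirement in check_software is gated only on `RECVKEYS` and `source_has_signatures`, while check_source_integrity (in the integrity.sh.in hunk) never calls get_pgpsigs on the `SKIPPGPCHECK` path, so `--recvkeys --skippgpcheck` on a host without gpg fails hard in check_software for a step that would never run. Mirroring the call-site condition, `if (( RECVKEYS && ! SKIPPGPCHECK )) && source_has_signatures; then`, keeps the two in agreement; the branch that skips all integrity checks sits above the visible part of check_source_integrity and presumably needs the same gating. check_software itself starts before this hunk.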
@@ -1263,8 +1273,8 @@ OPT_SHORT="AcCdefFghiLmop:rRsSV"
 OPT_LONG=('allsource' 'check' 'clean' 'cleanbuild' 'config:' 'force' 'geninteg'
 'help' 'holdver' 'ignorearch' 'install' 'key:' 'log' 'noarchive' 'nobuild'
 'nocolor' 'nocheck' 'nodeps' 'noextract' 'noprepare' 'nosign' 'packagelist'
- 'printsrcinfo' 'repackage' 'rmdeps' 'sign' 'skipchecksums' 'skipinteg'
- 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version')
+ 'printsrcinfo' 'recvkeys' 'repackage' 'rmdeps' 'sign' 'skipchecksums'
+ 'skipinteg' 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version')
 
 # Pacman Options
 OPT_LONG+=('asdeps' 'noconfirm' 'needed' 'noprogressbar')
@@ -1309,6 +1319,7 @@ while true; do
 -p) shift; BUILDFILE=$1 ;;
 --packagelist) PACKAGELIST=1 IGNOREARCH=1;;
 --printsrcinfo) PRINTSRCINFO=1 IGNOREARCH=1;;
+ --recvkeys) RECVKEYS=1 ;;
 -r|--rmdeps) RMDEPS=1 ;;
 -R|--repackage) REPKG=1 ;;
 --sign) SIGNPKG='y' ;;
-- 
2.12.1