On Sun, Jun 1, 2008 at 8:04 PM, <geoffroy.carrier@koon.fr> wrote:
From: Geoffroy Carrier <geoffroy.carrier@koon.fr>
--- scripts/makepkg.sh.in | 24 ++++++++++++++++++------ 1 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 6e2f1ad..1314a51 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -54,6 +54,7 @@ INFAKEROOT=0 GENINTEG=0 INSTALL=0 NOBUILD=0 +SIGN=0 NODEPS=0 NOEXTRACT=0 RMDEPS=0 @@ -855,6 +856,19 @@ create_package() { fi }
+create_signature() { + [ "$SIGN" = "0" ] && return + msg "$(gettext "Signing package...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM
Hmm, maybe a warning rather than an error here as the package build itself did not fail? This is similar to the patch we just added so that failure to uninstall deps does not result in a failure code being returned.
Please add at least a line or two of comments for your next submit, but you already let me know you just forgot here. :)
+ fi + if ! gpg --detach-sign "$PKGDEST/${pkgname}-${pkgver}-${pkgrel}-${CARCH}${PKGEXT}"; then
Minor issue, but we tend to use this format around makepkg:
    local ret=0
    gpg ..... || ret=$?
    if [ $ret -eq 0 ]; then
        # success
    else
        # failure
    fi
That way we can also have a:
    msg2 "$(gettext "Created signature file %s.")" $filename.sig
I can't believe we don't have a variable for that file name, hmm. We use it an awful lot.
+ error "$(gettext "Failed to sign package file.")" + # exit 1 # It's easy to sign manually, so doesn't seem a big failure to gcarrier.
Yeah, I'd drop this to a warning. I think it will be more clear in a second.
+ fi +} + create_xdelta() { if [ "$(check_buildenv xdelta)" != "y" ]; then return @@ -1127,7 +1141,7 @@ SRCDEST=${SRCDEST:-$startdir} #default to $startdir if undefined # Parse Command Line Options. OPT_SHORT="AbcCdefFghiLmop:rRsSV" OPT_LONG="ignorearch,asroot,builddeps,clean,cleancache,nodeps,noextract,force,forcever:,geninteg,help,holdver" -OPT_LONG="$OPT_LONG,install,log,nocolor,nobuild,rmdeps,repackage,source,syncdeps,usesudo,version" +OPT_LONG="$OPT_LONG,install,log,nocolor,nobuild,rmdeps,repackage,source,syncdeps,sign,version" # Pacman Options OPT_LONG="$OPT_LONG,noconfirm,noprogressbar" OPT_TEMP="$(getopt -o "$OPT_SHORT" -l "$OPT_LONG" -n "$(basename "$0")" -- "$@" || echo 'GETOPT GO BANG!')" @@ -1166,11 +1180,7 @@ while true; do -R|--repackage) REPKG=1 ;; --source) SOURCEONLY=1 ;; -s|--syncdeps) DEP_BIN=1 ;; - - # BEGIN DEPRECATED - -S|--usesudo) - warning "$(gettext "Sudo is used by default now. The --usesudo option is deprecated!")" ;; - # END DEPRECATED + -S|--sign) SIGN=1 ;;
Rather than do this as an option, why don't we add it as a buildenv option so we don't have to manually specify -S every time? This is how xdelta, distcc, ccache, etc. work now and I think it would be the best way to go. That way a developer could easily enable or disable the signing of all packages in one place.
-h|--help) usage; exit 0 ;; # E_OK -V|--version) version; exit 0 ;; # E_OK @@ -1494,6 +1504,8 @@ fi
msg "$(gettext "Finished making: %s")" "$pkgname $pkgver-$pkgrel $CARCH ($(date))"
+create_signature + install_package
exit 0 #E_OK --
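Review bot: the two failure paths in create_signature() disagree. A missing gpg binary aborts with `exit 1`, while a failed `gpg --detach-sign` only calls error and falls through because its `exit 1` is commented out, so makepkg continues to install_package and `exit 0` with no signature even though signing was requested. Pick one behaviour for both paths and make a failed signing detectable by the caller, for example by returning a nonzero status from the function so the call site can decide between a warning and an error. Separately, `[ ! $(type -p "gpg") ]` leaves the command substitution unquoted; `if ! type -p gpg >/dev/null; then` tests the same thing without relying on word splitting.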
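Review bot: the option-parsing hunk reuses the short flag `-S`, which until now mapped to the deprecated `--usesudo`, for `--sign`, and removes `usesudo` from OPT_LONG. An existing invocation that still passes `-S` will start signing, or hit the `exit 1` in create_signature() when gpg is absent, instead of getting the deprecation warning, and `--usesudo` becomes a getopt error. Consider a long-only `--sign` or a short letter that has no previous meaning, and note that none of the hunks shown add the new option to the usage text.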
Thanks for starting the whole signed packages thing. We have to do it one step at a time, and this is definitely the best place to start.
-Dan