On 07/03/14 05:05, Thomas Bächler wrote:
If acceptkeys is set in the PKGBUILD, signature checking fails if the fingerprint of the key used to create the signature is not listed in the array. Failure to verify the signature due to a missing public key is also treated as an error instead of a warning. --- scripts/makepkg.sh.in | 36 ++++++++++++++++++++++++++---------- 1 file changed, 26 insertions(+), 10 deletions(-)
Fine. Small comments below. Also needs documentation. Just a small bikeshed... acceptkeys does not sound right. How about sourcepgpkeys?
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index e230c15..40c5b48 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1250,7 +1250,7 @@ check_pgpsigs() {
msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file pubkey ext decompress found + local file pubkey ext decompress found success local warning=0 local errors=0 local statusfile=$(mktemp) @@ -1296,7 +1296,11 @@ check_pgpsigs() { printf '%s' "$(gettext "FAILED")" >&2 if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2 - warnings=1 + if (( ${#acceptkeys[@]} > 0 )); then + errors=1 + else + warnings=1 + fi
This seems strange from a user interface perspective - a missing key in a keyring can be a warning or error depending on other aspects of the PKGBUILD.
else errors=1 fi @@ -1306,13 +1310,25 @@ check_pgpsigs() { printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2 errors=1 else - printf '%s' "$(gettext "Passed")" >&2 - if grep -q "EXPSIG" "$statusfile"; then - printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2 - warnings=1 - elif grep -q "EXPKEYSIG" "$statusfile"; then - printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2 - warnings=1 + success=1 + if (( ${#acceptkeys[@]} > 0 )); then + pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG ([A-Z0-9]*) .*/\1/p;' | awk '{print tolower($0)}')
tolower? I'd expect PGP keys to be given with capital letters. At least have acceptkeys run through tolower too.
+ if ! in_array $pubkey ${acceptkeys[@]}; then
So the PKGBUILD needs to specify the full fingerprint? This allows acceptkeys to specify shorter values:
    grep -f <(printf '%s$\n' "${acceptkeys[@]}") <(printf '%s\n' "$pubkey")
+ printf '%s' "$(gettext "FAILED")" >&2 + printf " ($(gettext 'the fingerprint %s is not accepted.'))" "$pubkey" >&2
Maybe: sources are not allowed to be signed by the PGP key %s
+ success=0 + errors=1 + fi + fi + if (( $success )); then + printf '%s' "$(gettext "Passed")" >&2 + if grep -q "EXPSIG" "$statusfile"; then + printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2 + warnings=1 + elif grep -q "EXPKEYSIG" "$statusfile"; then + printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2 + warnings=1 + fi fi fi printf '\n' >&2 @@ -2809,7 +2825,7 @@ fi
unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides unset md5sums replaces depends conflicts backup source install changelog build -unset makedepends optdepends options noextract +unset makedepends optdepends options noextract acceptkeys
BUILDFILE=${BUILDFILE:-$BUILDSCRIPT} if [[ ! -f $BUILDFILE ]]; then
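Review bot: In the declaration block at the top of check_pgpsigs() (hunk at -1250), the context line reads `local warning=0` while every branch in the later hunks assigns `warnings=1`, so the counter being set is not the variable declared local here. Since the adjacent `local file pubkey ...` line is already being changed, rename the declaration to `local warnings=0` in the same patch.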
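Review bot: In the NO_PUBKEY branch (hunk at -1296), the printed text stays "unknown public key" whether the result is counted under errors or under warnings, so a user whose build now stops gets no hint that a non-empty acceptkeys is what made the missing key fatal. Suggest saying so in the message for the `(( ${#acceptkeys[@]} > 0 ))` case, and describing this switch from warning to error in the documentation for the new variable.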
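Review bot: The lookup `in_array $pubkey ${acceptkeys[@]}` (hunk at -1306) is unquoted, so if the sed expression matches nothing and $pubkey is empty, the empty argument disappears and the acceptkeys entries shift into its position. Quote both expansions as `in_array "$pubkey" "${acceptkeys[@]}"` and fail explicitly when $pubkey is empty before doing the lookup. The `printf " ($(gettext '...'))" "$pubkey"` line also places the translated string in the format position, unlike the neighbouring `printf '%s'` and `printf ' (%s)'` calls; keeping the format string literal would match the rest of the function.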
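The fingerprint allow-list check discussed in this thread (case handling, full fingerprint versus shorter values, and a status file with no VALIDSIG line), as an added example that is not part of the patch or of makepkg. The function names, the `full`/`suffix` modes and the status lines are constructed for illustration.

```shell
# Added example: all names below are hypothetical, not makepkg functions.

# Print the upper-cased fingerprint from the first VALIDSIG line of gpg
# status output (--status-file); print nothing when no such line exists.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); exit }' "$1"
}

# key_accepted MODE STATUSFILE KEY...
#   MODE=full   : KEY must equal the whole fingerprint
#   MODE=suffix : KEY may be a trailing part of it (the "shorter values" idea);
#                 the shorter the suffix, the weaker the binding to one key
# Comparison ignores case and spaces. Returns 0 = accepted, 1 = not in the
# list, 2 = no valid signature was reported at all.
key_accepted() {
    _mode=$1 _status=$2
    shift 2
    _fpr=$(validsig_fpr "$_status")
    [ -n "$_fpr" ] || return 2
    for _key in "$@"; do
        _key=$(printf '%s' "$_key" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
        [ -n "$_key" ] || continue   # an empty entry must never match
        case $_mode in
            full)   if [ "$_key" = "$_fpr" ]; then return 0; fi ;;
            suffix) case $_fpr in *"$_key") return 0 ;; esac ;;
        esac
    done
    return 1
}

# Constructed status output (not from a real key); prints the temp file path.
make_sample_status() {
    _f=$(mktemp)
    cat > "$_f" <<'EOF'
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF 2014-03-07 1394168700 0 4 0 1 2 00 AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF
EOF
    printf '%s\n' "$_f"
}

# Demo: a lower-case entry in the list still matches the signer's fingerprint.
status=$(make_sample_status)
if key_accepted full "$status" "aaaabbbbccccddddeeeeffff0123456789abcdef"; then
    echo "accepted"
fi
rm -f "$status"
```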