---
 scripts/makepkg.sh.in | 52 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 78cd4cf..cc4f152 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -516,7 +516,7 @@ download_sources() {
 pushd "$SRCDEST" &>/dev/null
 
 local netfile
- for netfile in "${source[@]}"; do
+ for netfile in "${source[@]}" "${pgpsigs[@]}"; do
 local file=$(get_filepath "$netfile" || true)
 if [[ -n "$file" ]]; then
 msg2 "$(gettext "Found %s")" "${file##*/}"
@@ -680,6 +680,49 @@ check_checksums() {
 fi
 }
 
+check_pgpsigs() {
+ (( ! ${#source[@]} )) && return 0
+ (( ! ${#pgpsigs[@]})) && return 0
+
+ if ! type -p gpg >/dev/null; then
+ error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+ exit 1 # $E_MISSING_PROGRAM
+ fi
+
+ msg "$(gettext "Validating source files with gpg...")"
+
+ local file
+ local errors=0
+
+ for file in "${pgpsigs[@]}"; do
+ local valid
+ local found=1
+
+ file="$(get_filename "$file")"
+ echo -n " ${file%.sig} ... " >&2
+
+ if ! file="$(get_filepath "$file")"; then
+ echo "$(gettext "NOT FOUND")" >&2
+ errors=1
+ found=0
+ fi
+
+ if (( found )); then
+ if ! gpg --quiet --batch --verify "$file" 2> /dev/null; then
+ echo "$(gettext "Verification failed")" >&2
+ errors=1
+ else
+ echo $(gettext "Verified") >&2
+ fi
+ fi
+ done
+
+ if (( errors )); then
+ error "$(gettext "One or more pgp signatures could not be verified!")"
+ exit 1
+ fi
+}
+
 extract_sources() {
 msg "$(gettext "Extracting Sources...")"
 local netfile
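Review bot: The signature files are now fetched on every run of download_sources, whether or not --pgp was given, and the appended `"${pgpsigs[@]}"` carries no comment saying that this is deliberate. If the intent is to have the signatures cached for a later --pgp run, a one-line comment above the loop such as `# signatures are fetched unconditionally so a later --pgp run finds them in SRCDEST` would stop a reader from gating this on PGPSIGS; if it is not the intent, the extra array could be added only when PGPSIGS is set. download_sources starts and ends outside the hunk.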
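Review bot: A zero exit from `gpg --quiet --batch --verify "$file"` only means that some key in the builder's keyring produced a good signature; it does not identify the key, and because stderr is sent to /dev/null the warnings gpg prints for untrusted, expired or revoked keys are discarded, so "Verified" is printed for a signature made by any key that happens to have been imported. Deciding whether the signer is one the PKGBUILD expects needs gpg's machine-readable output (`--status-fd`), comparing the fingerprint in its VALIDSIG line against a list of expected keys and treating EXPKEYSIG and REVKEYSIG as failures, instead of the exit status alone. A smaller point on the same line: gpg is given only the signature path and guesses the signed file by stripping its suffix, which fails for `.asc` signatures or any signature whose name is not the source name plus `.sig`; when the source sits beside the signature it can be named explicitly, `if ! gpg --quiet --batch --verify "$file" "${file%.sig}" 2>/dev/null; then`. Also `local valid` is never used, `echo $(gettext "Verified")` is the only unquoted echo in the function, the second early return succeeds silently when --pgp was requested but pgpsigs is empty, and `exit 1 # $E_MISSING_PROGRAM` could use the constant it names if that constant is defined in this file.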
@@ -1614,6 +1657,7 @@ usage() {
 echo "$(gettext " --key <key> Specify a key to use for gpg signing instead of the default")"
 printf "$(gettext " --nocheck Do not run the check() function in the %s")\n" "$BUILDSCRIPT"
 echo "$(gettext " --nosign Do not create a signature for the package")"
+ echo "$(gettext " --pgp Enable verification of source files with pgp signatures")"
 echo "$(gettext " --pkg <list> Only build listed packages from a split package")"
 echo "$(gettext " --sign Sign the resulting package with gpg")"
 echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")"
@@ -1651,7 +1695,7 @@ ARGLIST=("$@")
 # Parse Command Line Options.
 OPT_SHORT="AcCdefFghiLmop:rRsV"
 OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps"
-OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver"
+OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver,pgp"
 OPT_LONG+=",install,key:,log,nocolor,nobuild,nocheck,nosign,pkg:,rmdeps"
 OPT_LONG+=",repackage,skipinteg,sign,source,syncdeps,version,config:"
 # Pacman Options
@@ -1694,6 +1738,7 @@ while true; do
 --nosign) SIGNPKG='n' ;;
 -o|--nobuild) NOBUILD=1 ;;
 -p) shift; BUILDFILE=$1 ;;
+ --pgp) PGPSIGS=1;;
 --pkg) shift; PKGLIST=($1) ;;
 -r|--rmdeps) RMDEPS=1 ;;
 -R|--repackage) REPKG=1 ;;
@@ -2129,6 +2174,9 @@ else
 download_sources
 if (( ! SKIPINTEG )); then
 check_checksums
+ if (( PGPSIGS )); then
+ check_pgpsigs
+ fi
 else
 warning "$(gettext "Skipping integrity checks.")"
 fi
-- 
1.7.5.4
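Review bot: `--pgp) PGPSIGS=1;;` drops the space before `;;` that every neighbouring arm keeps, and the new variable presumably needs a `PGPSIGS=0` default next to the other option defaults earlier in the file (not shown here) so that the later `(( PGPSIGS ))` test does not depend on an unset variable. Suggested line: `--pgp)            PGPSIGS=1 ;;`. The enclosing while/case block starts and ends outside the hunk.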
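Review bot: Signature verification is tied to the --pgp flag rather than to the PKGBUILD's data, so a PKGBUILD that ships pgpsigs is built without any signature check on a default invocation and nothing tells the builder that signatures were present but ignored. Making the check follow the data, or at least warning when signatures are skipped, keeps the integrity step visible; a minimal form is `elif (( ${#pgpsigs[@]} )); then` followed by `warning "$(gettext "Skipping pgp signature checks.")"` before the closing `fi` of the new block. The enclosing if/else starts and ends outside the hunk.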