Two new command line options were added: -n, --sign: forces the generation of a signature for the resulting package, even if not configured in makepkg.conf. The command line has precedence over the option in makepkg.conf. So, even if makepkg.conf has !sign in BUILDENV, passing --sign to makepkg will make it sign the package. --signwithkey <key>: there is a possibility of another key being used, instead of the user's default. For exemple, pacman-keyring package could be signed by a master key, because it needs to be trusted explicitly by the user before the installation of that package. So, this parameter will be used to supply an id for a key to be used to sign the package. Signed-off-by: Denis A. AltoƩ Falqueto <denisfalqueto@gmail.com> --- scripts/makepkg.sh.in | 28 +++++++++++++++++++++++----- 1 files changed, 23 insertions(+), 5 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 8381a78..dc71ffd 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -28,7 +28,7 @@ # makepkg uses quite a few external programs during its execution. You # need to have at least the following installed for makepkg to function: # awk, bsdtar (libarchive), bzip2, coreutils, fakeroot, file, find (findutils), -# gettext, grep, gzip, openssl, sed, tput (ncurses), xz +# gettext, gpg, grep, gzip, openssl, sed, tput (ncurses), xz # gettext initialization export TEXTDOMAIN='pacman' @@ -74,6 +74,8 @@ BUILDFUNC=0 CHECKFUNC=0 PKGFUNC=0 SPLITPKG=0 +SIGN=0 +SIGNKEY="" PKGLIST=() # Forces the pkgver of the current PKGBUILD. Used by the fakeroot call @@ -1106,7 +1108,7 @@ create_package() { } create_signature() { - if [[ $(check_buildenv sign) != "y" ]]; then + if [[ $(check_buildenv sign) != "y" && $SIGN != 1 ]]; then return fi local ret=0 @@ -1116,7 +1118,18 @@ create_signature() { error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" exit 1 # $E_MISSING_PROGRAM fi - gpg --detach-sign --use-agent "$filename" || ret=$? + + # Check if SIGNKEY is valid. + local SIGNWITHKEY="" + if [[ "${SIGNKEY}" ]]; then + if ! gpg --list-key "${SIGNKEY}" 1>/dev/null 2>&1; then + error "$(gettext "The key ${SIGNKEY} doesn\'t exist.")" + exit 1 + fi + SIGNWITHKEY="-u ${SIGNKEY}" + fi + # The signature will be generated directly in ascii-friendly format + gpg --detach-sign --quiet --batch --use-agent ${SIGNWITHKEY} "$filename" 1>/dev/null || ret=$? if (( ! ret )); then msg2 "$(gettext "Created signature file %s.")" "$filename.sig" else @@ -1614,6 +1627,9 @@ usage() { echo "$(gettext " --pkg <list> Only build listed packages from a split package")" echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")" echo "$(gettext " --source Generate a source-only tarball without downloaded sources")" + echo "$(gettext " -n, --sign Sign the resulting package with gpg")" + printf "$(gettext " --signwithkey <key>\n\ + Selects an specific key to use for signing, instead of user's default")" echo echo "$(gettext "These options can be passed to pacman:")" echo @@ -1645,11 +1661,11 @@ fi ARGLIST=("$@") # Parse Command Line Options. -OPT_SHORT="AcCdefFghiLmop:rRsV" +OPT_SHORT="AcCdefFghiLmnop:rRsV" OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps" OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver" OPT_LONG+=",install,log,nocolor,nobuild,nocheck,pkg:,rmdeps" -OPT_LONG+=",repackage,skipinteg,source,syncdeps,version,config:" +OPT_LONG+=",repackage,sign,signwithkey:,skipinteg,source,syncdeps,version,config:" # Pacman Options OPT_LONG+=",noconfirm,noprogressbar" OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@" || echo 'PARSE_OPTIONS FAILED')" @@ -1693,6 +1709,8 @@ while true; do -R|--repackage) REPKG=1 ;; --skipinteg) SKIPINTEG=1 ;; --source) SOURCEONLY=1 ;; + --sign) SIGN=1 ;; + --signwithkey) shift; SIGNKEY=$1 ;; -s|--syncdeps) DEP_BIN=1 ;; -h|--help) usage; exit 0 ;; # E_OK -- 1.7.4.1