On Thu, Jun 23, 2011 at 2:36 AM, Wieland Hoffmann
--- scripts/makepkg.sh.in | 52 +++++++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 78cd4cf..cc4f152 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -516,7 +516,7 @@ download_sources() { pushd "$SRCDEST" &>/dev/null
local netfile - for netfile in "${source[@]}"; do + for netfile in "${source[@]}" "${pgpsigs[@]}"; do local file=$(get_filepath "$netfile" || true) if [[ -n "$file" ]]; then msg2 "$(gettext "Found %s")" "${file##*/}" @@ -680,6 +680,49 @@ check_checksums() { fi }
+check_pgpsigs() { + (( ! ${#source[@]} )) && return 0 + (( ! ${#pgpsigs[@]})) && return 0 + + if ! type -p gpg >/dev/null; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi Please see the check_software patch (http://projects.archlinux.org/pacman.git/commit/?id=7468956236), this will need to be updated to work that way instead of how we used to do it.
+ + msg "$(gettext "Validating source files with gpg...")" + + local file + local errors=0 + + for file in "${pgpsigs[@]}"; do + local valid + local found=1 + + file="$(get_filename "$file")" + echo -n " ${file%.sig} ... " >&2 + + if ! file="$(get_filepath "$file")"; then What are you doing here? Assignment or comparison? Do this in two statements rather than trying to be cute, and use an actual [[ -z ]] block please.
+ echo "$(gettext "NOT FOUND")" >&2 + errors=1 + found=0 + fi + + if (( found )); then + if ! gpg --quiet --batch --verify "$file" 2> /dev/null; then + echo "$(gettext "Verification failed")" >&2 Any need to eat stderr? If things only show up in exceptional cases, I'd rather it come through.
+ errors=1 + else + echo $(gettext "Verified") >&2 + fi + fi + done + + if (( errors )); then + error "$(gettext "One or more pgp signatures could not be verified!")" + exit 1 + fi +} + extract_sources() { msg "$(gettext "Extracting Sources...")" local netfile @@ -1614,6 +1657,7 @@ usage() { echo "$(gettext " --key <key> Specify a key to use for gpg signing instead of the default")" printf "$(gettext " --nocheck Do not run the check() function in the %s")\n" "$BUILDSCRIPT" echo "$(gettext " --nosign Do not create a signature for the package")" + echo "$(gettext " --pgp Enable verification of source files with pgp signatures")" I'm not real keen on this option as it isn't clear whether it deals with signing or verification. I think --verify would be better, but I'll leave that up to Allan.
echo "$(gettext " --pkg <list> Only build listed packages from a split package")" echo "$(gettext " --sign Sign the resulting package with gpg")" echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")" @@ -1651,7 +1695,7 @@ ARGLIST=("$@") # Parse Command Line Options. OPT_SHORT="AcCdefFghiLmop:rRsV" OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps" -OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver" +OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver,pgp" OPT_LONG+=",install,key:,log,nocolor,nobuild,nocheck,nosign,pkg:,rmdeps" OPT_LONG+=",repackage,skipinteg,sign,source,syncdeps,version,config:" # Pacman Options @@ -1694,6 +1738,7 @@ while true; do --nosign) SIGNPKG='n' ;; -o|--nobuild) NOBUILD=1 ;; -p) shift; BUILDFILE=$1 ;; + --pgp) PGPSIGS=1;; --pkg) shift; PKGLIST=($1) ;; -r|--rmdeps) RMDEPS=1 ;; -R|--repackage) REPKG=1 ;; @@ -2129,6 +2174,9 @@ else download_sources if (( ! SKIPINTEG )); then check_checksums + if (( PGPSIGS )); then + check_pgpsigs + fi This check should probably match how we do it elsewhere; e.g., check_signature() the first two lines. I'd move it inside check_pgpsigs itself. Also declare it upfront where we set the rest of these.
else warning "$(gettext "Skipping integrity checks.")" fi -- 1.7.5.4