On 19/02/11 11:30, Denis A. AltoƩ Falqueto wrote:
Two new command line options were added:
-n, --sign: forces the generation of a signature for the resulting package, even if not configured in makepkg.conf. The command line has precedence over the option in makepkg.conf. So, even if makepkg.conf has !sign in BUILDENV, passing --sign to makepkg will make it sign the package.
I think we should have a --nosign option to which would negate 'sign' in makepkg.conf. See the --check/--nocheck pair to see how that is achieved.
--signwithkey<key>: there is a possibility of another key being used, instead of the user's default. For exemple, pacman-keyring package could be signed by a master key, because it needs to be trusted explicitly by the user before the installation of that package. So, this parameter will be used to supply an id for a key to be used to sign the package.
Signed-off-by: Denis A. AltoƩ Falqueto<denisfalqueto@gmail.com> --- scripts/makepkg.sh.in | 28 +++++++++++++++++++++++----- 1 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 8381a78..dc71ffd 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -28,7 +28,7 @@ # makepkg uses quite a few external programs during its execution. You # need to have at least the following installed for makepkg to function: # awk, bsdtar (libarchive), bzip2, coreutils, fakeroot, file, find (findutils), -# gettext, grep, gzip, openssl, sed, tput (ncurses), xz +# gettext, gpg, grep, gzip, openssl, sed, tput (ncurses), xz
# gettext initialization export TEXTDOMAIN='pacman' @@ -74,6 +74,8 @@ BUILDFUNC=0 CHECKFUNC=0 PKGFUNC=0 SPLITPKG=0 +SIGN=0 +SIGNKEY="" PKGLIST=()
# Forces the pkgver of the current PKGBUILD. Used by the fakeroot call @@ -1106,7 +1108,7 @@ create_package() { }
create_signature() { - if [[ $(check_buildenv sign) != "y" ]]; then + if [[ $(check_buildenv sign) != "y"&& $SIGN != 1 ]]; then return fi local ret=0 @@ -1116,7 +1118,18 @@ create_signature() { error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" exit 1 # $E_MISSING_PROGRAM fi - gpg --detach-sign --use-agent "$filename" || ret=$? + + # Check if SIGNKEY is valid. + local SIGNWITHKEY="" + if [[ "${SIGNKEY}" ]]; then + if ! gpg --list-key "${SIGNKEY}" 1>/dev/null 2>&1; then + error "$(gettext "The key ${SIGNKEY} doesn\'t exist.")" + exit 1 + fi + SIGNWITHKEY="-u ${SIGNKEY}" + fi
I wonder if this is checked too late. I suppose with a package() function in a PKGBUILD, we can not rebuild by using "makepkg -R" but this still seems quite late to abort.
+ # The signature will be generated directly in ascii-friendly format + gpg --detach-sign --quiet --batch --use-agent ${SIGNWITHKEY} "$filename" 1>/dev/null || ret=$?
--batch is bad here. It forces the use of a gpg-agent.
if (( ! ret )); then msg2 "$(gettext "Created signature file %s.")" "$filename.sig" else @@ -1614,6 +1627,9 @@ usage() { echo "$(gettext " --pkg<list> Only build listed packages from a split package")" echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")" echo "$(gettext " --source Generate a source-only tarball without downloaded sources")" + echo "$(gettext " -n, --sign Sign the resulting package with gpg")" + printf "$(gettext " --signwithkey<key>\n\ + Selects an specific key to use for signing, instead of user's default")" echo echo "$(gettext "These options can be passed to pacman:")" echo @@ -1645,11 +1661,11 @@ fi ARGLIST=("$@")
# Parse Command Line Options. -OPT_SHORT="AcCdefFghiLmop:rRsV" +OPT_SHORT="AcCdefFghiLmnop:rRsV" OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps" OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver" OPT_LONG+=",install,log,nocolor,nobuild,nocheck,pkg:,rmdeps" -OPT_LONG+=",repackage,skipinteg,source,syncdeps,version,config:" +OPT_LONG+=",repackage,sign,signwithkey:,skipinteg,source,syncdeps,version,config:" # Pacman Options OPT_LONG+=",noconfirm,noprogressbar" OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@" || echo 'PARSE_OPTIONS FAILED')" @@ -1693,6 +1709,8 @@ while true; do -R|--repackage) REPKG=1 ;; --skipinteg) SKIPINTEG=1 ;; --source) SOURCEONLY=1 ;; + --sign) SIGN=1 ;; + --signwithkey) shift; SIGNKEY=$1 ;; -s|--syncdeps) DEP_BIN=1 ;;
-h|--help) usage; exit 0 ;; # E_OK