[pacman-dev] [PATCH] makepkg: add flag 'recvkeys' to retrieve PGP keys from 'validpgpkeys' in PKGBUILDs
This makes automating PGP keys for verifying source file signatures possible. This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs. Signed-off-by: Alli <alzeih@gmail.com> --- doc/makepkg.8.txt | 4 ++++ scripts/libmakepkg/integrity.sh.in | 2 ++ .../libmakepkg/integrity/verify_signature.sh.in | 22 ++++++++++++++++++++++ scripts/makepkg.sh.in | 15 +++++++++++++-- 4 files changed, 41 insertions(+), 2 deletions(-) diff --git a/doc/makepkg.8.txt b/doc/makepkg.8.txt index 2dff1b19..88b709f4 100644 --- a/doc/makepkg.8.txt +++ b/doc/makepkg.8.txt @@ -171,6 +171,10 @@ Options *\--noprepare*:: Do not run the prepare() function in the PKGBUILD. +*\--recvkeys*:: + Retrieve PGP signing keys used in the PKGBUILD for verifying source + integrity into the gpg keyring. + *\--sign*:: Sign the resulting package with gpg, overriding the setting in linkman:makepkg.conf[5]. diff --git a/scripts/libmakepkg/integrity.sh.in b/scripts/libmakepkg/integrity.sh.in index 3a77ef16..3d3d071b 100644 --- a/scripts/libmakepkg/integrity.sh.in +++ b/scripts/libmakepkg/integrity.sh.in @@ -34,11 +34,13 @@ check_source_integrity() { warning "$(gettext "Skipping all source file integrity checks.")" elif (( SKIPCHECKSUMS )); then warning "$(gettext "Skipping verification of source file checksums.")" + get_pgpsigs "$@" check_pgpsigs "$@" elif (( SKIPPGPCHECK )); then warning "$(gettext "Skipping verification of source file PGP signatures.")" check_checksums "$@" else + get_pgpsigs "$@" check_checksums "$@" check_pgpsigs "$@" fi diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in index b5577523..e8890932 100644 --- a/scripts/libmakepkg/integrity/verify_signature.sh.in +++ b/scripts/libmakepkg/integrity/verify_signature.sh.in @@ -26,6 +26,28 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'} source "$LIBRARY/util/message.sh" source "$LIBRARY/util/pkgbuild.sh" +get_pgpsigs() { + ! source_has_signatures && return 0 + (( ! RECVKEYS )) && return 0 + + msg "$(gettext "Receiving PGP keys for verifying source file signatures with %s...")" "gpg" + + local key + local errors=0 + + for key in "${validpgpkeys[@]}"; do + gpg --recv-keys "$key" + if [ $? != 0 ]; then + errors=1 + fi + done + + if (( errors )); then + error "$(gettext "One or more PGP keys could not be retrieved!")" + exit 1 + fi +} + check_pgpsigs() { (( SKIPPGPCHECK )) && return 0 ! source_has_signatures && return 0 diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 29408929..1a6ca831 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -78,6 +78,7 @@ NOEXTRACT=0 PKGFUNC=0 PKGVERFUNC=0 PREPAREFUNC=0 +RECVKEYS=0 REPKG=0 RMDEPS=0 SKIPCHECKSUMS=0 @@ -1044,6 +1045,14 @@ check_software() { fi fi + # gpg - receive source verification keys + if (( RECVKEYS )) && source_has_signatures; then + if ! type -p gpg >/dev/null; then + error "$(gettext "Cannot find the %s binary required for receiving keys for verifying source files.")" "gpg" + ret=1 + fi + fi + # checksum operations if (( GENINTEG || ! SKIPCHECKSUMS )); then local integlist @@ -1218,6 +1227,7 @@ usage() { printf -- "$(gettext " --nosign Do not create a signature for the package")\n" printf -- "$(gettext " --packagelist Only list packages that would be produced, without PKGEXT")\n" printf -- "$(gettext " --printsrcinfo Print the generated SRCINFO and exit")\n" + printf -- "$(gettext " --recvkeys Receive PGP Keys used for verifying source integrity")\n" printf -- "$(gettext " --sign Sign the resulting package with %s")\n" "gpg" printf -- "$(gettext " --skipchecksums Do not verify checksums of the source files")\n" printf -- "$(gettext " --skipinteg Do not perform any verification checks on source files")\n" @@ -1263,8 +1273,8 @@ OPT_SHORT="AcCdefFghiLmop:rRsSV" OPT_LONG=('allsource' 'check' 'clean' 'cleanbuild' 'config:' 'force' 'geninteg' 'help' 'holdver' 'ignorearch' 'install' 'key:' 'log' 'noarchive' 'nobuild' 'nocolor' 'nocheck' 'nodeps' 'noextract' 'noprepare' 'nosign' 'packagelist' - 'printsrcinfo' 'repackage' 'rmdeps' 'sign' 'skipchecksums' 'skipinteg' - 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version') + 'printsrcinfo' 'recvkeys' 'repackage' 'rmdeps' 'sign' 'skipchecksums' + 'skipinteg' 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version') # Pacman Options OPT_LONG+=('asdeps' 'noconfirm' 'needed' 'noprogressbar') @@ -1309,6 +1319,7 @@ while true; do -p) shift; BUILDFILE=$1 ;; --packagelist) PACKAGELIST=1 IGNOREARCH=1;; --printsrcinfo) PRINTSRCINFO=1 IGNOREARCH=1;; + --recvkeys) RECVKEYS=1 ;; -r|--rmdeps) RMDEPS=1 ;; -R|--repackage) REPKG=1 ;; --sign) SIGNPKG='y' ;; -- 2.12.1
Hi, Le 03/04/2017 à 18:37, alzeih@gmail.com a écrit :
This makes automating PGP keys for verifying source file signatures possible.
This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs.
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Regards, Bruno
On 04/04/17 11:45, Bruno Pagani wrote:
Hi,
Le 03/04/2017 à 18:37, alzeih@gmail.com a écrit :
This makes automating PGP keys for verifying source file signatures possible.
This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs.
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow.
Given this feature exists, I will not be adding this option to makepkg. Allan
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow.
Okay, I didn't know about this feature of gnupg, so thanks for that. Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg. It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting. As for automation, the above setting is a couple of extra steps but that's probably fine (with automation). Thanks, Alli
Le 03/04/2017 à 19:02, Alli a écrit :
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Okay, I didn't know about this feature of gnupg, so thanks for that.
Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg.
It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting.
I think that all uses cases can come with a solution without having to modify makepkg. The one you describe means that people don’t really care about checking the keys by themselves, so the AUR helper they use could probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
On 04/04/17 12:43, Bruno Pagani wrote:
Le 03/04/2017 à 19:02, Alli a écrit :
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Okay, I didn't know about this feature of gnupg, so thanks for that.
Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg.
It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting.
I think that all uses cases can come with a solution without having to modify makepkg. The one you describe means that people don’t really care about checking the keys by themselves, so the AUR helper they use could probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
What is there to check? You are not explicitly trusting the key in your keyring - only downloading it. makepkg then confirms the key matches the fingerprint given to determine it is the key "trusted" by the packager. A
Le 03/04/2017 à 19:46, Allan McRae a écrit :
On 04/04/17 12:43, Bruno Pagani wrote:
Le 03/04/2017 à 19:02, Alli a écrit :
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Okay, I didn't know about this feature of gnupg, so thanks for that.
Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg.
It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting. I think that all uses cases can come with a solution without having to modify makepkg. The one you describe means that people don’t really care about checking the keys by themselves, so the AUR helper they use could probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
What is there to check? You are not explicitly trusting the key in your keyring - only downloading it. makepkg then confirms the key matches the fingerprint given to determine it is the key "trusted" by the packager.
A
You might not trust the packager/maintainer. You might want to check this is the right key by looking at the sigs, checking whether you have a path to it, or whatever. I’ve also seen people using --lsign, but not sure why. But my point here is more that you might want to have automatic key retrieval for makepkg but not for other PGP uses for whatever reason. But this is solved by a separated GNUPGHOME. So no reason to discuss it further, since in the end we both agree that there is no reason to bake that into makepkg. Bruno
On Tue, 4 Apr 2017 at 14:41 Bruno Pagani <bruno.n.pagani@gmail.com> wrote: ...
probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
Setting GNUPGHOME allows for a separate keyring if that's wanted. It's required when building as a user without a home directory (eg: nobody). I'm not using an AUR helper so without the above patch I need to make gnupg create the appropriate files ($GNUPGHOME/gpg.conf), edit the config, then run makepkg.
Le 03/04/2017 à 20:03, Alli a écrit :
On Tue, 4 Apr 2017 at 14:41 Bruno Pagani <bruno.n.pagani@gmail.com> wrote: ...
probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
Setting GNUPGHOME allows for a separate keyring if that's wanted.
It's required when building as a user without a home directory (eg: nobody).
I'm not using an AUR helper so without the above patch I need to make gnupg create the appropriate files ($GNUPGHOME/gpg.conf), edit the config, then run makepkg.
Then you only have to set it once, and then just alias makepkg or write a wrapper setting this var. Bruno
participants (4)
-
Allan McRae
-
Alli
-
alzeih@gmail.com
-
Bruno Pagani