This makes it possible to automate retrieving the PGP keys needed to verify source file signatures.
This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs.
Signed-off-by: Alli
---
doc/makepkg.8.txt | 4 ++++
scripts/libmakepkg/integrity.sh.in | 2 ++
.../libmakepkg/integrity/verify_signature.sh.in | 22 ++++++++++++++++++++++
scripts/makepkg.sh.in | 15 +++++++++++++--
4 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/doc/makepkg.8.txt b/doc/makepkg.8.txt
index 2dff1b19..88b709f4 100644
--- a/doc/makepkg.8.txt
+++ b/doc/makepkg.8.txt
@@ -171,6 +171,10 @@ Options
*\--noprepare*::
Do not run the prepare() function in the PKGBUILD.
+*\--recvkeys*::
+ Retrieve PGP signing keys used in the PKGBUILD for verifying source
+ integrity into the gpg keyring.
+
*\--sign*::
Sign the resulting package with gpg, overriding the setting in
linkman:makepkg.conf[5].
diff --git a/scripts/libmakepkg/integrity.sh.in b/scripts/libmakepkg/integrity.sh.in
index 3a77ef16..3d3d071b 100644
--- a/scripts/libmakepkg/integrity.sh.in
+++ b/scripts/libmakepkg/integrity.sh.in
@@ -34,11 +34,13 @@ check_source_integrity() {
warning "$(gettext "Skipping all source file integrity checks.")"
elif (( SKIPCHECKSUMS )); then
warning "$(gettext "Skipping verification of source file checksums.")"
+ get_pgpsigs "$@"
check_pgpsigs "$@"
elif (( SKIPPGPCHECK )); then
warning "$(gettext "Skipping verification of source file PGP signatures.")"
check_checksums "$@"
else
+ get_pgpsigs "$@"
check_checksums "$@"
check_pgpsigs "$@"
fi
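Review bot: In the full-verification branch after `else`, `get_pgpsigs "$@"` runs before `check_checksums "$@"`, so a network fetch from the keyserver happens, and can abort the build, before the offline checksum check has had a chance to report a corrupted or tampered download. Reordering the branch to `check_checksums "$@"`, then `get_pgpsigs "$@"`, then `check_pgpsigs "$@"` keeps keyserver access as the last step and surfaces the cheaper, more common failure first. That get_pgpsigs aborts on retrieval failure is inferred from its definition elsewhere in this patch; the start of check_source_integrity lies outside this hunk.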
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index b5577523..e8890932 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -26,6 +26,28 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
source "$LIBRARY/util/message.sh"
source "$LIBRARY/util/pkgbuild.sh"
+get_pgpsigs() {
+ ! source_has_signatures && return 0
+ (( ! RECVKEYS )) && return 0
+
+ msg "$(gettext "Receiving PGP keys for verifying source file signatures with %s...")" "gpg"
+
+ local key
+ local errors=0
+
+ for key in "${validpgpkeys[@]}"; do
+ gpg --recv-keys "$key"
+ if [ $? != 0 ]; then
+ errors=1
+ fi
+ done
+
+ if (( errors )); then
+ error "$(gettext "One or more PGP keys could not be retrieved!")"
+ exit 1
+ fi
+}
+
check_pgpsigs() {
(( SKIPPGPCHECK )) && return 0
! source_has_signatures && return 0
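Review bot: The loop at `gpg --recv-keys "$key"` passes every validpgpkeys entry to the keyserver unchecked, but only a full 40-hex-digit fingerprint identifies a key unambiguously; a short or long key ID can match a colliding key, and a key imported this way is then available to check_pgpsigs under an identifier the PKGBUILD already lists (how check_pgpsigs treats listed keys is outside this hunk, so confirm that before relying on it). I would reject non-fingerprint entries before fetching and report them as errors rather than fetching whatever the keyserver returns. The `if [ $? != 0 ]` test is also more idiomatically written as `if ! gpg --recv-keys "$key"; then`, and `exit 1` from a library function is worth a second look against how the sibling integrity functions signal failure (not visible here).
```shell
	for key in "${validpgpkeys[@]}"; do
		# Only a full fingerprint names one key; short/long IDs can collide
		# on the keyserver and would import a key the PKGBUILD never meant.
		if [[ ! $key =~ ^[[:xdigit:]]{40}$ ]]; then
			error "$(gettext "Key %s in %s is not a full fingerprint; refusing to retrieve it.")" "$key" "validpgpkeys"
			errors=1
			continue
		fi
		if ! gpg --recv-keys "$key"; then
			errors=1
		fi
	done
	# … unchanged: error summary and exit …
```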
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 29408929..1a6ca831 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -78,6 +78,7 @@ NOEXTRACT=0
PKGFUNC=0
PKGVERFUNC=0
PREPAREFUNC=0
+RECVKEYS=0
REPKG=0
RMDEPS=0
SKIPCHECKSUMS=0
@@ -1044,6 +1045,14 @@ check_software() {
fi
fi
+ # gpg - receive source verification keys
+ if (( RECVKEYS )) && source_has_signatures; then
+ if ! type -p gpg >/dev/null; then
+ error "$(gettext "Cannot find the %s binary required for receiving keys for verifying source files.")" "gpg"
+ ret=1
+ fi
+ fi
+
# checksum operations
if (( GENINTEG || ! SKIPCHECKSUMS )); then
local integlist
@@ -1218,6 +1227,7 @@ usage() {
printf -- "$(gettext " --nosign Do not create a signature for the package")\n"
printf -- "$(gettext " --packagelist Only list packages that would be produced, without PKGEXT")\n"
printf -- "$(gettext " --printsrcinfo Print the generated SRCINFO and exit")\n"
+ printf -- "$(gettext " --recvkeys Receive PGP Keys used for verifying source integrity")\n"
printf -- "$(gettext " --sign Sign the resulting package with %s")\n" "gpg"
printf -- "$(gettext " --skipchecksums Do not verify checksums of the source files")\n"
printf -- "$(gettext " --skipinteg Do not perform any verification checks on source files")\n"
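Review bot: The new usage line says `Receive PGP Keys` while the neighbouring entries and the man page text in this patch use lower-case nouns ("Retrieve PGP signing keys"), so the help output reads inconsistently and introduces a second msgid for translators. Align the wording with the man page: `printf -- "$(gettext " --recvkeys Retrieve PGP keys used for verifying source integrity")\n"`. The usage() function begins and ends outside this hunk.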
@@ -1263,8 +1273,8 @@ OPT_SHORT="AcCdefFghiLmop:rRsSV"
OPT_LONG=('allsource' 'check' 'clean' 'cleanbuild' 'config:' 'force' 'geninteg'
'help' 'holdver' 'ignorearch' 'install' 'key:' 'log' 'noarchive' 'nobuild'
'nocolor' 'nocheck' 'nodeps' 'noextract' 'noprepare' 'nosign' 'packagelist'
- 'printsrcinfo' 'repackage' 'rmdeps' 'sign' 'skipchecksums' 'skipinteg'
- 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version')
+ 'printsrcinfo' 'recvkeys' 'repackage' 'rmdeps' 'sign' 'skipchecksums'
+ 'skipinteg' 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version')
# Pacman Options
OPT_LONG+=('asdeps' 'noconfirm' 'needed' 'noprogressbar')
@@ -1309,6 +1319,7 @@ while true; do
-p) shift; BUILDFILE=$1 ;;
--packagelist) PACKAGELIST=1 IGNOREARCH=1;;
--printsrcinfo) PRINTSRCINFO=1 IGNOREARCH=1;;
+ --recvkeys) RECVKEYS=1 ;;
-r|--rmdeps) RMDEPS=1 ;;
-R|--repackage) REPKG=1 ;;
--sign) SIGNPKG='y' ;;
--
2.12.1