[pacman-dev] [PATCH] GPG signature option in makepkg
From: Geoffroy Carrier <geoffroy.carrier@koon.fr> --- scripts/makepkg.sh.in | 24 ++++++++++++++++++------ 1 files changed, 18 insertions(+), 6 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 6e2f1ad..1314a51 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -54,6 +54,7 @@ INFAKEROOT=0 GENINTEG=0 INSTALL=0 NOBUILD=0 +SIGN=0 NODEPS=0 NOEXTRACT=0 RMDEPS=0 @@ -855,6 +856,19 @@ create_package() { fi } +create_signature() { + [ "$SIGN" = "0" ] && return + msg "$(gettext "Signing package...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi + if ! gpg --detach-sign "$PKGDEST/${pkgname}-${pkgver}-${pkgrel}-${CARCH}${PKGEXT}"; then + error "$(gettext "Failed to sign package file.")" + # exit 1 # It's easy to sign manually, so doesn't seem a big failure to gcarrier. + fi +} + create_xdelta() { if [ "$(check_buildenv xdelta)" != "y" ]; then return @@ -1127,7 +1141,7 @@ SRCDEST=${SRCDEST:-$startdir} #default to $startdir if undefined # Parse Command Line Options. OPT_SHORT="AbcCdefFghiLmop:rRsSV" OPT_LONG="ignorearch,asroot,builddeps,clean,cleancache,nodeps,noextract,force,forcever:,geninteg,help,holdver" -OPT_LONG="$OPT_LONG,install,log,nocolor,nobuild,rmdeps,repackage,source,syncdeps,usesudo,version" +OPT_LONG="$OPT_LONG,install,log,nocolor,nobuild,rmdeps,repackage,source,syncdeps,sign,version" # Pacman Options OPT_LONG="$OPT_LONG,noconfirm,noprogressbar" OPT_TEMP="$(getopt -o "$OPT_SHORT" -l "$OPT_LONG" -n "$(basename "$0")" -- "$@" || echo 'GETOPT GO BANG!')" @@ -1166,11 +1180,7 @@ while true; do -R|--repackage) REPKG=1 ;; --source) SOURCEONLY=1 ;; -s|--syncdeps) DEP_BIN=1 ;; - - # BEGIN DEPRECATED - -S|--usesudo) - warning "$(gettext "Sudo is used by default now. The --usesudo option is deprecated!")" ;; - # END DEPRECATED + -S|--sign) SIGN=1 ;; -h|--help) usage; exit 0 ;; # E_OK -V|--version) version; exit 0 ;; # E_OK 
@@ -1494,6 +1504,8 @@ fi msg "$(gettext "Finished making: %s")" "$pkgname $pkgver-$pkgrel $CARCH ($(date))" +create_signature + install_package exit 0 #E_OK -- 1.5.5.3
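Review bot: in create_signature(), a failed `gpg --detach-sign` only prints "Failed to sign package file." and falls through, because the `exit 1` is commented out, so a run started with `--sign` can reach `install_package` and `exit 0` with no signature produced and nothing in the exit status for a wrapper script to act on. Either make that path a `warning` and document it, or return a non-zero code; calling `error` without failing is ambiguous. Also, `[ ! $(type -p "gpg") ]` leaves the substitution unquoted and only works because the test collapses to `[ ! ]` when gpg is absent; `if ! type -p gpg >/dev/null; then` expresses the same check without relying on word splitting.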
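Review bot: in the option-parsing hunk, `-S` is taken away from the deprecated `--usesudo` and given to `--sign` in the same commit, so an existing script that still passes `-S` silently goes from a deprecation warning to running gpg on the built package. Keep the deprecated case for a release and use an unused short letter or a long-only `--sign`. None of the hunks adds the new option to usage() either.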
Excerpts from Geoffroy Carrier's message of Mon Jun 02 03:04:40 +0200 2008:
From: Geoffroy Carrier <geoffroy.carrier@koon.fr>
And this guy could explain what he does... Sorry, I'm still learning git. Dozens of thanks to toofishes: without him, this patch might still be in my computer, or not, but never here.

My idea is that devs could sign packages in the main repos. Those signatures would be embedded into the db file. [core] could include some 'archlinux-keyring', which would provide /etc/pacman.d/archlinux-keyring. Adapt this to any other distribution, BTW.

For pacman's options, at least 3 choices are possible:
- An option to disable signature checks or specify the keyring
- The same thing, repository-based (you can use a different keyring for each repository)
- An option to enable/disable signature checks, and then pacman interactively prompts the user whether he trusts or not the packager. It could automatically get the key when it doesn't have it, and use gnupg's web of trust. Then archlinux-keyring would be useless. It's theoretically the best solution, but I prefer the first two.

--
Geoffroy Carrier http://gcarrier.koon.fr/
On Sun, Jun 1, 2008 at 8:04 PM, <geoffroy.carrier@koon.fr> wrote:
From: Geoffroy Carrier <geoffroy.carrier@koon.fr>
--- scripts/makepkg.sh.in | 24 ++++++++++++++++++------ 1 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 6e2f1ad..1314a51 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -54,6 +54,7 @@ INFAKEROOT=0 GENINTEG=0 INSTALL=0 NOBUILD=0 +SIGN=0 NODEPS=0 NOEXTRACT=0 RMDEPS=0 @@ -855,6 +856,19 @@ create_package() { fi }
+create_signature() { + [ "$SIGN" = "0" ] && return + msg "$(gettext "Signing package...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM
Hmm, maybe a warning rather than an error here as the package build itself did not fail? This is similar to the patch we just added so that failure to uninstall deps does not result in a failure code being returned.
Please add at least a line or two of comments for your next submit, but you already let me know you just forgot here. :)
+ fi + if ! gpg --detach-sign "$PKGDEST/${pkgname}-${pkgver}-${pkgrel}-${CARCH}${PKGEXT}"; then
Minor issue, but we tend to use this format around makepkg:
    local ret=0
    gpg ..... || ret=$?
    if [ $ret -eq 0 ]; then
        # success
    else
        # failure
    fi
That way we can also have a:
    msg2 "$(gettext "Created signature file %s.")" $filename.sig
I can't believe we don't have a variable for that file name, hmm. We use it an awful lot.
+ error "$(gettext "Failed to sign package file.")" + # exit 1 # It's easy to sign manually, so doesn't seem a big failure to gcarrier.
Yeah, I'd drop this to a warning. I think it will be more clear in a second.
+ fi +} + create_xdelta() { if [ "$(check_buildenv xdelta)" != "y" ]; then return @@ -1127,7 +1141,7 @@ SRCDEST=${SRCDEST:-$startdir} #default to $startdir if undefined # Parse Command Line Options. OPT_SHORT="AbcCdefFghiLmop:rRsSV" OPT_LONG="ignorearch,asroot,builddeps,clean,cleancache,nodeps,noextract,force,forcever:,geninteg,help,holdver" -OPT_LONG="$OPT_LONG,install,log,nocolor,nobuild,rmdeps,repackage,source,syncdeps,usesudo,version" +OPT_LONG="$OPT_LONG,install,log,nocolor,nobuild,rmdeps,repackage,source,syncdeps,sign,version" # Pacman Options OPT_LONG="$OPT_LONG,noconfirm,noprogressbar" OPT_TEMP="$(getopt -o "$OPT_SHORT" -l "$OPT_LONG" -n "$(basename "$0")" -- "$@" || echo 'GETOPT GO BANG!')" @@ -1166,11 +1180,7 @@ while true; do -R|--repackage) REPKG=1 ;; --source) SOURCEONLY=1 ;; -s|--syncdeps) DEP_BIN=1 ;; - - # BEGIN DEPRECATED - -S|--usesudo) - warning "$(gettext "Sudo is used by default now. The --usesudo option is deprecated!")" ;; - # END DEPRECATED + -S|--sign) SIGN=1 ;;
Rather than do this as an option, why don't we add it as a buildenv option so we don't have to manually specify -S every time? This is how xdelta, distcc, ccache, etc. work now and I think it would be the best way to go. That way a developer could easily enable or disable the signing of all packages in one place.
-h|--help) usage; exit 0 ;; # E_OK -V|--version) version; exit 0 ;; # E_OK @@ -1494,6 +1504,8 @@ fi
msg "$(gettext "Finished making: %s")" "$pkgname $pkgver-$pkgrel $CARCH ($(date))"
+create_signature + install_package
exit 0 #E_OK --
Thanks for starting the whole signed packages thing. We have to do it one step at a time, and this is definitely the best place to start. -Dan
From: Geoffroy Carrier <geoffroy.carrier@koon.fr> Now uses a BUILDENV option instead of a command line option, deprecated --usesudo is back in place. Of course, this patch applies on master, so please forget about the previous patch. For your $filename remark, i might write a biiig patch when I get enough motivation. If someone else want to do it, please do :) --- etc/makepkg.conf.in | 5 +++-- scripts/makepkg.sh.in | 22 ++++++++++++++++++++++ 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in index 47ed0a4..7d1fbb8 100644 --- a/etc/makepkg.conf.in +++ b/etc/makepkg.conf.in @@ -38,7 +38,7 @@ CXXFLAGS="@CARCHFLAGS@-mtune=generic -O2 -pipe" # BUILD ENVIRONMENT ######################################################################### # -# Defaults: BUILDENV=(fakeroot !distcc color !ccache !xdelta) +# Defaults: BUILDENV=(fakeroot !distcc color !ccache !xdelta !sign) # A negated environment option will do the opposite of the comments below. # #-- fakeroot: Allow building packages as a non-root user @@ -46,8 +46,9 @@ CXXFLAGS="@CARCHFLAGS@-mtune=generic -O2 -pipe" #-- color: Colorize output messages #-- ccache: Use ccache to cache compilation #-- xdelta: Generate delta patch from previous to current package +#-- sign: Generate PGP signature file # -BUILDENV=(fakeroot !distcc color !ccache !xdelta) +BUILDENV=(fakeroot !distcc color !ccache !xdelta !sign) # #-- If using DistCC, your MAKEFLAGS will also need modification. In addition, #-- specify a space-delimited list of hosts running in the DistCC cluster. diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 6e2f1ad..409cae5 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in 
@@ -855,6 +855,26 @@ create_package() { fi } +create_signature() { + if [ "$(check_buildenv sign)" != "y" ]; then + return + fi + [ "$SIGN" = "0" ] && return + local ret = 0 + local filename = "$PKGDEST/${pkgname}-${pkgver}-${pkgrel}-${CARCH}${PKGEXT}" + msg "$(gettext "Signing package...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi + gpg --detach-sign $filename || ret = $? + if [ $ret -eq 0 ]; then + msg2 "$(gettext "Created signature file %s.")" $filename.sig + else + warning "$(gettext "Failed to sign package file.")" + fi +} + create_xdelta() { if [ "$(check_buildenv xdelta)" != "y" ]; then return @@ -1494,6 +1514,8 @@ fi msg "$(gettext "Finished making: %s")" "$pkgname $pkgver-$pkgrel $CARCH ($(date))" +create_signature + install_package exit 0 #E_OK -- 1.5.5.3
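Review bot: in create_signature(), `local ret = 0`, `local filename = "$PKGDEST/..."` and `ret = $?` have spaces around `=`, which bash does not parse as assignments: `local` is handed `=` as a name and rejects it, `filename` stays empty, and `ret = $?` tries to run a command called `ret`. As written, gpg is invoked with no file argument and the `[ $ret -eq 0 ]` test sees an empty `$ret`. Write `local ret=0`, `local filename="$PKGDEST/..."` and `gpg --detach-sign "$filename" || ret=$?`, quoting `$filename` since PKGDEST may contain spaces. The leftover `[ "$SIGN" = "0" ] && return` tests a variable this version never sets and should be dropped.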
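Review bot: the new `#-- sign: Generate PGP signature file` comment in makepkg.conf.in does not say which key signs; `gpg --detach-sign` is called with no key selection, so the key is whatever gpg treats as the default for the building user. State that in the comment, and document the option in the makepkg.conf man page, which this patch does not touch (the diffstat lists only etc/makepkg.conf.in and scripts/makepkg.sh.in).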
Excerpts from Geoffroy Carrier's message of Mon Jun 02 05:32:02 +0200 2008:
+ [ "$SIGN" = "0" ] && return
How @#$%^&* I am. Forget about this, btw.
-- Geoffroy Carrier http://gcarrier.koon.fr/
On Sun, Jun 1, 2008 at 10:32 PM, <geoffroy.carrier@koon.fr> wrote:
From: Geoffroy Carrier <geoffroy.carrier@koon.fr>
Now uses a BUILDENV option instead of a command line option, deprecated --usesudo is back in place. Of course, this patch applies on master, so please forget about the previous patch. For your $filename remark, I might write a biiig patch when I get enough motivation. If someone else wants to do it, please do :)
---
So FYI, any comments you include here in a patch (below the triple dash and before the first 'diff --git') won't be included when someone actually goes to apply the patch. So things like the $filename remark should probably go here as they aren't relevant to the actual patch being proposed, but are useful information on the mailing list. In addition, putting my name in the Subject will also cause me to have to manually edit your commit message, so please refrain from that in the future and make that comment here. :) I'm not trying to come across as the patch asshole here, I'm just trying to make it easier for me to get these applied ASAP once everyone likes the content.
With that said, this patch is exactly what I was thinking, and I like it. My only other request would be that thing called documentation, namely makepkg.conf.5. It should be an easy addition, and I won't make you resubmit if there is a grammar issue, I'll just fix it. Thanks!
etc/makepkg.conf.in | 5 +++-- scripts/makepkg.sh.in | 22 ++++++++++++++++++++++ 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in index 47ed0a4..7d1fbb8 100644 --- a/etc/makepkg.conf.in +++ b/etc/makepkg.conf.in @@ -38,7 +38,7 @@ CXXFLAGS="@CARCHFLAGS@-mtune=generic -O2 -pipe" # BUILD ENVIRONMENT ######################################################################### # -# Defaults: BUILDENV=(fakeroot !distcc color !ccache !xdelta) +# Defaults: BUILDENV=(fakeroot !distcc color !ccache !xdelta !sign) # A negated environment option will do the opposite of the comments below. # #-- fakeroot: Allow building packages as a non-root user @@ -46,8 +46,9 @@ CXXFLAGS="@CARCHFLAGS@-mtune=generic -O2 -pipe" #-- color: Colorize output messages #-- ccache: Use ccache to cache compilation #-- xdelta: Generate delta patch from previous to current package +#-- sign: Generate PGP signature file
with default key? I'm just trying to think if there is any ambiguity here.
# -BUILDENV=(fakeroot !distcc color !ccache !xdelta) +BUILDENV=(fakeroot !distcc color !ccache !xdelta !sign) # #-- If using DistCC, your MAKEFLAGS will also need modification. In addition, #-- specify a space-delimited list of hosts running in the DistCC cluster. diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 6e2f1ad..409cae5 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -855,6 +855,26 @@ create_package() { fi }
+create_signature() { + if [ "$(check_buildenv sign)" != "y" ]; then + return + fi + [ "$SIGN" = "0" ] && return
You already called yourself out here, so make sure you don't mess up twice and fix this before the resubmit.
+ local ret = 0 + local filename = "$PKGDEST/${pkgname}-${pkgver}-${pkgrel}-${CARCH}${PKGEXT}" + msg "$(gettext "Signing package...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi + gpg --detach-sign $filename || ret = $? + if [ $ret -eq 0 ]; then + msg2 "$(gettext "Created signature file %s.")" $filename.sig + else + warning "$(gettext "Failed to sign package file.")" + fi +}
Looks great now, awesome.
+ create_xdelta() { if [ "$(check_buildenv xdelta)" != "y" ]; then return @@ -1494,6 +1514,8 @@ fi
msg "$(gettext "Finished making: %s")" "$pkgname $pkgver-$pkgrel $CARCH ($(date))"
+create_signature + install_package
exit 0 #E_OK -- 1.5.5.3
participants (3)
- Dan McGee
- Geoffroy Carrier
- geoffroy.carrier@koon.fr