[pacman-dev] [PATCH 2/2] repo-add: add option to specify a different key to sign
There may be some situations when one needs to specify a different key from user's default. The option -k or --signwithkey accepts a key identifier and uses that in the signing command. Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto@gmail.com> --- There was a different version of this patch sent some time ago. For some reason, just the part for makepkg was merged. So, now I'm sending a little better version for repo-add/remove. scripts/repo-add.sh.in | 36 ++++++++++++++++++++++++++++-------- 1 files changed, 28 insertions(+), 8 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index cb545f3..7b9e85f 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -66,7 +66,8 @@ usage() { cmd="$(basename $0)" printf "%s (pacman) %s\n\n" "$cmd" "$myver" if [[ $cmd == "repo-add" ]] ; then - printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> ...\n")" + printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s [-k|--signwithkey key]]\n")" + printf "$(gettext " [-v] <path-to-db> <package|delta> ...\n")" printf "$(gettext "\ repo-add will update a package database by reading a package file.\n\ Multiple packages to add can be specified on the command line.\n\n")" 
@@ -74,16 +75,18 @@ Multiple packages to add can be specified on the command line.\n\n")" printf "$(gettext " -d, --delta generate and add delta for package update\n")" printf "$(gettext " -f, --files update database's file list\n")" elif [[ $cmd == "repo-remove" ]] ; then - printf "$(gettext "Usage: repo-remove [-q] [-s] [-v] <path-to-db> <packagename|delta> ...\n\n")" + printf "$(gettext "Usage: repo-remove [-q] [-s [-k|--signwithkey key]]\n")" + printf "$(gettext " [-v] <path-to-db> <packagename|delta> ...\n\n")" printf "$(gettext "\ repo-remove will update a package database by removing the package name\n\ specified on the command line from the given repo database. Multiple\n\ packages to remove can be specified on the command line.\n\n")" printf "$(gettext "Options:\n")" fi - printf "$(gettext " -q, --quiet minimize output\n")" - printf "$(gettext " -s, --sign sign database with GnuPG after update\n")" - printf "$(gettext " -v, --verify verify database's signature before update\n")" + printf "$(gettext " -q, --quiet minimize output\n")" + printf "$(gettext " -s, --sign sign database with GnuPG after update\n")" + printf "$(gettext " -k, --signwithkey <key> use the specified key to sign the repository\n")" + printf "$(gettext " -v, --verify verify database's signature before update\n")" printf "$(gettext "\n\ See %s(8) for more details and descriptions of the available options.\n\n")" $cmd if [[ $cmd == "repo-add" ]] ; then @@ -204,7 +207,13 @@ create_signature() { error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" exit 1 # $E_MISSING_PROGRAM fi - gpg --detach-sign --use-agent "$dbfile" || ret=$? + + # Check if SIGNKEY is valid. + local SIGNWITHKEY="" + if [[ "${SIGNKEY}" ]]; then + SIGNWITHKEY="-u ${SIGNKEY}" + fi + gpg --detach-sign ${SIGNWITHKEY} "$dbfile" || ret=$? if (( ! ret )); then msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig" else 
@@ -226,7 +235,7 @@ verify_signature() { warning "$(gettext "No existing signature found, skipping verification.")" return fi - gpg --verify "$dbfile.sig" || ret=$? + gpg --verify "$dbfile.sig" &>/dev/null || ret=$? if (( ! ret )); then msg2 "$(gettext "Database signature file verified.")" else @@ -542,12 +551,22 @@ trap 'trap_exit "$(gettext "An unknown error has occured. Exiting...")"' ERR success=0 # parse arguments -for arg in "$@"; do +while [[ $# > 0 ]]; do + arg="$1" case "$arg" in -q|--quiet) QUIET=1;; -d|--delta) DELTA=1;; -f|--files) WITHFILES=1;; -s|--sign) SIGN=1;; + -k|--signwithkey) + shift + SIGNKEY="$1" + # Check if key exists, to stop as early as possible + if ! gpg --list-key "${SIGNKEY}" &>/dev/null; then + error "$(gettext "The key ${SIGNKEY} doesnn't exist.")" + exit 1 + fi + ;; -v|--verify) VERIFY=1;; *) if [[ -z $REPO_DB_FILE ]]; then @@ -562,6 +581,7 @@ for arg in "$@"; do fi ;; esac + shift done # if at least one operation was a success, re-zip database -- 1.7.4.2
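Review bot: in the usage() hunks the new option is shown only as a sub-option of -s (`[-s [-k|--signwithkey key]]`), but nothing in the parser hunk ties the two together: -k given without -s is accepted and silently has no effect. Either document -k as an independent option or emit a warning when SIGNKEY is set and SIGN is not, so a user does not believe the database was signed with their chosen key.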
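Review bot: in the create_signature() hunk, `gpg --detach-sign ${SIGNWITHKEY} "$dbfile"` depends on unquoted word splitting of SIGNWITHKEY to turn "-u key" into two arguments, so a key identifier containing whitespace (a user id such as `John Doe <john@example.org>`) is split into several arguments and gpg is passed the wrong selector. `gpg --detach-sign ${SIGNKEY:+-u "$SIGNKEY"} "$dbfile"` avoids both the splitting and the SIGNWITHKEY temporary. The hunk also drops `--use-agent` from the gpg invocation, a behaviour change that neither the commit message nor the comment mentions, and the comment "Check if SIGNKEY is valid" only tests whether the variable is non-empty; it should say so, since the existence check lives in the argument parser.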
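Review bot: the verify_signature() hunk sends all gpg output to /dev/null, so when verification fails the user gets only the script's generic error and loses gpg's stated reason (bad signature, missing public key, expired key), which is exactly the information needed to decide whether the database has been tampered with. Keep stderr, or capture it and print it in the failure branch. This change is also unrelated to the option the commit message describes and belongs in a separate patch.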
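Review bot: in the argument parsing hunk, `[[ $# > 0 ]]` is a string comparison inside `[[ ]]`; use `(( $# > 0 ))` or `[[ $# -gt 0 ]]`. After `shift` in the `-k|--signwithkey` branch there is no check that a key argument was actually supplied: with `-k` as the last argument SIGNKEY is empty, `gpg --list-key ""` lists every key and succeeds, and the script continues as if a key had been given. The check itself only confirms that a public key exists, while signing needs the secret key, so `gpg --list-secret-keys "$SIGNKEY"` matches the intent. The error message interpolates `${SIGNKEY}` inside the gettext msgid, so it can never match a translation; use `error "$(gettext "The key %s doesn't exist.")" "$SIGNKEY"`, which also fixes the "doesnn't" typo.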
On 02/04/11 10:37, Denis A. Altoé Falqueto wrote:
> There may be some situations when one needs to specify a different key from user's default. The option -k or --signwithkey accepts a key identifier and uses that in the signing command.
>
> Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto@gmail.com>
> ---
> There was a different version of this patch sent some time ago. For some reason, just the part for makepkg was merged. So, now I'm sending a little better version for repo-add/remove.
Hi Denis,

I had the rest of the patch on my pull list. I split it up as it is easier to deal with one tool at a time to get this finished.

A slightly modified version will be in the repo-add patch series that I am about to send. I mainly adjusted the --signwithkey flag to be --key and used the GPGKEY variable name so that it is consistent with makepkg.

Allan
On Sun, Apr 24, 2011 at 8:25 AM, Allan McRae <allan@archlinux.org> wrote:
> Hi Denis,
>
> I had the rest of the patch on my pull list. I split it up as it is easier to deal with one tool at a time to get this finished.
>
> A slightly modified version will be in the repo-add patch series that I am about to send. I mainly adjusted the --signwithkey flag to be --key and used the GPGKEY variable name so that it is consistent with makepkg.
Ok, feel free to do whatever you find appropriate with it. I'm very excited to see the signature feature moving forward, even though I can't help very much right now.

--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------