[pacman-dev] [PATCH 0/6] repo-add: complete package signing work

newer
[pacman-dev] [GIT] The official...

older
[pacman-dev] [PATCH 1/4] be_sync:...

Allan McRae

24 Apr 2011 24 Apr '11

1:26 p.m.

With these patches, I beleive the package signing work for repo-add is feature complete and all documentation provided. Allan McRae (5): repo-add: simplify usage message repo-add: check for valid key when signing is requested repo-add: check for gpg early repo-add: document -k option repo-add: update copyright message Denis A. Altoé Falqueto (1): repo-add: add option to specify a different key to sign with doc/repo-add.8.txt | 9 ++++- scripts/repo-add.sh.in | 83 ++++++++++++++++++++++++++++++++--------------- 2 files changed, 63 insertions(+), 29 deletions(-) -- 1.7.4.4

Show replies by date

Allan McRae

24 Apr 24 Apr

1:26 p.m.

New subject: [pacman-dev] [PATCH 1/6] repo-add: simplify usage message

Listing every option on the usage line becomes unweildly as more options get added so simplify it. Also, provide a standard package name in the repo-add example. Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/repo-add.sh.in | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index cb545f3..df9442b 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -66,7 +66,7 @@ usage() { cmd="$(basename $0)" printf "%s (pacman) %s\n\n" "$cmd" "$myver" if [[ $cmd == "repo-add" ]] ; then - printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> ...\n")" + printf "$(gettext "Usage: repo-add [option(s)] <path-to-db> <package|delta> ...\n")" printf "$(gettext "\ repo-add will update a package database by reading a package file.\n\ Multiple packages to add can be specified on the command line.\n\n")" @@ -74,7 +74,7 @@ Multiple packages to add can be specified on the command line.\n\n")" printf "$(gettext " -d, --delta generate and add delta for package update\n")" printf "$(gettext " -f, --files update database's file list\n")" elif [[ $cmd == "repo-remove" ]] ; then - printf "$(gettext "Usage: repo-remove [-q] [-s] [-v] <path-to-db> <packagename|delta> ...\n\n")" + printf "$(gettext "Usage: repo-remove [option(s)] <path-to-db> <packagename|delta> ...\n\n")" printf "$(gettext "\ repo-remove will update a package database by removing the package name\n\ specified on the command line from the given repo database. Multiple\n\ @@ -87,7 +87,7 @@ packages to remove can be specified on the command line.\n\n")" printf "$(gettext "\n\ See %s(8) for more details and descriptions of the available options.\n\n")" $cmd if [[ $cmd == "repo-add" ]] ; then - echo "$(gettext "Example: repo-add /path/to/repo.db.tar.gz pacman-3.0.0.pkg.tar.gz")" + echo "$(gettext "Example: repo-add /path/to/repo.db.tar.gz pacman-3.0.0-1-i686.pkg.tar.gz")" elif [[ $cmd == "repo-remove" ]] ; then echo "$(gettext "Example: repo-remove /path/to/repo.db.tar.gz kernel26")" fi -- 1.7.4.4

Allan McRae

1:26 p.m.

New subject: [pacman-dev] [PATCH 2/6] repo-add: add option to specify a different key to sign with

From: Denis A. Altoé Falqueto <denisfalqueto@gmail.com> Add -k/--key option to specify a non-default key for signing a package database. Original-patch-by: Denis A. Altoé Falqueto <denisfalqueto@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/repo-add.sh.in | 38 +++++++++++++++++++++++++++----------- 1 files changed, 27 insertions(+), 11 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index df9442b..4f8ba2b 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -71,8 +71,8 @@ usage() { repo-add will update a package database by reading a package file.\n\ Multiple packages to add can be specified on the command line.\n\n")" printf "$(gettext "Options:\n")" - printf "$(gettext " -d, --delta generate and add delta for package update\n")" - printf "$(gettext " -f, --files update database's file list\n")" + printf "$(gettext " -d, --delta generate and add delta for package update\n")" + printf "$(gettext " -f, --files update database's file list\n")" elif [[ $cmd == "repo-remove" ]] ; then printf "$(gettext "Usage: repo-remove [option(s)] <path-to-db> <packagename|delta> ...\n\n")" printf "$(gettext "\ @@ -81,9 +81,10 @@ specified on the command line from the given repo database. Multiple\n\ packages to remove can be specified on the command line.\n\n")" printf "$(gettext "Options:\n")" fi - printf "$(gettext " -q, --quiet minimize output\n")" - printf "$(gettext " -s, --sign sign database with GnuPG after update\n")" - printf "$(gettext " -v, --verify verify database's signature before update\n")" + printf "$(gettext " -q, --quiet minimize output\n")" + printf "$(gettext " -s, --sign sign database with GnuPG after update\n")" + printf "$(gettext " -k, --key <key> use the specified key to sign the database\n")" + printf "$(gettext " -v, --verify verify database's signature before update\n")" printf "$(gettext "\n\ See %s(8) for more details and descriptions of the available options.\n\n")" $cmd if [[ $cmd == "repo-add" ]] ; then @@ -204,7 +205,13 @@ create_signature() { error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" exit 1 # $E_MISSING_PROGRAM fi - gpg --detach-sign --use-agent "$dbfile" || ret=$? + + local SIGNWITHKEY="" + if [[ -n $GPGKEY ]]; then + SIGNWITHKEY="-u ${GPGKEY}" + fi + gpg --detach-sign --use-agent ${SIGNWITHKEY} "$dbfile" &>/dev/null || ret=$? + if (( ! ret )); then msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig" else @@ -542,26 +549,35 @@ trap 'trap_exit "$(gettext "An unknown error has occured. Exiting...")"' ERR success=0 # parse arguments -for arg in "$@"; do - case "$arg" in +while [[ $# > 0 ]]; do + case "$1" in -q|--quiet) QUIET=1;; -d|--delta) DELTA=1;; -f|--files) WITHFILES=1;; -s|--sign) SIGN=1;; + -k|--key) + shift + GPGKEY="$1" + if ! gpg --list-key ${GPGKEY} &>/dev/null; then + error "$(gettext "The key ${GPGKEY} does not exist in your keyring.")" + exit 1 + fi + ;; -v|--verify) VERIFY=1;; *) if [[ -z $REPO_DB_FILE ]]; then - REPO_DB_FILE="$arg" + REPO_DB_FILE="$1" LOCKFILE="$REPO_DB_FILE.lck" check_repo_db else case "$cmd" in - repo-add) add $arg && success=1 ;; - repo-remove) remove $arg && success=1 ;; + repo-add) add $1 && success=1 ;; + repo-remove) remove $1 && success=1 ;; esac fi ;; esac + shift done # if at least one operation was a success, re-zip database -- 1.7.4.4

Allan McRae

1:26 p.m.

New subject: [pacman-dev] [PATCH 3/6] repo-add: check for valid key when signing is requested

Follow the example of makepkg Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/repo-add.sh.in | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 4f8ba2b..fade1e6 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -554,7 +554,17 @@ while [[ $# > 0 ]]; do -q|--quiet) QUIET=1;; -d|--delta) DELTA=1;; -f|--files) WITHFILES=1;; - -s|--sign) SIGN=1;; + -s|--sign) + SIGN=1 + if ! gpg --list-key ${GPGKEY} &>/dev/null; then + if [[ ! -z $GPGKEY ]]; then + error "$(gettext "The key ${GPGKEY} does not exist in your keyring.")" + else + error "$(gettext "There is no key in your keyring.")" + fi + exit 1 + fi + ;; -k|--key) shift GPGKEY="$1" -- 1.7.4.4

Allan McRae

1:26 p.m.

New subject: [pacman-dev] [PATCH 4/6] repo-add: check for gpg early

Check for the presence of gpg as soon as we know we need it. Signed-off-by: Allan McRae <allan@archlinux.org> --- scripts/repo-add.sh.in | 23 ++++++++++++++--------- 1 files changed, 14 insertions(+), 9 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index fade1e6..94f4e15 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -195,16 +195,19 @@ db_remove_delta() return 1 } # end db_remove_delta +check_gpg() { + if ! type -p gpg >/dev/null; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi +} + # sign the package database once repackaged create_signature() { (( ! SIGN )) && return local dbfile="$1" local ret=0 msg "$(gettext "Signing database...")" - if ! type -p gpg; then - error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" - exit 1 # $E_MISSING_PROGRAM - fi local SIGNWITHKEY="" if [[ -n $GPGKEY ]]; then @@ -225,10 +228,7 @@ verify_signature() { local dbfile="$1" local ret=0 msg "$(gettext "Verifying database signature...")" - if ! type -p gpg; then - error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" - exit 1 # $E_MISSING_PROGRAM - fi + if [[ ! -f $dbfile.sig ]]; then warning "$(gettext "No existing signature found, skipping verification.")" return @@ -555,6 +555,7 @@ while [[ $# > 0 ]]; do -d|--delta) DELTA=1;; -f|--files) WITHFILES=1;; -s|--sign) + check_gpg SIGN=1 if ! gpg --list-key ${GPGKEY} &>/dev/null; then if [[ ! -z $GPGKEY ]]; then @@ -566,6 +567,7 @@ while [[ $# > 0 ]]; do fi ;; -k|--key) + check_gpg shift GPGKEY="$1" if ! gpg --list-key ${GPGKEY} &>/dev/null; then @@ -573,7 +575,10 @@ while [[ $# > 0 ]]; do exit 1 fi ;; - -v|--verify) VERIFY=1;; + -v|--verify) + check_gpg + VERIFY=1 + ;; *) if [[ -z $REPO_DB_FILE ]]; then REPO_DB_FILE="$1" -- 1.7.4.4

Allan McRae

1:26 p.m.

New subject: [pacman-dev] [PATCH 5/6] repo-add: document -k option

Also unify the usage output with that given by repo-add itself. Signed-off-by: Allan McRae <allan@archlinux.org> --- doc/repo-add.8.txt | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/repo-add.8.txt b/doc/repo-add.8.txt index 24e2fe6..b1c24f5 100644 --- a/doc/repo-add.8.txt +++ b/doc/repo-add.8.txt @@ -10,9 +10,9 @@ repo-add - package database maintenance utility Synopsis -------- -'repo-add' [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> [<package|delta> ...] +'repo-add' [option(s)] <path-to-db> <package|delta> [<package|delta> ...] -'repo-remove' [-q] [-s] [-v] <path-to-db> <packagename|delta> [<packagename|delta> ...] +'repo-remove' [option(s)] <path-to-db> <packagename|delta> [<packagename|delta> ...] Description @@ -42,6 +42,11 @@ Common Options signature file, using the GPG agent if it is available. The signature file will be the entire filename of the database with a ``.sig'' extension. +*-k, \--key* <key>:: + Specify a key to use when signing packages. Can also be specified using + the GPGKEY environmental variable. If not specified in either location, the + default key from the keyring will be used. + *-v, \--verify*:: Verify the PGP signature of the database before updating the database. If the signature is invalid, an error is produced and the update does not -- 1.7.4.4

Dan McGee

5:47 p.m.

New subject: [pacman-dev] [PATCH 5/6] repo-add: document -k option

On Sun, Apr 24, 2011 at 6:26 AM, Allan McRae <allan@archlinux.org> wrote:

...

Also unify the usage output with that given by repo-add itself.

Signed-off-by: Allan McRae <allan@archlinux.org> --- doc/repo-add.8.txt | 9 +++++++-- 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/doc/repo-add.8.txt b/doc/repo-add.8.txt index 24e2fe6..b1c24f5 100644 --- a/doc/repo-add.8.txt +++ b/doc/repo-add.8.txt @@ -10,9 +10,9 @@ repo-add - package database maintenance utility

Synopsis -------- -'repo-add' [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> [<package|delta> ...] +'repo-add' [option(s)] <path-to-db> <package|delta> [<package|delta> ...]

-'repo-remove' [-q] [-s] [-v] <path-to-db> <packagename|delta> [<packagename|delta> ...] +'repo-remove' [option(s)] <path-to-db> <packagename|delta> [<packagename|delta> ...]

You'll see my comments in the final patch on master, but I changed this to 'options' rather than 'option(s)' to be consistent with everywhere else, as well as most other manpages. -Dan

Allan McRae

1:26 p.m.

New subject: [pacman-dev] [PATCH 6/6] repo-add: update copyright message

Signed-off-by: Allan McRae <allan@archlinux.org> --- @Dan: I assume you will be alright with this change as we have made similar changes elsewhere in the codebase. Should I leave Aaron on there as the original author? scripts/repo-add.sh.in | 6 ++---- 1 files changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 94f4e15..cf0887b 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -4,8 +4,7 @@ # repo-remove - remove a package entry from a given repo database file # @configure_input@ # -# Copyright (c) 2006-2008 Aaron Griffin <aaron@archlinux.org> -# Copyright (c) 2007-2008 Dan McGee <dan@archlinux.org> +# Copyright (c) 2006-2011 Pacman Development Team <pacman-dev@archlinux.org> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -98,8 +97,7 @@ version() { cmd="$(basename $0)" printf "%s (pacman) %s\n\n" "$cmd" "$myver" printf "$(gettext "\ -Copyright (C) 2006-2008 Aaron Griffin <aaron@archlinux.org>.\n\ -Copyright (c) 2007-2008 Dan McGee <dan@archlinux.org>.\n\n\ +Copyright (c) 2006-2011 Pacman Development Team <pacman-dev@archlinux.org>\n\n\ This is free software; see the source for copying conditions.\n\ There is NO WARRANTY, to the extent permitted by law.\n")" } -- 1.7.4.4

Dan McGee

5:46 p.m.

New subject: [pacman-dev] [PATCH 6/6] repo-add: update copyright message

On Sun, Apr 24, 2011 at 6:26 AM, Allan McRae <allan@archlinux.org> wrote:

...

Signed-off-by: Allan McRae <allan@archlinux.org> ---

@Dan: I assume you will be alright with this change as we have made similar changes elsewhere in the codebase. Should I leave Aaron on there as the original author?

I'm sure he's fine with this; I don't have a problem either. -Dan

4892

Age (days ago)

4892

Last active (days ago)

List overview

Download

8 comments

2 participants

participants (2)

Allan McRae
Dan McGee

[pacman-dev] [PATCH 0/6] repo-add: complete package signing work

tags

participants (2)