[pacman-dev] [PATCH] GPG signature support for makepkg:
From: Geoffroy Carrier <geoffroy.carrier@koon.fr> --- This should be the last version I submit here. I should start including support in pacman soon. It will rely directly on the gpg binary, and should work a lot like git. It has a very nice embedded "lib" to launch processes. I might embed parts of it in my pacman branch, as it's generic and seems very well-written. doc/makepkg.conf.5.txt | 3 +++ etc/makepkg.conf.in | 5 +++-- scripts/makepkg.sh.in | 21 +++++++++++++++++++++ 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/doc/makepkg.conf.5.txt b/doc/makepkg.conf.5.txt index 113ad14..b6f4385 100644 --- a/doc/makepkg.conf.5.txt +++ b/doc/makepkg.conf.5.txt @@ -92,6 +92,9 @@ Options previous package must be available in the makepkg cache directory for this to occur. + *sign*;; + Generate a PGP signature file using GnuPG. + **DISTCC_HOSTS=**"host1 ...":: If using DistCC, this is used to specify a space-delimited list of hosts running in the DistCC cluster. In addition, you will want to modify your diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in index 47ed0a4..7d1fbb8 100644 --- a/etc/makepkg.conf.in +++ b/etc/makepkg.conf.in @@ -38,7 +38,7 @@ CXXFLAGS="@CARCHFLAGS@-mtune=generic -O2 -pipe" # BUILD ENVIRONMENT ######################################################################### # -# Defaults: BUILDENV=(fakeroot !distcc color !ccache !xdelta) +# Defaults: BUILDENV=(fakeroot !distcc color !ccache !xdelta !sign) # A negated environment option will do the opposite of the comments below. # #-- fakeroot: Allow building packages as a non-root user 
@@ -46,8 +46,9 @@ CXXFLAGS="@CARCHFLAGS@-mtune=generic -O2 -pipe" #-- color: Colorize output messages #-- ccache: Use ccache to cache compilation #-- xdelta: Generate delta patch from previous to current package +#-- sign: Generate PGP signature file # -BUILDENV=(fakeroot !distcc color !ccache !xdelta) +BUILDENV=(fakeroot !distcc color !ccache !xdelta !sign) # #-- If using DistCC, your MAKEFLAGS will also need modification. In addition, #-- specify a space-delimited list of hosts running in the DistCC cluster. diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 6e2f1ad..c4d8c2e 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -855,6 +855,25 @@ create_package() { fi } +create_signature() { + if [ "$(check_buildenv sign)" != "y" ]; then + return + fi + local ret = 0 + local filename = "$PKGDEST/${pkgname}-${pkgver}-${pkgrel}-${CARCH}${PKGEXT}" + msg "$(gettext "Signing package...")" + if [ ! $(type -p "gpg") ]; then + error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" + exit 1 # $E_MISSING_PROGRAM + fi + gpg --detach-sign $filename || ret = $? + if [ $ret -eq 0 ]; then + msg2 "$(gettext "Created signature file %s.")" $filename.sig + else + warning "$(gettext "Failed to sign package file.")" + fi +} + create_xdelta() { if [ "$(check_buildenv xdelta)" != "y" ]; then return @@ -1494,6 +1513,8 @@ fi msg "$(gettext "Finished making: %s")" "$pkgname $pkgver-$pkgrel $CARCH ($(date))" +create_signature + install_package exit 0 #E_OK -- 1.5.5.3
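Review bot: In the create_signature() hunk of scripts/makepkg.sh.in, the assignments `local ret = 0`, `local filename = "$PKGDEST/..."` and `|| ret = $?` have spaces around `=`, so nothing is assigned: `local` receives `=` as a variable name and `ret = $?` tries to run a command called `ret`. As written, `$filename` is empty and `[ $ret -eq 0 ]` tests an unset value. Drop the spaces (`local ret=0`, `|| ret=$?`), and quote `"$filename"` in both the gpg call and the msg2 argument, since $PKGDEST can contain spaces. The `[ ! $(type -p "gpg") ]` test is also unquoted; `if ! type -p gpg >/dev/null; then` avoids word splitting on the path.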
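Review bot: At the call site added before install_package in the last hunk of scripts/makepkg.sh.in, the result of create_signature is ignored, and inside the function a gpg failure only calls `warning`. With `sign` enabled, the run still proceeds to install_package and `exit 0 #E_OK` with an unsigned package. If the option is meant as a guarantee, return the gpg status from create_signature and stop here on failure; if it is best effort, the makepkg.conf(5) entry should say so.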
From: Geoffroy Carrier <geoffroy.carrier@koon.fr> --- Here comes the repo-add work. Pretty simple, as you see. It is pretty straight-forward. The main idea is to use base64, as it can't interfere with the 'desc' fileformat and won't produce too big lines (as signatures are less than 100 bytes, it produces less than 150 characters...). Plus it's in coreutils. I don't know much about *BSD and Mac OS X. scripts/repo-add.sh.in | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index e90f0e8..f35d9b9 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -204,6 +204,9 @@ db_write_entry() msg2 "$(gettext "Computing md5 checksums...")" echo -e "%MD5SUM%\n$(md5sum "$pkgfile" | cut -d ' ' -f 1)\n" >>desc + # add base64'd gpg signature + [ -f "$pkgfile.sig" ] && echo -e "%GPGSIG%\n$(base64 -w 0 "$pkgfile.sig")\n" >>desc + [ -n "$url" ] && echo -e "%URL%\n$url\n" >>desc write_list_entry "LICENSE" "$_licenses" "desc" [ -n "$arch" ] && echo -e "%ARCH%\n$arch\n" >>desc -- 1.5.5.3
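Review bot: In the db_write_entry hunk of scripts/repo-add.sh.in, the added line depends on `base64 -w 0`, and `-w` is the GNU coreutils option for line wrapping, so it is the one part of this change tied to the *BSD and Mac OS X question raised in the cover note. `base64 < "$pkgfile.sig" | tr -d '\n'` yields the same single line without that flag. The `[ -f "$pkgfile.sig" ]` test also records whatever .sig file happens to sit next to the package, so a stale signature from an earlier build would be written to desc unnoticed; running `gpg --verify "$pkgfile.sig" "$pkgfile"` before writing the field would catch that.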
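The encoding argument in the message above, shown as an added example that is not part of the patch or of pacman: a signature stored as base64 cannot introduce new `%FIELD%` blocks or blank lines into desc, and decodes back to the same bytes. Helper names, file names and the sample bytes are constructed. The reader assumes a blank line ends a field block, as the `echo -e` lines in the hunk imply, and that `base64 -d` is available.

```shell
#!/bin/sh
# Added example: round-trip a detached signature through a 'desc' entry.
# All names here are hypothetical; they are not repo-add's own functions.

# Append a %GPGSIG% field. Joining lines with tr avoids the GNU-only `-w 0`.
write_gpgsig() {   # $1 = signature file, $2 = desc file
    printf '%%GPGSIG%%\n%s\n\n' "$(base64 < "$1" | tr -d '\n')" >> "$2"
}

# Print the value line(s) of one %FIELD% block; a block ends at a blank line.
read_field() {     # $1 = field name, $2 = desc file
    awk -v want="%$1%" '
        $0 == want         { inside = 1; next }
        inside && $0 == "" { exit }
        inside             { print }
    ' "$2"
}

# Decode the stored field and compare it byte for byte with the .sig file.
roundtrip_ok() {   # $1 = signature file, $2 = desc file
    read_field GPGSIG "$2" | base64 -d | cmp -s - "$1"
}

# Build a constructed desc entry in directory $1.
make_sample() {
    # Constructed stand-in for a signature: binary bytes containing newlines
    # and a fake %MD5SUM% block, which would corrupt desc if written raw.
    printf '\211\001\n%%MD5SUM%%\nbogus\n\n\000\377' > "$1/pkg.sig"
    printf '%%MD5SUM%%\n%s\n\n' d41d8cd98f00b204e9800998ecf8427e > "$1/desc"
    write_gpgsig "$1/pkg.sig" "$1/desc"
    printf '%%URL%%\n%s\n\n' http://example.org/ >> "$1/desc"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if roundtrip_ok "$demo_dir/pkg.sig" "$demo_dir/desc"; then
    echo "signature survived the desc round trip"
fi
rm -rf "$demo_dir"
```
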
On Mon, Jun 2, 2008 at 3:27 AM, <geoffroy.carrier@koon.fr> wrote:
From: Geoffroy Carrier <geoffroy.carrier@koon.fr>
--- This should be the last version I submit here.
Usually you jinx yourself when you say something like this, and you forgot any sort of commit message above. I've fixed this locally so we don't constantly submit back and forth, but please check this ahead of time next time. You also didn't include a signoff on your two patches, which is as easy as being willing to signoff on your work and specifying the -s flag to git-commit. I've added a signoff for you locally as well.
I should start including support in pacman soon. It will rely directly on the gpg binary, and should work a lot like git. It has a very nice embedded "lib" to launch processes. I might embed parts of it in my pacman branch, as it's generic and seems very well-written. doc/makepkg.conf.5.txt | 3 +++ etc/makepkg.conf.in | 5 +++-- scripts/makepkg.sh.in | 21 +++++++++++++++++++++ 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/doc/makepkg.conf.5.txt b/doc/makepkg.conf.5.txt index 113ad14..b6f4385 100644 --- a/doc/makepkg.conf.5.txt +++ b/doc/makepkg.conf.5.txt @@ -92,6 +92,9 @@ Options
You forgot to add !sign to the example BUILDENV array here, but I've done that locally so no need to resubmit.
previous package must be available in the makepkg cache directory for this to occur.
+ *sign*;; + Generate a PGP signature file using GnuPG. + **DISTCC_HOSTS=**"host1 ...":: If using DistCC, this is used to specify a space-delimited list of hosts running in the DistCC cluster. In addition, you will want to modify your
Other than that the patch looks fine, I've started putting these changes in a local branch that will end up in master soon enough. Looking forward to seeing perfect PGP support in pacman/libalpm! -Dan
On Monday, 2 June 2008 13:45:09, Dan McGee wrote:
Other than that the patch looks fine, I've started putting these changes in a local branch that will end up in master soon enough. Looking forward to seeing perfect PGP support in pacman/libalpm!
Is there any progress about this "behind the scenes"? -- http://www.archlinux.de
On Tue, Jul 15, 2008 at 5:41 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
On Monday, 2 June 2008 13:45:09, Dan McGee wrote:
Other than that the patch looks fine, I've started putting these changes in a local branch that will end up in master soon enough. Looking forward to seeing perfect PGP support in pacman/libalpm!
Is there any progress about this "behind the scenes"?
http://code.toofishes.net/gitweb.cgi?p=pacman.git;a=shortlog;h=refs/heads/gp... Nope. We're going to try and get a 3.2 release out first before I think about this, although I believe I'm still waiting on a patch resubmit... I guess we once again have zero developers with interest on this? I'm interested but don't have the time/motivation to do it all myself. -Dan
On Tue, Jul 15, 2008 at 12:49, Dan McGee <dpmcgee@gmail.com> wrote:
I guess we once again have zero developers with interest on this? I'm interested but don't have the time/motivation to do it all myself.
I will work on finishing this. I have been pretty busy with politics lately, so I had no time for Archlinux except for my TU (low) activity. Plus git was and still is often painful; however, things are getting better thanks to this screencast: http://excess.org/article/2008/07/ogre-git-tutorial/ BRB within this summer! -- Geoffroy Carrier
participants (4)
- Dan McGee
- Geoffroy Carrier
- geoffroy.carrier@koon.fr
- Pierre Schmitz