[arch-projects] [dbscripts][PATCH] Prepare to sign repo databases

Allan McRae allan at archlinux.org
Sat Nov 2 21:19:40 EDT 2013


Add a function to sign the repo databases.  Enabling signing requires setting
SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted
from signing package files.

Signed-off-by: Allan McRae <allan at archlinux.org>
---
 config         |  3 +++
 db-functions   | 17 ++++++++++++++++-
 db-move        |  6 ++++++
 db-remove      |  1 +
 db-repo-add    |  1 +
 db-repo-remove |  1 +
 db-update      |  1 +
 testing2x      |  2 ++
 8 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/config b/config
index d1413cc..2069565 100644
--- a/config
+++ b/config
@@ -20,6 +20,9 @@ SOURCE_CLEANUP_KEEP=14
 REQUIRE_SIGNATURE=true
 MASTER_KEYS=('6AC6A4C2' '824B18E8' '4C7EA887' 'FFF979E7' 'CDFD6BB0')
 
+SIGN_DB=false
+DB_KEY=''
+
 LOCK_DELAY=10
 LOCK_TIMEOUT=300
 
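Review bot: The two new settings carry no comment, and their relationship to the package-signature check is not obvious from the config alone; a short header would spare the next maintainer a trip into db-functions. I would add above `SIGN_DB=false` the lines `# Detach-sign each repo's .db and .files (see sign_db) with DB_KEY.` and `# DB_KEY must not also sign packages: check_signature rejects package files signed by it.`. Stating the expected key-ID form (the same short form MASTER_KEYS uses, since check_signature compares them the same way) would also help, as a full fingerprint here would never match pacman-key's "key ID" output.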
diff --git a/db-functions b/db-functions
index 26e6825..bbbee25 100644
--- a/db-functions
+++ b/db-functions
@@ -227,6 +227,21 @@ repo_unlock () { #repo_unlock <repo-name> <arch>
 	fi
 }
 
+# sign_db <repo-name> <arch>
+sign_db() {
+	local repo=$1
+	local arch=$2
+	local dbfile="${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT}"
+	local filesfile="${FTP_BASE}/${repo}/os/${arch}/${repo}${FILESEXT}"
+
+	if ! $SIGN_DB; the
+		return 0
+	fi
+
+	gpg --homedir=/etc/pacman.d/gnupg/ --default-key ${DB_KEY} --detach-sign ${dbfile}
+	gpg --homedir=/etc/pacman.d/gnupg/ --default-key ${DB_KEY} --detach-sign ${filesfile}
+}
+
 # usage: _grep_pkginfo pkgfile pattern
 _grep_pkginfo() {
 	local _ret
@@ -388,7 +403,7 @@ check_signature() {
 		return 1
 	fi
 
-	for k in ${MASTER_KEYS}; do
+	for k in ${MASTER_KEYS} ${DB_KEY}; do
 		if pacman-key -v "${pkgfile}.sig" 2>&1 | grep -q "key ID ${k}"
 			return 1
 		fi
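Review bot: `${MASTER_KEYS}` expands to only the first element of the array declared in config, so the loop on the new line still checks one master key plus DB_KEY rather than all of them; the change keeps that pre-existing bug. `for k in "${MASTER_KEYS[@]}" ${DB_KEY}; do` iterates every master key, and DB_KEY should stay unquoted here on purpose: with signing disabled it is empty, and a quoted empty `k` would turn the test into `grep -q "key ID "`, which matches every signature and rejects every package. Since the match is a substring against pacman-key's output, DB_KEY also has to be given in the same key-ID form as MASTER_KEYS. check_signature begins and ends outside this hunk.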
diff --git a/db-move b/db-move
index 1fa44d4..e51ce02 100755
--- a/db-move
+++ b/db-move
@@ -120,6 +120,12 @@ for tarch in ${ARCHES[@]}; do
 done
 
 for pkgarch in ${ARCHES[@]}; do
+	sign_db ${repo_from} ${pkgarch}
+	sign_db ${repo_to} ${pkgarch}
+done
+
+
+for pkgarch in ${ARCHES[@]}; do
 	repo_unlock ${repo_from} ${pkgarch}
 	repo_unlock ${repo_to} ${pkgarch}
 done
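Review bot: The new signing loop duplicates the unlock loop that follows it, separated by a double blank line; db-update and testing2x instead place `sign_db` on the line before `repo_unlock` inside the existing loop, and doing the same here would keep the files consistent. More importantly, every call site in this patch (here and in db-remove, db-repo-add, db-repo-remove, db-update, testing2x) discards sign_db's status, so when gpg fails the lock is still released and the repo is published with a missing or stale `.sig`. I would chain the call into whatever error path the scripts use for a failed arch_repo_add, e.g. `sign_db ${repo_from} ${pkgarch} || exit 1` and `sign_db ${repo_to} ${pkgarch} || exit 1`, ahead of the unlock.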
diff --git a/db-remove b/db-remove
index 25cb9a7..8de0b7f 100755
--- a/db-remove
+++ b/db-remove
@@ -48,5 +48,6 @@ done
 
 for tarch in ${tarches[@]}; do
 	arch_repo_remove "${repo}" "${tarch}" ${remove_pkgs[@]}
+	sign_db $repo $tarch
 	repo_unlock $repo $tarch
 done
diff --git a/db-repo-add b/db-repo-add
index 5d5b653..aa79b9f 100755
--- a/db-repo-add
+++ b/db-repo-add
@@ -37,5 +37,6 @@ for tarch in ${tarches[@]}; do
 		fi
 	done
 	arch_repo_add "${repo}" "${tarch}" ${pkgfiles[@]}
+	sign_db $repo $tarch
 	repo_unlock $repo $tarch
 done
diff --git a/db-repo-remove b/db-repo-remove
index 2a693f4..2f6ccb7 100755
--- a/db-repo-remove
+++ b/db-repo-remove
@@ -33,5 +33,6 @@ for tarch in ${tarches[@]}; do
 		msg "Removing $pkgname from [$repo]..."
 	done
 	arch_repo_remove "${repo}" "${tarch}" ${pkgnames[@]}
+	sign_db $repo $tarch
 	repo_unlock $repo $tarch
 done
diff --git a/db-update b/db-update
index 087a248..c82017c 100755
--- a/db-update
+++ b/db-update
@@ -91,6 +91,7 @@ done
 
 for repo in ${repos[@]}; do
 	for pkgarch in ${ARCHES[@]}; do
+		sign_db ${repo} ${pkgarch}
 		repo_unlock ${repo} ${pkgarch}
 	done
 done
diff --git a/testing2x b/testing2x
index 369857f..8ce5f2b 100755
--- a/testing2x
+++ b/testing2x
@@ -47,10 +47,12 @@ for pkgbase in $*; do
 done
 
 for pkgarch in ${ARCHES[@]}; do
+	sign_db ${TESTING_REPO} ${pkgarch}
 	repo_unlock ${TESTING_REPO} ${pkgarch}
 done
 for repo in  ${STABLE_REPOS[@]}; do
 	for pkgarch in ${ARCHES[@]}; do
+		sign_db ${repo} ${pkgarch}
 		repo_unlock ${repo} ${pkgarch}
 	done
 	if [ -n "${pkgs[${repo}]}" ]; then
-- 
1.8.4.2


