[pacman-dev] [PATCH 1/6] pacman-key: keyring management tool

Denis A. Altoé Falqueto denisfalqueto at gmail.com
Wed Jul 7 13:43:17 EDT 2010


The script pacman-key will manage pacman's keyring. It imports, exports,
fetches from keyservers, helps in the process of trusting and updates
the trust database.

Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto at gmail.com>
---
 scripts/.gitignore       |    1 +
 scripts/Makefile.am      |    3 +
 scripts/pacman-key.sh.in |  278 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 282 insertions(+), 0 deletions(-)
 create mode 100644 scripts/pacman-key.sh.in

diff --git a/scripts/.gitignore b/scripts/.gitignore
index eafc493..1c662de 100644
--- a/scripts/.gitignore
+++ b/scripts/.gitignore
@@ -4,3 +4,4 @@ rankmirrors
 repo-add
 repo-remove
 pkgdelta
+pacman-key
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 330acb9..d4f96de 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -7,6 +7,7 @@ bin_SCRIPTS = \

 OURSCRIPTS = \
 	makepkg \
+	pacman-key \
 	pacman-optimize \
 	pkgdelta \
 	rankmirrors \
@@ -14,6 +15,7 @@ OURSCRIPTS = \

 EXTRA_DIST = \
 	makepkg.sh.in \
+	pacman-key.sh.in \
 	pacman-optimize.sh.in \
 	pkgdelta.sh.in \
 	rankmirrors.sh.in \
@@ -60,6 +62,7 @@ $(OURSCRIPTS): Makefile
 	@mv $@.tmp $@

 makepkg: $(srcdir)/makepkg.sh.in
+pacman-key: ${srcdir}/pacman-key.sh.in
 pacman-optimize: $(srcdir)/pacman-optimize.sh.in
 pkgdelta: $(srcdir)/pkgdelta.sh.in
 rankmirrors: $(srcdir)/rankmirrors.sh.in
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
new file mode 100644
index 0000000..55ca163
--- /dev/null
+++ b/scripts/pacman-key.sh.in
@@ -0,0 +1,278 @@
+#!/bin/bash -e
+#
+#   pacman-key - manages pacman's keyring
+#   @configure_input@
+#
+#   Copyright (c) 2010 - Denis A. Altoé Falqueto <denisfalqueto at gmail.com>
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# gettext initialization
+export TEXTDOMAIN='pacman'
+export TEXTDOMAINDIR='@localedir@'
+
+# Based on apt-key, from Debian
+# Author: Denis A. Altoé Falqueto <denisfalqueto at gmail dot com>
+
+PACMAN_KEY_VERSION="@PACKAGE_VERSION@"
+
+# According to apt-key, gpg doesn't like to be called without a secret keyring.
+# We will not really need one, because pacman will not sign packages,
just verify
+# their integrities.
+PACMAN_KEYRING_DIR="/etc/pacman.d/gnupg"
+PACMAN_SECRET="secret.gpg"
+PACMAN_TRUSTDB="trustdb.gpg"
+PACMAN_KEYRING="pacman.gpg"
+PACMAN_SHARE_DIR="/usr/share/pacman"
+
+# Default parameters for the command gpg. Some more will be added when needed
+GPG_PROGRAM="gpg2"
+GPG="${GPG_PROGRAM} --ignore-time-conflict --no-options --no-default-keyring"
+GPG_PACMAN="${GPG} --homedir ${PACMAN_KEYRING_DIR} --secret-keyring
${PACMAN_KEYRING_DIR}/${PACMAN_SECRET} \
+    --trustdb-name ${PACMAN_KEYRING_DIR}/${PACMAN_TRUSTDB} --keyring
${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING} \
+    --primary-keyring ${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING}"
+SIG_EXT=".sig"
+
+# Read-only keyring with keys to be added to the keyring
+ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
+
+# Read-only keyring with keys removed from the keyring. They need to
be removed before
+# the keys from the added keyring be really imported
+REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys.gpg"
+
+usage() {
+    echo "pacman-key - Pacman's keyring management utility"
+    echo "Usage: $(basename $0) command [arguments]"
+    echo
+    echo "Manage pacman's list of trusted keys"
+    echo
+    echo "  pacman-key add <file> ...                  - add the key
contained in <file> ('-' for stdin)"
+    echo "  pacman-key del <keyid> ...                 - remove the
key <keyid>"
+    echo "  pacman-key export <keyid> ...              - output the
key <keyid>"
+    echo "  pacman-key exportall                       - output all
trusted keys"
+    echo "  pacman-key receive <keyserver> <keyid> ... - fetch the
keyids from the specified keyserver URL"
+    echo "  pacman-key trust <keyid> ...               - set the
truslevel of the given key"
+    echo "  pacman-key updatedb                        - update the
trustdb of pacman"
+    echo "  pacman-key reload                          - reloads the
keys from the keyring package"
+    echo "  pacman-key list                            - list keys"
+    echo "  pacman-key finger <keyid> ...              - list fingerprints"
+    echo "  pacman-key adv <params>                    - pass
advanced options to gpg"
+    echo "  pacman-key help                            - displays this message"
+    echo "  pacman-key version                         - displays the
current version"
+    echo
+    echo "If no specific keyring file is given the command applies to
the default keyring."
+}
+
+prepare_homedir() {
+    if [[ ! -d ${PACMAN_KEYRING_DIR} ]] ; then
+        mkdir -p "${PACMAN_KEYRING_DIR}"
+        [[ ! -f "${PACMAN_KEYRING_DIR}/${PACMAN_SECRET}" ]] && touch
"${PACMAN_KEYRING_DIR}/${PACMAN_SECRET}"
+        [[ ! -f "${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING}" ]] && touch
"${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING}"
+        chmod 700 "${PACMAN_KEYRING_DIR}"
+        chmod 600 "${PACMAN_KEYRING_DIR}"/*
+    fi
+}
+
+add_key() {
+    ${GPG_PACMAN} --quiet --batch --import "$1"
+}
+
+remove_key() {
+    ${GPG_PACMAN} --quiet --batch --delete-key --yes "$1"
+}
+
+update_trustdb() {
+    ${GPG_PACMAN} --batch --check-trustdb
+}
+
+list_sigs() {
+    ${GPG_PACMAN} --batch --list-sigs
+}
+
+list_fingerprints() {
+    ${GPG_PACMAN} --batch --fingerprint $*
+}
+
+export_key() {
+    ${GPG_PACMAN} --armor --export "$1"
+}
+
+export_all() {
+    ${GPG_PACMAN} --armor --export
+}
+
+trust_key() {
+    # Verify if the key exists in pacman's keyring
+    if ${GPG_PACMAN} --list-key "$1" > /dev/null 2>&1 ; then
+      ${GPG_PACMAN} --fingerprint "$1"
+      ${GPG_PACMAN} --edit-key "$1"
+    else
+      echo "The key identified by $1 doesn't exist"
+      exit 1
+    fi
+}
+
+reload_keyring() {
+    # Verify the signature of removed keys file
+    if [[ -f ${REMOVED_KEYS} ]] && ! ${GPG_PACMAN} --quiet --verify
${REMOVED_KEYS}${SIG_EXT} ; then
+        echo "The signature of file ${REMOVED_KEYS} is not valid."
+        exit 1
+    fi
+
+    # Verify the signature of the added keys file
+    if [[ -f ${ADDED_KEYS} ]] && ! ${GPG_PACMAN} --quiet --verify
${ADDED_KEYS}${SIG_EXT} ; then
+        echo "The signature of file ${ADDED_KEYS} is not valid."
+        exit 1
+    fi
+
+    # Remove the keys from REMOVED_KEYS keyring
+    [[ -r ${REMOVED_KEYS} ]] && cat "${REMOVED_KEYS}" | while read key ; do
+        ${GPG_PACMAN} --quiet --batch --yes --delete-keys ${key}
+    done
+
+    # Add keys from the current set of keys from pacman-keyring
package. The web of trust will
+    # be updated automatically.
+    if [[ -r ${ADDED_KEYS} ]] ; then
+	add_keys=$(${GPG} --keyring ${ADDED_KEYS} --with-colons --list-keys
| grep ^pub | cut -d: -f5)
+	for add_key in $add_keys; do
+            echo "Chave $add_key"
+	    ${GPG} --quiet --batch --keyring $ADDED_KEYS --export $add_key |
${GPG_PACMAN} --import
+	    ADDED=1
+	done
+    fi
+
+    # Update trustdb, just to be sure
+    update_trustdb
+}
+
+receive() {
+    keyserver="$1"
+    shift
+    ${GPG_PACMAN} --keyserver ${keyserver} $*
+}
+
+# PROGRAM START
+
+if ! type gettext &>/dev/null; then
+	gettext() {
+		echo "$@"
+	}
+fi
+
+command="$1"
+if [[ -z "$command" ]]; then
+    usage
+    exit 1
+fi
+shift
+
+if [[ "$command" != "version" && "$command" != "help" ]] && ! which
"${GPG_PROGRAM}" >/dev/null 2>&1; then
+    echo >&2 "Warning: gnupg does not seem to be installed."
+    echo >&2 "Warning: pacman-key requires gnupg for most operations."
+    echo >&2
+fi
+
+prepare_homedir
+
+case "$command" in
+    add)
+        if (( $# == 0 )) ; then
+            echo "You need to specify at least one key identifier"
+            usage
+            exit 1
+        fi
+        while (( $# > 0 )) ; do
+          add_key $1
+          shift
+        done
+        ;;
+    del|rm|remove)
+        if (( $# == 0 )) ; then
+            echo "You need to specify at least one key identifier"
+            usage
+            exit 1
+        fi
+        while (( $# > 0 )) ; do
+            remove_key $1
+            shift
+        done
+        ;;
+    updatedb)
+        update_trustdb
+	;;
+    reload)
+        reload_keyring
+        ;;
+    list)
+        list_sigs
+        ;;
+    finger*)
+        if (( $# == 0 )) ; then
+            echo "You need to specify at least one key identifier"
+            usage
+            exit 1
+        fi
+        list_fingerprints $*
+        ;;
+    export)
+        if (( $# == 0 )) ; then
+            echo "You need to specify at least one key identifier"
+            usage
+            exit 1
+        fi
+        while (( $# > 0 )) ; do
+            export_key $1
+            shift
+        done
+        ;;
+    exportall)
+        export_all
+        ;;
+    receive)
+        if (( $# < 2 )) ; then
+            echo "You need to specify the keyserver and at least one
key identifier"
+            usage
+            exit 1
+        fi
+        receive $*
+        ;;
+    trust)
+        if (( $# == 0 )) ; then
+            echo "You need to specify at least one key identifier"
+            usage
+            exit 1
+        fi
+        while (( $# > 0 )) ; do
+            trust_key $1
+            shift
+        done
+        ;;
+    adv*)
+        echo "Executing: ${GPG_PACMAN} $*"
+        ${GPG_PACMAN} $* || ret=$?
+	exit $ret
+        ;;
+    --help)
+        usage
+        ;;
+    --version)
+        echo "pacman-key v${PACMAN_KEY_VERSION}"
+        echo " This program can be freely distributed under the GPL v2"
+        ;;
+    *)
+        usage
+        exit 1
+        ;;
+esac
-- 
1.7.1


More information about the pacman-dev mailing list