[pacman-dev] [PATCH 1/6] pacman-key: keyring management tool
Denis A. Altoé Falqueto
denisfalqueto at gmail.com
Wed Jul 7 13:43:17 EDT 2010
The script pacman-key will manage pacman's keyring. It imports, exports,
fetches from keyservers, helps in the process of trusting and updates
the trust database.
Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto at gmail.com>
---
scripts/.gitignore | 1 +
scripts/Makefile.am | 3 +
scripts/pacman-key.sh.in | 278 ++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 282 insertions(+), 0 deletions(-)
create mode 100644 scripts/pacman-key.sh.in
diff --git a/scripts/.gitignore b/scripts/.gitignore
index eafc493..1c662de 100644
--- a/scripts/.gitignore
+++ b/scripts/.gitignore
@@ -4,3 +4,4 @@ rankmirrors
repo-add
repo-remove
pkgdelta
+pacman-key
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index 330acb9..d4f96de 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -7,6 +7,7 @@ bin_SCRIPTS = \
OURSCRIPTS = \
makepkg \
+ pacman-key \
pacman-optimize \
pkgdelta \
rankmirrors \
@@ -14,6 +15,7 @@ OURSCRIPTS = \
EXTRA_DIST = \
makepkg.sh.in \
+ pacman-key.sh.in \
pacman-optimize.sh.in \
pkgdelta.sh.in \
rankmirrors.sh.in \
@@ -60,6 +62,7 @@ $(OURSCRIPTS): Makefile
@mv $@.tmp $@
makepkg: $(srcdir)/makepkg.sh.in
+pacman-key: ${srcdir}/pacman-key.sh.in
pacman-optimize: $(srcdir)/pacman-optimize.sh.in
pkgdelta: $(srcdir)/pkgdelta.sh.in
rankmirrors: $(srcdir)/rankmirrors.sh.in
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
new file mode 100644
index 0000000..55ca163
--- /dev/null
+++ b/scripts/pacman-key.sh.in
@@ -0,0 +1,278 @@
+#!/bin/bash -e
+#
+# pacman-key - manages pacman's keyring
+# @configure_input@
+#
+# Copyright (c) 2010 - Denis A. Altoé Falqueto <denisfalqueto at gmail.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# gettext initialization
+export TEXTDOMAIN='pacman'
+export TEXTDOMAINDIR='@localedir@'
+
+# Based on apt-key, from Debian
+# Author: Denis A. Altoé Falqueto <denisfalqueto at gmail dot com>
+
+PACMAN_KEY_VERSION="@PACKAGE_VERSION@"
+
+# According to apt-key, gpg doesn't like to be called without a secret keyring.
+# We will not really need one, because pacman will not sign packages,
just verify
+# their integrities.
+PACMAN_KEYRING_DIR="/etc/pacman.d/gnupg"
+PACMAN_SECRET="secret.gpg"
+PACMAN_TRUSTDB="trustdb.gpg"
+PACMAN_KEYRING="pacman.gpg"
+PACMAN_SHARE_DIR="/usr/share/pacman"
+
+# Default parameters for the command gpg. Some more will be added when needed
+GPG_PROGRAM="gpg2"
+GPG="${GPG_PROGRAM} --ignore-time-conflict --no-options --no-default-keyring"
+GPG_PACMAN="${GPG} --homedir ${PACMAN_KEYRING_DIR} --secret-keyring
${PACMAN_KEYRING_DIR}/${PACMAN_SECRET} \
+ --trustdb-name ${PACMAN_KEYRING_DIR}/${PACMAN_TRUSTDB} --keyring
${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING} \
+ --primary-keyring ${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING}"
+SIG_EXT=".sig"
+
+# Read-only keyring with keys to be added to the keyring
+ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
+
+# Read-only keyring with keys removed from the keyring. They need to
be removed before
+# the keys from the added keyring be really imported
+REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys.gpg"
+
+usage() {
+ echo "pacman-key - Pacman's keyring management utility"
+ echo "Usage: $(basename $0) command [arguments]"
+ echo
+ echo "Manage pacman's list of trusted keys"
+ echo
+ echo " pacman-key add <file> ... - add the key
contained in <file> ('-' for stdin)"
+ echo " pacman-key del <keyid> ... - remove the
key <keyid>"
+ echo " pacman-key export <keyid> ... - output the
key <keyid>"
+ echo " pacman-key exportall - output all
trusted keys"
+ echo " pacman-key receive <keyserver> <keyid> ... - fetch the
keyids from the specified keyserver URL"
+ echo " pacman-key trust <keyid> ... - set the
truslevel of the given key"
+ echo " pacman-key updatedb - update the
trustdb of pacman"
+ echo " pacman-key reload - reloads the
keys from the keyring package"
+ echo " pacman-key list - list keys"
+ echo " pacman-key finger <keyid> ... - list fingerprints"
+ echo " pacman-key adv <params> - pass
advanced options to gpg"
+ echo " pacman-key help - displays this message"
+ echo " pacman-key version - displays the
current version"
+ echo
+ echo "If no specific keyring file is given the command applies to
the default keyring."
+}
+
+prepare_homedir() {
+ if [[ ! -d ${PACMAN_KEYRING_DIR} ]] ; then
+ mkdir -p "${PACMAN_KEYRING_DIR}"
+ [[ ! -f "${PACMAN_KEYRING_DIR}/${PACMAN_SECRET}" ]] && touch
"${PACMAN_KEYRING_DIR}/${PACMAN_SECRET}"
+ [[ ! -f "${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING}" ]] && touch
"${PACMAN_KEYRING_DIR}/${PACMAN_KEYRING}"
+ chmod 700 "${PACMAN_KEYRING_DIR}"
+ chmod 600 "${PACMAN_KEYRING_DIR}"/*
+ fi
+}
+
+add_key() {
+ ${GPG_PACMAN} --quiet --batch --import "$1"
+}
+
+remove_key() {
+ ${GPG_PACMAN} --quiet --batch --delete-key --yes "$1"
+}
+
+update_trustdb() {
+ ${GPG_PACMAN} --batch --check-trustdb
+}
+
+list_sigs() {
+ ${GPG_PACMAN} --batch --list-sigs
+}
+
+list_fingerprints() {
+ ${GPG_PACMAN} --batch --fingerprint $*
+}
+
+export_key() {
+ ${GPG_PACMAN} --armor --export "$1"
+}
+
+export_all() {
+ ${GPG_PACMAN} --armor --export
+}
+
+trust_key() {
+ # Verify if the key exists in pacman's keyring
+ if ${GPG_PACMAN} --list-key "$1" > /dev/null 2>&1 ; then
+ ${GPG_PACMAN} --fingerprint "$1"
+ ${GPG_PACMAN} --edit-key "$1"
+ else
+ echo "The key identified by $1 doesn't exist"
+ exit 1
+ fi
+}
+
+reload_keyring() {
+ # Verify the signature of removed keys file
+ if [[ -f ${REMOVED_KEYS} ]] && ! ${GPG_PACMAN} --quiet --verify
${REMOVED_KEYS}${SIG_EXT} ; then
+ echo "The signature of file ${REMOVED_KEYS} is not valid."
+ exit 1
+ fi
+
+ # Verify the signature of the added keys file
+ if [[ -f ${ADDED_KEYS} ]] && ! ${GPG_PACMAN} --quiet --verify
${ADDED_KEYS}${SIG_EXT} ; then
+ echo "The signature of file ${ADDED_KEYS} is not valid."
+ exit 1
+ fi
+
+ # Remove the keys from REMOVED_KEYS keyring
+ [[ -r ${REMOVED_KEYS} ]] && cat "${REMOVED_KEYS}" | while read key ; do
+ ${GPG_PACMAN} --quiet --batch --yes --delete-keys ${key}
+ done
+
+ # Add keys from the current set of keys from pacman-keyring
package. The web of trust will
+ # be updated automatically.
+ if [[ -r ${ADDED_KEYS} ]] ; then
+ add_keys=$(${GPG} --keyring ${ADDED_KEYS} --with-colons --list-keys
| grep ^pub | cut -d: -f5)
+ for add_key in $add_keys; do
+ echo "Chave $add_key"
+ ${GPG} --quiet --batch --keyring $ADDED_KEYS --export $add_key |
${GPG_PACMAN} --import
+ ADDED=1
+ done
+ fi
+
+ # Update trustdb, just to be sure
+ update_trustdb
+}
+
+receive() {
+ keyserver="$1"
+ shift
+ ${GPG_PACMAN} --keyserver ${keyserver} $*
+}
+
+# PROGRAM START
+
+if ! type gettext &>/dev/null; then
+ gettext() {
+ echo "$@"
+ }
+fi
+
+command="$1"
+if [[ -z "$command" ]]; then
+ usage
+ exit 1
+fi
+shift
+
+if [[ "$command" != "version" && "$command" != "help" ]] && ! which
"${GPG_PROGRAM}" >/dev/null 2>&1; then
+ echo >&2 "Warning: gnupg does not seem to be installed."
+ echo >&2 "Warning: pacman-key requires gnupg for most operations."
+ echo >&2
+fi
+
+prepare_homedir
+
+case "$command" in
+ add)
+ if (( $# == 0 )) ; then
+ echo "You need to specify at least one key identifier"
+ usage
+ exit 1
+ fi
+ while (( $# > 0 )) ; do
+ add_key $1
+ shift
+ done
+ ;;
+ del|rm|remove)
+ if (( $# == 0 )) ; then
+ echo "You need to specify at least one key identifier"
+ usage
+ exit 1
+ fi
+ while (( $# > 0 )) ; do
+ remove_key $1
+ shift
+ done
+ ;;
+ updatedb)
+ update_trustdb
+ ;;
+ reload)
+ reload_keyring
+ ;;
+ list)
+ list_sigs
+ ;;
+ finger*)
+ if (( $# == 0 )) ; then
+ echo "You need to specify at least one key identifier"
+ usage
+ exit 1
+ fi
+ list_fingerprints $*
+ ;;
+ export)
+ if (( $# == 0 )) ; then
+ echo "You need to specify at least one key identifier"
+ usage
+ exit 1
+ fi
+ while (( $# > 0 )) ; do
+ export_key $1
+ shift
+ done
+ ;;
+ exportall)
+ export_all
+ ;;
+ receive)
+ if (( $# < 2 )) ; then
+ echo "You need to specify the keyserver and at least one
key identifier"
+ usage
+ exit 1
+ fi
+ receive $*
+ ;;
+ trust)
+ if (( $# == 0 )) ; then
+ echo "You need to specify at least one key identifier"
+ usage
+ exit 1
+ fi
+ while (( $# > 0 )) ; do
+ trust_key $1
+ shift
+ done
+ ;;
+ adv*)
+ echo "Executing: ${GPG_PACMAN} $*"
+ ${GPG_PACMAN} $* || ret=$?
+ exit $ret
+ ;;
+ --help)
+ usage
+ ;;
+ --version)
+ echo "pacman-key v${PACMAN_KEY_VERSION}"
+ echo " This program can be freely distributed under the GPL v2"
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+esac
--
1.7.1
More information about the pacman-dev
mailing list