[pacman-dev] [PATCH 2/2] repo-add: add option to specify a different key to sign
Denis A. Altoé Falqueto
denisfalqueto at gmail.com
Fri Apr 1 20:37:48 EDT 2011
There may be some situations when one needs to specify
a different key from user's default. The option -k or
--signwithkey accepts a key identifier and uses that
in the signing command.
Signed-off-by: Denis A. Altoé Falqueto <denisfalqueto at gmail.com>
---
There was a different version of this patch sent some time ago.
For some reason, just the part for makepkg was merged. So, now
I'm sending a little better version for repo-add/remove.
scripts/repo-add.sh.in | 36 ++++++++++++++++++++++++++++--------
1 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
index cb545f3..7b9e85f 100644
--- a/scripts/repo-add.sh.in
+++ b/scripts/repo-add.sh.in
@@ -66,7 +66,8 @@ usage() {
cmd="$(basename $0)"
printf "%s (pacman) %s\n\n" "$cmd" "$myver"
if [[ $cmd == "repo-add" ]] ; then
- printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> ...\n")"
+ printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s [-k|--signwithkey key]]\n")"
+ printf "$(gettext " [-v] <path-to-db> <package|delta> ...\n")"
printf "$(gettext "\
repo-add will update a package database by reading a package file.\n\
Multiple packages to add can be specified on the command line.\n\n")"
@@ -74,16 +75,18 @@ Multiple packages to add can be specified on the command line.\n\n")"
printf "$(gettext " -d, --delta generate and add delta for package update\n")"
printf "$(gettext " -f, --files update database's file list\n")"
elif [[ $cmd == "repo-remove" ]] ; then
- printf "$(gettext "Usage: repo-remove [-q] [-s] [-v] <path-to-db> <packagename|delta> ...\n\n")"
+ printf "$(gettext "Usage: repo-remove [-q] [-s [-k|--signwithkey key]]\n")"
+ printf "$(gettext " [-v] <path-to-db> <packagename|delta> ...\n\n")"
printf "$(gettext "\
repo-remove will update a package database by removing the package name\n\
specified on the command line from the given repo database. Multiple\n\
packages to remove can be specified on the command line.\n\n")"
printf "$(gettext "Options:\n")"
fi
- printf "$(gettext " -q, --quiet minimize output\n")"
- printf "$(gettext " -s, --sign sign database with GnuPG after update\n")"
- printf "$(gettext " -v, --verify verify database's signature before update\n")"
+ printf "$(gettext " -q, --quiet minimize output\n")"
+ printf "$(gettext " -s, --sign sign database with GnuPG after update\n")"
+ printf "$(gettext " -k, --signwithkey <key> use the specified key to sign the repository\n")"
+ printf "$(gettext " -v, --verify verify database's signature before update\n")"
printf "$(gettext "\n\
See %s(8) for more details and descriptions of the available options.\n\n")" $cmd
if [[ $cmd == "repo-add" ]] ; then
@@ -204,7 +207,13 @@ create_signature() {
error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
exit 1 # $E_MISSING_PROGRAM
fi
- gpg --detach-sign --use-agent "$dbfile" || ret=$?
+
+ # Check if SIGNKEY is valid.
+ local SIGNWITHKEY=""
+ if [[ "${SIGNKEY}" ]]; then
+ SIGNWITHKEY="-u ${SIGNKEY}"
+ fi
+ gpg --detach-sign ${SIGNWITHKEY} "$dbfile" || ret=$?
if (( ! ret )); then
msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig"
else
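Review bot: The new gpg invocation on the last `+` line drops the `--use-agent` flag that the removed line passed, so signing now prompts for the passphrase on the terminal instead of going through gpg-agent; the commit message does not mention this, and it looks unintended. The `${SIGNWITHKEY}` expansion is deliberately left unquoted so that `-u <key>` splits into two words, which breaks for a key identifier containing spaces (gpg accepts user-id strings such as a name); an array carries the optional argument without relying on word-splitting. The comment `# Check if SIGNKEY is valid.` does not describe the code, which only decides whether to pass the key to gpg. create_signature starts before this hunk and its else branch continues after it.
```shell
  # Pass the key chosen with -k/--signwithkey only when one was given
  local -a signopts=()
  if [[ -n $SIGNKEY ]]; then
    signopts=(-u "$SIGNKEY")
  fi
  gpg --detach-sign --use-agent "${signopts[@]}" "$dbfile" || ret=$?
  # … unchanged: result check and messages …
```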
@@ -226,7 +235,7 @@ verify_signature() {
warning "$(gettext "No existing signature found, skipping verification.")"
return
fi
- gpg --verify "$dbfile.sig" || ret=$?
+ gpg --verify "$dbfile.sig" &>/dev/null || ret=$?
if (( ! ret )); then
msg2 "$(gettext "Database signature file verified.")"
else
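Review bot: `&>/dev/null` on the new `gpg --verify` line discards gpg's stderr as well as stdout, so when verification fails the user never learns why (bad signature, public key not in the keyring, expired key) and only sees the generic message in the else branch; the change is also unrelated to the key-selection feature the commit message describes. Capturing the output keeps the success path quiet while preserving the diagnostics: `local out` and `out=$(gpg --verify "$dbfile.sig" 2>&1) || ret=$?`, then `printf '%s\n' "$out" >&2` in the else branch. verify_signature's else branch continues past the hunk.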
@@ -542,12 +551,22 @@ trap 'trap_exit "$(gettext "An unknown error has occured. Exiting...")"' ERR
success=0
# parse arguments
-for arg in "$@"; do
+while [[ $# > 0 ]]; do
+ arg="$1"
case "$arg" in
-q|--quiet) QUIET=1;;
-d|--delta) DELTA=1;;
-f|--files) WITHFILES=1;;
-s|--sign) SIGN=1;;
+ -k|--signwithkey)
+ shift
+ SIGNKEY="$1"
+ # Check if key exists, to stop as early as possible
+ if ! gpg --list-key "${SIGNKEY}" &>/dev/null; then
+ error "$(gettext "The key ${SIGNKEY} doesnn't exist.")"
+ exit 1
+ fi
+ ;;
-v|--verify) VERIFY=1;;
*)
if [[ -z $REPO_DB_FILE ]]; then
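Review bot: The `-k|--signwithkey` arm shifts and reads `$1` without checking that an argument follows, so when `-k` is the last option SIGNKEY ends up empty: `gpg --list-key ""` lists the whole keyring and succeeds, the database is then silently signed with the default key, and the trailing `shift` added in the next hunk fails on an empty argument list and trips the ERR trap with the generic "unknown error" message. The error message also embeds `${SIGNKEY}` inside the gettext msgid, which prevents it from ever matching a translation and, if error() formats its first argument the way msg2 does, lets a `%` in the key be read as a format directive; the file's other messages keep the value as a separate argument (see `msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig"` in the create_signature hunk), and "doesnn't" is misspelt. Separately, `while [[ $# > 0 ]]` compares strings lexicographically inside `[[ ]]`; the arithmetic form `while (( $# > 0 )); do` says what is meant.
```shell
  -k|--signwithkey)
    if (( $# < 2 )); then
      error "$(gettext "Option %s requires a key identifier.")" "$arg"
      exit 1
    fi
    shift
    SIGNKEY="$1"
    # Fail early if the key is not in the keyring
    if ! gpg --list-key "${SIGNKEY}" &>/dev/null; then
      error "$(gettext "The key %s doesn't exist.")" "$SIGNKEY"
      exit 1
    fi
    ;;
  # … unchanged: remaining case arms …
```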
@@ -562,6 +581,7 @@ for arg in "$@"; do
fi
;;
esac
+ shift
done
# if at least one operation was a success, re-zip database
--
1.7.4.2