[pacman-dev] [PATCH 2/3] makepkg: command line options for signing packages

Allan McRae allan at archlinux.org
Sat Feb 19 09:51:22 EST 2011


On 19/02/11 11:30, Denis A. Altoé Falqueto wrote:
> Two new command line options were added:
>
> -n, --sign: forces the generation of a signature for
> the resulting package, even if not configured in makepkg.conf.
> The command line has precedence over the option in
> makepkg.conf. So, even if makepkg.conf has !sign in
> BUILDENV, passing --sign to makepkg will make it
> sign the package.

I think we should have a --nosign option which would negate 'sign' in 
makepkg.conf.  See the --check/--nocheck pair to see how that is achieved.

> --signwithkey<key>: there is a possibility of another key
> being used, instead of the user's default. For example,
> pacman-keyring package could be signed by a master key,
> because it needs to be trusted explicitly by the user
> before the installation of that package. So, this parameter
> will be used to supply an id for a key to be used to sign
> the package.
>
> Signed-off-by: Denis A. Altoé Falqueto<denisfalqueto at gmail.com>
> ---
>   scripts/makepkg.sh.in |   28 +++++++++++++++++++++++-----
>   1 files changed, 23 insertions(+), 5 deletions(-)
>
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 8381a78..dc71ffd 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -28,7 +28,7 @@
>   # makepkg uses quite a few external programs during its execution. You
>   # need to have at least the following installed for makepkg to function:
>   #   awk, bsdtar (libarchive), bzip2, coreutils, fakeroot, file, find (findutils),
> -#   gettext, grep, gzip, openssl, sed, tput (ncurses), xz
> +#   gettext, gpg, grep, gzip, openssl, sed, tput (ncurses), xz
>
>   # gettext initialization
>   export TEXTDOMAIN='pacman'
> @@ -74,6 +74,8 @@ BUILDFUNC=0
>   CHECKFUNC=0
>   PKGFUNC=0
>   SPLITPKG=0
> +SIGN=0
> +SIGNKEY=""
>   PKGLIST=()
>
>   # Forces the pkgver of the current PKGBUILD. Used by the fakeroot call
> @@ -1106,7 +1108,7 @@ create_package() {
>   }
>
>   create_signature() {
> -	if [[ $(check_buildenv sign) != "y" ]]; then
> +	if [[ $(check_buildenv sign) != "y"&&  $SIGN != 1 ]]; then
>   		return
>   	fi
>   	local ret=0
> @@ -1116,7 +1118,18 @@ create_signature() {
>   		error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
>   		exit 1 # $E_MISSING_PROGRAM
>   	fi
> -	gpg --detach-sign --use-agent "$filename" || ret=$?
> +
> +	# Check if SIGNKEY is valid.
> +	local SIGNWITHKEY=""
> +	if [[ "${SIGNKEY}" ]]; then
> +		if ! gpg --list-key "${SIGNKEY}" 1>/dev/null 2>&1; then
> +			error "$(gettext "The key ${SIGNKEY} doesn\'t exist.")"
> +			exit 1
> +		fi
> +		SIGNWITHKEY="-u ${SIGNKEY}"
> +	fi

I wonder if this is checked too late.  I suppose with a package() 
function in a PKGBUILD, we can not rebuild by using "makepkg -R" but 
this still seems quite late to abort.

> +	# The signature will be generated directly in ascii-friendly format
> +	gpg --detach-sign --quiet --batch --use-agent ${SIGNWITHKEY} "$filename" 1>/dev/null || ret=$?

--batch is bad here.  It forces the use of a gpg-agent.


>   	if (( ! ret )); then
>   		msg2 "$(gettext "Created signature file %s.")" "$filename.sig"
>   	else
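Review bot: The `gpg --list-key "${SIGNKEY}"` check only proves the key is in the public keyring, while signing needs the matching secret key, so a key that can never sign passes the check and the failure only surfaces at the signing call; `gpg --list-secret-keys "${SIGNKEY}" &>/dev/null` tests the right thing. `SIGNWITHKEY="-u ${SIGNKEY}"` is then expanded unquoted on the gpg command line, so a user ID containing spaces is split into extra arguments; an array (`local -a SIGNWITHKEY=()`, `SIGNWITHKEY=(-u "${SIGNKEY}")`, `"${SIGNWITHKEY[@]}"`) keeps it as one argument. The comment above the signing call says the signature is ASCII-friendly, but no `--armor` is passed, so either the comment or the command should change. Interpolating `${SIGNKEY}` into the gettext msgid also defeats translation lookup; the `%s` form used by the `msg2` call below would fit, assuming `error` accepts format arguments the same way. create_signature starts and ends outside this hunk.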
> @@ -1614,6 +1627,9 @@ usage() {
>   	echo "$(gettext "  --pkg<list>      Only build listed packages from a split package")"
>   	echo "$(gettext "  --skipinteg      Do not fail when integrity checks are missing")"
>   	echo "$(gettext "  --source         Generate a source-only tarball without downloaded sources")"
> +	echo "$(gettext "  -n, --sign       Sign the resulting package with gpg")"
> +	printf "$(gettext "  --signwithkey<key>\n\
> +                   Selects an specific key to use for signing, instead of user's default")"
>   	echo
>   	echo "$(gettext "These options can be passed to pacman:")"
>   	echo
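Review bot: The new `printf` call uses the translated string as its format and emits no trailing newline, so the bare `echo` that follows only terminates the `--signwithkey` line instead of printing the blank separator, and a stray `%` in a translation would be read as a conversion. Writing the entry as `echo "$(gettext "...")"` lines, one per output line like the neighbouring options, avoids both problems and keeps each msgid on a single line for translators. usage() starts and ends outside this hunk.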
> @@ -1645,11 +1661,11 @@ fi
>   ARGLIST=("$@")
>
>   # Parse Command Line Options.
> -OPT_SHORT="AcCdefFghiLmop:rRsV"
> +OPT_SHORT="AcCdefFghiLmnop:rRsV"
>   OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps"
>   OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver"
>   OPT_LONG+=",install,log,nocolor,nobuild,nocheck,pkg:,rmdeps"
> -OPT_LONG+=",repackage,skipinteg,source,syncdeps,version,config:"
> +OPT_LONG+=",repackage,sign,signwithkey:,skipinteg,source,syncdeps,version,config:"
>   # Pacman Options
>   OPT_LONG+=",noconfirm,noprogressbar"
>   OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@" || echo 'PARSE_OPTIONS FAILED')"
> @@ -1693,6 +1709,8 @@ while true; do
>   		-R|--repackage)   REPKG=1 ;;
>   		--skipinteg)      SKIPINTEG=1 ;;
>   		--source)         SOURCEONLY=1 ;;
> +		--sign)           SIGN=1 ;;
> +		--signwithkey)    shift; SIGNKEY=$1 ;;
>   		-s|--syncdeps)    DEP_BIN=1 ;;
>
>   		-h|--help)        usage; exit 0 ;; # E_OK
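Review bot: The new arm matches only `--sign`, although this patch adds `n` to OPT_SHORT and documents `-n, --sign` in usage(), so `-n` never reaches this arm; it should read `-n|--sign)        SIGN=1 ;;`. `--signwithkey` also stores whatever follows without checking it, and an empty value makes create_signature skip the `-u` branch and sign with the default key, silently ignoring the explicit request; rejecting an empty `SIGNKEY` here would fail early and visibly. The enclosing `while`/`case` starts and ends outside this hunk.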


