[pacman-dev] [PATCH 3/3] Changed makepkg and repo-add to use -S/--sign for signing. Added --gpgdir option to repo-add to allow GnuPG home directory configuration. Signed-off-by: Kerrick Staley <mail at kerrickstaley.com>

Dan McGee dpmcgee at gmail.com
Wed Jun 1 16:21:31 EDT 2011


^^^ You deleted the blank line between the patch subject and the
summary text, which is why the subject line ran on into the body like
that. You'll want to put that blank line back.

On Wed, Jun 1, 2011 at 3:03 PM, Kerrick Staley <mail at kerrickstaley.com> wrote:

I'm not against either of these two things, but it probably should be
two patches. The first should add -S to both repo-add and makepkg (and
update the documentation appropriately).

The other should implement --gpgdir (as well as document it). Here is
what I notice at quick glance- to the casual user, it isn't very clear
why only one gpg invocation was changed. Your comment is unfortunately
hidden away in the code, but is very helpful: "unlike signing,
verification of old database is done with pacman's keyring." The usage
string should reflect this accordingly, and it needs to be documented
in the manpages as well this way.

-Dan

> ---
>  scripts/makepkg.sh.in  |    6 +++---
>  scripts/repo-add.sh.in |   23 ++++++++++++++++++++---
>  2 files changed, 23 insertions(+), 6 deletions(-)
>
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index b0d0c23..95f541f 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1625,7 +1625,7 @@ usage() {
>        printf "$(gettext "  --nocheck        Do not run the check() function in the %s")\n" "$BUILDSCRIPT"
>        echo "$(gettext "  --nosign         Do not create a signature for the package")"
>        echo "$(gettext "  --pkg <list>     Only build listed packages from a split package")"
> -       echo "$(gettext "  --sign           Sign the resulting package with gpg")"
> +       echo "$(gettext "  -S, --sign           Sign the resulting package with gpg")"
>        echo "$(gettext "  --skipinteg      Do not fail when integrity checks are missing")"
>        echo "$(gettext "  --source         Generate a source-only tarball without downloaded sources")"
>        echo
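Review bot: The new usage line keeps the eleven spaces that followed the shorter `--sign`, so the description for `-S, --sign` starts four columns to the right of the neighbouring options in the help output. Seven spaces line it up with `--nosign` and `--skipinteg`: `echo "$(gettext "  -S, --sign       Sign the resulting package with gpg")"`. Because the msgid changes either way, the existing translation of this line has to be refreshed regardless of the spacing. usage() starts before this hunk and continues after it.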
> @@ -1659,7 +1659,7 @@ fi
>  ARGLIST=("$@")
>
>  # Parse Command Line Options.
> -OPT_SHORT="AcCdefFghiLmop:rRsV"
> +OPT_SHORT="AcCdefFghiLmop:rRsSV"
>  OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps"
>  OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver"
>  OPT_LONG+=",install,key:,log,nocolor,nobuild,nocheck,nosign,pkg:,rmdeps"
> @@ -1708,7 +1708,7 @@ while true; do
>                -r|--rmdeps)      RMDEPS=1 ;;
>                -R|--repackage)   REPKG=1 ;;
>                --skipinteg)      SKIPINTEG=1 ;;
> -               --sign)           SIGNPKG='y' ;;
> +               -S|--sign)        SIGNPKG='y' ;;
>                --source)         SOURCEONLY=1 ;;
>                -s|--syncdeps)    DEP_BIN=1 ;;
>
> diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
> index 820db36..f00b519 100644
> --- a/scripts/repo-add.sh.in
> +++ b/scripts/repo-add.sh.in
> @@ -26,6 +26,8 @@ export TEXTDOMAINDIR='@localedir@'
>  myver='@PACKAGE_VERSION@'
>  confdir='@sysconfdir@'
>
> +GPGDIR='@sysconfdir@/pacman.d/gnupg'
> +
>  QUIET=0
>  DELTA=0
>  WITHFILES=0
> @@ -80,8 +82,9 @@ specified on the command line from the given repo database. Multiple\n\
>  packages to remove can be specified on the command line.\n\n")"
>                printf "$(gettext "Options:\n")"
>        fi
> +       printf "$(gettext "  --gpgdir <dir>    use the specified GnuPG home directory\n")"
>        printf "$(gettext "  -q, --quiet       minimize output\n")"
> -       printf "$(gettext "  -s, --sign        sign database with GnuPG after update\n")"
> +       printf "$(gettext "  -S, --sign        sign database with GnuPG after update\n")"
>        printf "$(gettext "  -k, --key <key>   use the specified key to sign the database\n")"
>        printf "$(gettext "  -v, --verify      verify database's signature before update\n")"
>        printf "$(gettext "\n\
> @@ -231,7 +234,12 @@ verify_signature() {
>                warning "$(gettext "No existing signature found, skipping verification.")"
>                return
>        fi
> -       gpg --verify "$dbfile.sig" || ret=$?
> +       # unlike signing, verification of old database is done with pacman's keyring
> +       if ! gpg --homedir "$GPGDIR" --list-keys &>/dev/null; then
> +               error "$(gettext "${GPGDIR} is not a properly initialized GnuPG home directory.")"
> +               exit 1
> +       fi
> +       gpg --homedir "$GPGDIR" --verify "$dbfile.sig" || ret=$?
>        if (( ! ret )); then
>                msg2 "$(gettext "Database signature file verified.")"
>        else
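Review bot: The error call after the new `if ! gpg --homedir "$GPGDIR" --list-keys` check expands `${GPGDIR}` inside the gettext msgid, so the string looked up at runtime never matches a catalog entry and cannot be translated, and if error() passes its message to printf as the format string, as the pacman script helpers generally do, a directory name containing `%` is parsed as a conversion specification rather than printed. The same construct is repeated in the `--gpgdir` branch of the option loop further down. Pass the path as a printf argument instead: `error "$(gettext "%s is not a properly initialized GnuPG home directory.")" "$GPGDIR"`. Since the identical four-line check now lives in two places, it is worth a small helper called from both, sketched below; the hunk shows only the middle of verify_signature().
```shell
# Abort unless GPGDIR is a usable GnuPG home (used for verifying the old database only).
check_gpgdir() {
	if ! gpg --homedir "$GPGDIR" --list-keys &>/dev/null; then
		error "$(gettext "%s is not a properly initialized GnuPG home directory.")" "$GPGDIR"
		exit 1
	fi
}

# … in verify_signature(), replacing the inline check:
	# unlike signing, verification of old database is done with pacman's keyring
	check_gpgdir
	gpg --homedir "$GPGDIR" --verify "$dbfile.sig" || ret=$?
```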
> @@ -552,7 +560,16 @@ while [[ $# > 0 ]]; do
>                -q|--quiet) QUIET=1;;
>                -d|--delta) DELTA=1;;
>                -f|--files) WITHFILES=1;;
> -               -s|--sign)
> +               --gpgdir)
> +                       check_gpg
> +                       shift
> +                       GPGDIR="$1"
> +                       if ! gpg --homedir "$GPGDIR" --list-keys &>/dev/null; then
> +                               error "$(gettext "${GPGDIR} is not a properly initialized GnuPG home directory.")"
> +                               exit 1
> +                       fi
> +                       ;;
> +               -S|--sign)
>                        check_gpg
>                        SIGN=1
>                        if ! gpg --list-key ${GPGKEY} &>/dev/null; then
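Review bot: Replacing `-s|--sign)` with `-S|--sign)` drops the existing `-s` short option outright, so any script still invoking `repo-add -s` will now fall into whatever the unknown-option branch below this hunk does instead of signing the database. If the rename is intended, keep `-s` accepted for a transition period, e.g. `-s|-S|--sign)`, and mention the deprecation in the usage text. Separately, the new `--gpgdir` branch does `shift` then `GPGDIR="$1"` without checking that an argument was supplied, so `--gpgdir` given as the last word presumably sets an empty GPGDIR and reports `" is not a properly initialized GnuPG home directory."` with nothing in front; check first with `[[ -n $1 ]] || { error "$(gettext "'--gpgdir' requires a directory argument")"; exit 1; }` (message wording is a placeholder). The while loop begins before this hunk and its remaining branches lie after it.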
> --
> 1.7.5.2
>
>
>

