[pacman-dev] [PATCH 1/2] Add support for verifying pgp signatures to makepkg

Wieland Hoffmann themineo at googlemail.com
Thu Jun 23 03:36:56 EDT 2011


---
 scripts/makepkg.sh.in |   52 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 78cd4cf..cc4f152 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -516,7 +516,7 @@ download_sources() {
 	pushd "$SRCDEST" &>/dev/null
 
 	local netfile
-	for netfile in "${source[@]}"; do
+	for netfile in "${source[@]}" "${pgpsigs[@]}"; do
 		local file=$(get_filepath "$netfile" || true)
 		if [[ -n "$file" ]]; then
 			msg2 "$(gettext "Found %s")" "${file##*/}"
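Review bot: Signature files are now fetched on every build, including builds that never pass `--pgp`, so an unreachable `.sig` URL would presumably abort a build whose user did not ask for verification — the download-failure path of this loop lies outside the hunk, so confirm. If that is unwanted, the extra list can follow the option: `for netfile in "${source[@]}" ${PGPSIGS:+"${pgpsigs[@]}"}; do`. `download_sources` begins and ends outside the hunk.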
@@ -680,6 +680,49 @@ check_checksums() {
 	fi
 }
 
+check_pgpsigs() {
+	(( ! ${#source[@]} )) && return 0
+	(( ! ${#pgpsigs[@]})) && return 0
+
+	if ! type -p gpg >/dev/null; then
+		error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+		exit 1 # $E_MISSING_PROGRAM
+	fi
+
+	msg "$(gettext "Validating source files with gpg...")"
+
+	local file
+	local errors=0
+
+	for file in "${pgpsigs[@]}"; do
+		local valid
+		local found=1
+
+		file="$(get_filename "$file")"
+		echo -n "    ${file%.sig} ... " >&2
+
+		if ! file="$(get_filepath "$file")"; then
+			echo "$(gettext "NOT FOUND")" >&2
+			errors=1
+			found=0
+		fi
+
+		if (( found )); then
+			if ! gpg --quiet --batch --verify "$file" 2> /dev/null; then
+				echo "$(gettext "Verification failed")" >&2
+				errors=1
+			else
+				echo $(gettext "Verified") >&2
+			fi
+		fi
+	done
+
+	if (( errors )); then
+		error "$(gettext "One or more pgp signatures could not be verified!")"
+		exit 1
+	fi
+}
+
 extract_sources() {
 	msg "$(gettext "Extracting Sources...")"
 	local netfile
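Review bot: The `gpg --verify` call on line 56 accepts any signature made by a key that happens to be in the keyring — gpg exits 0 even when that key carries no trust, and the `2> /dev/null` discards the only hint of it (gpg's "This key is not certified with a trusted signature!" warning). If `--pgp` is meant to establish that a known upstream key signed the tarball, the check should read gpg's `--status-fd` output and require a `TRUST_FULLY` or `TRUST_ULTIMATE` line, or at minimum let gpg's stderr reach the user. Smaller points in the same hunk: `local valid` on line 43 is never used, `echo $(gettext "Verified")` on line 60 is unquoted unlike its siblings on lines 50 and 57, and the `exit 1 # $E_MISSING_PROGRAM` comment suggests the named constant was intended. The rewritten verification branch follows.
```shell
		if (( found )); then
			# A 0 exit only means "some key in the keyring made this signature";
			# the TRUST_* status line carries the trust level of that key.
			local status
			status=$(gpg --quiet --batch --status-fd 1 --verify "$file" 2>/dev/null)
			if (( $? )) || ! grep -q -e '^\[GNUPG:\] TRUST_FULLY' -e '^\[GNUPG:\] TRUST_ULTIMATE' <<<"$status"; then
				echo "$(gettext "Verification failed")" >&2
				errors=1
			else
				echo "$(gettext "Verified")" >&2
			fi
		fi
# … unchanged: error summary and exit …
```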
@@ -1614,6 +1657,7 @@ usage() {
 	echo "$(gettext "  --key <key>      Specify a key to use for gpg signing instead of the default")"
 	printf "$(gettext "  --nocheck        Do not run the check() function in the %s")\n" "$BUILDSCRIPT"
 	echo "$(gettext "  --nosign         Do not create a signature for the package")"
+	echo "$(gettext "  --pgp            Enable verification of source files with pgp signatures")"
 	echo "$(gettext "  --pkg <list>     Only build listed packages from a split package")"
 	echo "$(gettext "  --sign           Sign the resulting package with gpg")"
 	echo "$(gettext "  --skipinteg      Do not fail when integrity checks are missing")"
@@ -1651,7 +1695,7 @@ ARGLIST=("$@")
 # Parse Command Line Options.
 OPT_SHORT="AcCdefFghiLmop:rRsV"
 OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps"
-OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver"
+OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver,pgp"
 OPT_LONG+=",install,key:,log,nocolor,nobuild,nocheck,nosign,pkg:,rmdeps"
 OPT_LONG+=",repackage,skipinteg,sign,source,syncdeps,version,config:"
 # Pacman Options
@@ -1694,6 +1738,7 @@ while true; do
 		--nosign)         SIGNPKG='n' ;;
 		-o|--nobuild)     NOBUILD=1 ;;
 		-p)               shift; BUILDFILE=$1 ;;
+		--pgp)            PGPSIGS=1;;
 		--pkg)            shift; PKGLIST=($1) ;;
 		-r|--rmdeps)      RMDEPS=1 ;;
 		-R|--repackage)   REPKG=1 ;;
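Review bot: `PGPSIGS=1;;` on line 95 drops the space before `;;` that every neighbouring arm uses; write `--pgp)            PGPSIGS=1 ;;`. The patch also does not show `PGPSIGS` being initialised next to the other option defaults; `(( PGPSIGS ))` tolerates an unset name in arithmetic context, but an explicit `PGPSIGS=0` there would make the opt-in visible — that block is outside the hunk, so confirm.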
@@ -2129,6 +2174,9 @@ else
 	download_sources
 	if (( ! SKIPINTEG )); then
 		check_checksums
+		if (( PGPSIGS )); then
+			check_pgpsigs
+		fi
 	else
 		warning "$(gettext "Skipping integrity checks.")"
 	fi
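Review bot: Signature verification runs only when the user passes `--pgp`, so a PKGBUILD that ships a `pgpsigs` array is built with no verification by default and nothing tells the user the signatures were skipped. Since `check_pgpsigs` already returns early when `pgpsigs` is empty, consider calling it unconditionally here and offering a flag or makepkg.conf setting to disable it, or at least emit a warning comparable to `Skipping integrity checks.` when signatures are present but unchecked. The enclosing `if`/`else` starts outside the hunk.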
-- 
1.7.5.4


