[pacman-dev] [RFC] makepkg: Introduce acceptkeys array

Thomas Bächler thomas at archlinux.org
Thu Mar 6 14:05:44 EST 2014


If acceptkeys is set in the PKGBUILD, signature checking fails if
the fingerprint of the key used to create the signature is not listed
in the array. Failure to verify the signature due to a missing public
key is also treated as an error instead of a warning.
---
 scripts/makepkg.sh.in | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index e230c15..40c5b48 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1250,7 +1250,7 @@ check_pgpsigs() {
 
 	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
 
-	local file pubkey ext decompress found
+	local file pubkey ext decompress found success
 	local warning=0
 	local errors=0
 	local statusfile=$(mktemp)
@@ -1296,7 +1296,11 @@ check_pgpsigs() {
 			printf '%s' "$(gettext "FAILED")" >&2
 			if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
 				printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
-				warnings=1
+				if (( ${#acceptkeys[@]} > 0 )); then
+					errors=1
+				else
+					warnings=1
+				fi
 			else
 				errors=1
 			fi
@@ -1306,13 +1310,25 @@ check_pgpsigs() {
 				printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2
 				errors=1
 			else
-				printf '%s' "$(gettext "Passed")" >&2
-				if grep -q "EXPSIG" "$statusfile"; then
-					printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
-					warnings=1
-				elif grep -q "EXPKEYSIG" "$statusfile"; then
-					printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
-					warnings=1
+				success=1
+				if (( ${#acceptkeys[@]} > 0 )); then
+					pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG ([A-Z0-9]*) .*/\1/p;' | awk '{print tolower($0)}')
+					if ! in_array $pubkey ${acceptkeys[@]}; then
+						printf '%s' "$(gettext "FAILED")" >&2
+						printf " ($(gettext 'the fingerprint %s is not accepted.'))" "$pubkey" >&2
+						success=0
+						errors=1
+					fi
+				fi
+				if (( $success )); then
+					printf '%s' "$(gettext "Passed")" >&2
+					if grep -q "EXPSIG" "$statusfile"; then
+						printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
+						warnings=1
+					elif grep -q "EXPKEYSIG" "$statusfile"; then
+						printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
+						warnings=1
+					fi
 				fi
 			fi
 			printf '\n' >&2
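Review bot: The fingerprint comparison at the new `in_array` line normalizes only one side: `pubkey` is forced to lowercase by the `tolower` stage, while the `acceptkeys` entries are presumably compared verbatim, so a PKGBUILD listing fingerprints in the uppercase form gpg prints will reject every valid signature. Normalizing both sides and quoting the expansions (an unquoted empty `pubkey` would otherwise shift the first array entry into the needle position) fixes this, and the grep/sed/awk pipeline can collapse to the awk form already used for NO_PUBKEY: `pubkey=$(awk '/VALIDSIG/ { print tolower($3); exit }' "$statusfile")` and `if ! in_array "$pubkey" "${acceptkeys[@],,}"; then` (the `,,` expansion needs bash 4, which I believe makepkg already requires). Separately, the first VALIDSIG field is the fingerprint of the key that actually produced the signature, which for a signing subkey differs from the primary-key fingerprint a packager is likely to copy; the trailing VALIDSIG field carries the primary fingerprint, so either accept a match on that as well or document that subkey fingerprints must be listed. check_pgpsigs continues outside this hunk.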
@@ -2809,7 +2825,7 @@ fi
 
 unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
 unset md5sums replaces depends conflicts backup source install changelog build
-unset makedepends optdepends options noextract
+unset makedepends optdepends options noextract acceptkeys
 
 BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
 if [[ ! -f $BUILDFILE ]]; then
-- 
1.9.0


