[pacman-dev] [RFC] makepkg: Introduce acceptkeys array

Allan McRae allan at archlinux.org
Sat Mar 8 01:34:10 EST 2014


On 07/03/14 05:05, Thomas Bächler wrote:
> If acceptkeys is set in the PKGBUILD, signature checking fails if
> the fingerprint of the key used to create the signature is not listed
> in the array. Failure to verify the signature due to a missing public
> key is also treated as an error instead of a warning.
> ---
>  scripts/makepkg.sh.in | 36 ++++++++++++++++++++++++++----------
>  1 file changed, 26 insertions(+), 10 deletions(-)
> 

Fine.  Small comments below.  Also needs documentation.

Just a small bikeshed...  acceptkeys does not sound right.  How about
sourcepgpkeys?

> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index e230c15..40c5b48 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1250,7 +1250,7 @@ check_pgpsigs() {
>  
>  	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
>  
> -	local file pubkey ext decompress found
> +	local file pubkey ext decompress found success
>  	local warning=0
>  	local errors=0
>  	local statusfile=$(mktemp)
> @@ -1296,7 +1296,11 @@ check_pgpsigs() {
>  			printf '%s' "$(gettext "FAILED")" >&2
>  			if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
>  				printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
> -				warnings=1
> +				if (( ${#acceptkeys[@]} > 0 )); then
> +					errors=1
> +				else
> +					warnings=1
> +				fi

This seems strange from a user interface perspective - a missing key in
a keyring can be a warning or error depending on other aspects of the
PKGBUILD.

>  			else
>  				errors=1
>  			fi
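Review bot: The added else branch still assigns `warnings=1`, while the declaration visible in the first hunk is `local warning=0`, so the variable set here is not the declared local and, unless it is declared elsewhere in check_pgpsigs, it leaks into the global scope. Since this patch already edits the `local` line, the declaration could become `local warnings=0` in the same change. How the value is read after the loop lies outside the quoted hunks, so the effect on the final warning report should be confirmed there.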
> @@ -1306,13 +1310,25 @@ check_pgpsigs() {
>  				printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2
>  				errors=1
>  			else
> -				printf '%s' "$(gettext "Passed")" >&2
> -				if grep -q "EXPSIG" "$statusfile"; then
> -					printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
> -					warnings=1
> -				elif grep -q "EXPKEYSIG" "$statusfile"; then
> -					printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
> -					warnings=1
> +				success=1
> +				if (( ${#acceptkeys[@]} > 0 )); then
> +					pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG ([A-Z0-9]*) .*/\1/p;' | awk '{print tolower($0)}')

tolower?  I'd expect PGP keys to be given with capital letters.  At
least have acceptkeys run through tolower too.

> +					if ! in_array $pubkey ${acceptkeys[@]}; then

So the PKGBUILD needs to specify the full fingerprint?

This allows acceptkeys to specify shorter values:
grep -f <(printf '%s$\n' "${acceptkeys[@]}") <(printf '%s\n' "$pubkey")

> +						printf '%s' "$(gettext "FAILED")" >&2
> +						printf " ($(gettext 'the fingerprint %s is not accepted.'))" "$pubkey" >&2

Maybe:
sources are not allowed to be signed by the PGP key %s

> +						success=0
> +						errors=1
> +					fi
> +				fi
> +				if (( $success )); then
> +					printf '%s' "$(gettext "Passed")" >&2
> +					if grep -q "EXPSIG" "$statusfile"; then
> +						printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
> +						warnings=1
> +					elif grep -q "EXPKEYSIG" "$statusfile"; then
> +						printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
> +						warnings=1
> +					fi
>  				fi
>  			fi
>  			printf '\n' >&2
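Review bot: The membership test `in_array $pubkey ${acceptkeys[@]}` expands both values unquoted, so if no VALIDSIG line was parsed and `$pubkey` is empty, the needle argument disappears and the first array entry takes its place; `if ! in_array "$pubkey" "${acceptkeys[@]}"; then` keeps an empty fingerprint a definite mismatch regardless of how in_array (defined outside this page) handles its arguments. The sed expression captures the first field after VALIDSIG, which in GnuPG's status format is the fingerprint of the key that made the signature, so a source signed with a signing subkey would presumably be matched by the subkey fingerprint rather than by the primary-key fingerprint at the end of that line; which of the two a PKGBUILD must list should be decided and documented. The new failure message is also the only printf in this block that passes the gettext result as the format string, so a stray `%` in a translation would alter the output. check_pgpsigs begins and ends outside the hunk.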
> @@ -2809,7 +2825,7 @@ fi
>  
>  unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
>  unset md5sums replaces depends conflicts backup source install changelog build
> -unset makedepends optdepends options noextract
> +unset makedepends optdepends options noextract acceptkeys
>  
>  BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
>  if [[ ! -f $BUILDFILE ]]; then
> 


