[pacman-dev] [PATCHv2 3/3] makepkg: Introduce validpgpkeys array

Thomas Bächler thomas at archlinux.org
Sat Mar 8 14:22:43 EST 2014


If validpgpkeys is set in the PKGBUILD, signature checking fails if
the fingerprint of the key used to create the signature is not listed
in the array.

The key's trust value is ignored.
---
 doc/PKGBUILD.5.txt    |  7 +++++++
 scripts/makepkg.sh.in | 17 ++++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
index 50d8347..7a1e924 100644
--- a/doc/PKGBUILD.5.txt
+++ b/doc/PKGBUILD.5.txt
@@ -128,6 +128,13 @@ Files in the source array with extensions `.sig`, `.sign` or, `.asc` are
 recognized by makepkg as PGP signatures and will be automatically used to verify
 the integrity of the corresponding source file.
 
+*validpgpkeys (array)*::
+	An array of PGP fingerprints. If this array is non-empty, makepkg will
+	only accept signatures from the keys listed here and will ignore the
+	trust values from the keyring.
++
+Fingerprints must be uppercase and must not contain whitespace characters.
+
 *noextract (array)*::
 	An array of file names corresponding to those from the source array. Files
 	listed here will not be extracted with the rest of the source files. This
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index d0e4fb5..d24a2cd 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1283,6 +1283,13 @@ parse_gpg_statusfile() {
 					status="error"
 				fi
 				;;
+			VALIDSIG)
+				if [[ $arg10 ]]; then
+					fingerprint=$arg10
+				else
+					fingerprint=$arg1
+				fi
+				;;
 			TRUST_UNDEFINED|TRUST_NEVER)
 				trusted=0
 				;;
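Review bot: The VALIDSIG case prefers `$arg10` over `$arg1`, and in gpg's `--status-fd` output those are the primary key fingerprint and the fingerprint of the actual signing (sub)key respectively, so a match in validpgpkeys accepts a signature made by any subkey of a listed primary key; that is a reasonable choice, but neither the commit message nor the man page hunk says that the array holds primary-key fingerprints, and nothing here says why `$arg1` is the fallback. A comment above the `if` would record it: `# VALIDSIG: arg1 is the signing (sub)key fingerprint, arg10 (absent on older gpg) the primary key's; match on the primary so subkeys of a listed key are accepted`. How the status line is split into arg1..arg10 is outside the hunk, so whether arg10 is ever populated depends on that read loop; parse_gpg_statusfile itself begins before the hunk.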
@@ -1299,7 +1306,7 @@ check_pgpsigs() {
 
 	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
 
-	local file ext decompress found pubkey success status trusted
+	local file ext decompress found pubkey success status fingerprint trusted
 	local warning=0
 	local errors=0
 	local statusfile=$(mktemp)
@@ -1345,6 +1352,7 @@ check_pgpsigs() {
 		success=0
 		status=
 		pubkey=
+		fingerprint=
 		trusted=
 		parse_gpg_statusfile "$statusfile"
 		if (( ! $success )); then
@@ -1365,9 +1373,12 @@ check_pgpsigs() {
 			esac
 			errors=1
 		else
-			if (( ! $trusted )); then
+			if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then
 				printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2
 				errors=1
+			elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then
+				printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")"
+				errors=1
 			else
 				printf '%s' "$(gettext "Passed")" >&2
 				case "$status" in
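Review bot: The new FAILED message on the `elif` branch is printed to stdout while the sibling branch just above it redirects to stderr with `>&2`, and it also splices `$pubkey` into the printf format string instead of passing it as an argument, so a key id containing `%` would be interpreted as a conversion; the line should read `printf "%s (%s %s)" "$(gettext "FAILED")" "$(gettext "invalid public key")" "$pubkey" >&2`. Note that because the comparison is a plain string match against gpg's uppercase fingerprint, a lowercase or spaced entry in validpgpkeys fails closed on every signature with this same "invalid public key" text, which may send the user looking at the wrong key; a wording such as "public key %s is not listed in validpgpkeys" would point at the right place. check_pgpsigs continues outside the hunk.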
@@ -2875,7 +2886,7 @@ fi
 
 unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
 unset md5sums replaces depends conflicts backup source install changelog build
-unset makedepends optdepends options noextract
+unset makedepends optdepends options noextract validpgpkeys
 
 BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
 if [[ ! -f $BUILDFILE ]]; then
-- 
1.9.0


