[pacman-dev] [PATCH] makepkg: add flag 'recvkeys' to retrieve PGP keys from 'validpgpkeys' in PKGBUILDs
alzeih at gmail.com
alzeih at gmail.com
Tue Apr 4 01:37:25 UTC 2017
This makes it possible to automate retrieval of the PGP keys used to verify source file signatures.
It may make it easier for package users and maintainers to obtain the keys listed in a PKGBUILD's validpgpkeys array.
Signed-off-by: Alli <alzeih at gmail.com>
---
doc/makepkg.8.txt | 4 ++++
scripts/libmakepkg/integrity.sh.in | 2 ++
.../libmakepkg/integrity/verify_signature.sh.in | 22 ++++++++++++++++++++++
scripts/makepkg.sh.in | 15 +++++++++++++--
4 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/doc/makepkg.8.txt b/doc/makepkg.8.txt
index 2dff1b19..88b709f4 100644
--- a/doc/makepkg.8.txt
+++ b/doc/makepkg.8.txt
@@ -171,6 +171,10 @@ Options
*\--noprepare*::
Do not run the prepare() function in the PKGBUILD.
+*\--recvkeys*::
+ Retrieve PGP signing keys used in the PKGBUILD for verifying source
+ integrity into the gpg keyring.
+
*\--sign*::
Sign the resulting package with gpg, overriding the setting in
linkman:makepkg.conf[5].
diff --git a/scripts/libmakepkg/integrity.sh.in b/scripts/libmakepkg/integrity.sh.in
index 3a77ef16..3d3d071b 100644
--- a/scripts/libmakepkg/integrity.sh.in
+++ b/scripts/libmakepkg/integrity.sh.in
@@ -34,11 +34,13 @@ check_source_integrity() {
warning "$(gettext "Skipping all source file integrity checks.")"
elif (( SKIPCHECKSUMS )); then
warning "$(gettext "Skipping verification of source file checksums.")"
+ get_pgpsigs "$@"
check_pgpsigs "$@"
elif (( SKIPPGPCHECK )); then
warning "$(gettext "Skipping verification of source file PGP signatures.")"
check_checksums "$@"
else
+ get_pgpsigs "$@"
check_checksums "$@"
check_pgpsigs "$@"
fi
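Review bot: In the final branch get_pgpsigs runs before check_checksums, so the keyserver round-trip happens even when the checksum check is about to fail and abort the build; the cheaper, offline check should come first. Swapping the two lines to `check_checksums "$@"` then `get_pgpsigs "$@"` keeps the fetch adjacent to check_pgpsigs, which is the only consumer of the imported keys, and mirrors the order already used in the SKIPCHECKSUMS branch. check_source_integrity starts outside the hunk.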
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index b5577523..e8890932 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -26,6 +26,28 @@ LIBRARY=${LIBRARY:-'@libmakepkgdir@'}
source "$LIBRARY/util/message.sh"
source "$LIBRARY/util/pkgbuild.sh"
+get_pgpsigs() {
+ ! source_has_signatures && return 0
+ (( ! RECVKEYS )) && return 0
+
+ msg "$(gettext "Receiving PGP keys for verifying source file signatures with %s...")" "gpg"
+
+ local key
+ local errors=0
+
+ for key in "${validpgpkeys[@]}"; do
+ gpg --recv-keys "$key"
+ if [ $? != 0 ]; then
+ errors=1
+ fi
+ done
+
+ if (( errors )); then
+ error "$(gettext "One or more PGP keys could not be retrieved!")"
+ exit 1
+ fi
+}
+
check_pgpsigs() {
(( SKIPPGPCHECK )) && return 0
! source_has_signatures && return 0
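Review bot: Each element of validpgpkeys is passed to gpg unvalidated, so a PKGBUILD entry beginning with `-` is parsed by gpg as an option rather than a key ID, and a short (8/16 hex digit) ID fetches whichever keyserver key matches it. Restricting the loop to hex-only identifiers rejects both cases before anything reaches gpg, and `if ! gpg ...` replaces the `[ $? != 0 ]` idiom. Importing a key grants it no trust; the fingerprint comparison in check_pgpsigs (which continues outside the hunk) presumably remains the actual verification step, and that is worth stating in a comment above the loop, e.g. `# Importing only populates the keyring; signatures are still matched against validpgpkeys by fingerprint in check_pgpsigs.`
```shell
	for key in "${validpgpkeys[@]}"; do
		# Only hex key IDs/fingerprints are handed to gpg; anything else
		# from the PKGBUILD would otherwise reach gpg's option parser.
		if [[ ! $key =~ ^[[:xdigit:]]+$ ]]; then
			error "$(gettext "Invalid PGP key identifier: %s")" "$key"
			errors=1
			continue
		fi
		if ! gpg --recv-keys "$key"; then
			errors=1
		fi
	done
	# … unchanged: error summary and exit …
```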
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 29408929..1a6ca831 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -78,6 +78,7 @@ NOEXTRACT=0
PKGFUNC=0
PKGVERFUNC=0
PREPAREFUNC=0
+RECVKEYS=0
REPKG=0
RMDEPS=0
SKIPCHECKSUMS=0
@@ -1044,6 +1045,14 @@ check_software() {
fi
fi
+ # gpg - receive source verification keys
+ if (( RECVKEYS )) && source_has_signatures; then
+ if ! type -p gpg >/dev/null; then
+ error "$(gettext "Cannot find the %s binary required for receiving keys for verifying source files.")" "gpg"
+ ret=1
+ fi
+ fi
+
# checksum operations
if (( GENINTEG || ! SKIPCHECKSUMS )); then
local integlist
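Review bot: The new gpg presence check fires whenever --recvkeys is given and signatures exist, but get_pgpsigs is only ever invoked from the branches of check_source_integrity that are not skipped by SKIPPGPCHECK or SKIPINTEG, so `makepkg --recvkeys --skippgpcheck` on a host without gpg now fails in check_software for a binary that would never be used. Gating the condition the same way, `if (( RECVKEYS && ! SKIPPGPCHECK && ! SKIPINTEG )) && source_has_signatures; then`, keeps the check aligned with the call sites; the existing signature-verification gpg check just above presumably uses the same flags and should be mirrored. check_software starts and ends outside the hunk.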
@@ -1218,6 +1227,7 @@ usage() {
printf -- "$(gettext " --nosign Do not create a signature for the package")\n"
printf -- "$(gettext " --packagelist Only list packages that would be produced, without PKGEXT")\n"
printf -- "$(gettext " --printsrcinfo Print the generated SRCINFO and exit")\n"
+ printf -- "$(gettext " --recvkeys Receive PGP Keys used for verifying source integrity")\n"
printf -- "$(gettext " --sign Sign the resulting package with %s")\n" "gpg"
printf -- "$(gettext " --skipchecksums Do not verify checksums of the source files")\n"
printf -- "$(gettext " --skipinteg Do not perform any verification checks on source files")\n"
@@ -1263,8 +1273,8 @@ OPT_SHORT="AcCdefFghiLmop:rRsSV"
OPT_LONG=('allsource' 'check' 'clean' 'cleanbuild' 'config:' 'force' 'geninteg'
'help' 'holdver' 'ignorearch' 'install' 'key:' 'log' 'noarchive' 'nobuild'
'nocolor' 'nocheck' 'nodeps' 'noextract' 'noprepare' 'nosign' 'packagelist'
- 'printsrcinfo' 'repackage' 'rmdeps' 'sign' 'skipchecksums' 'skipinteg'
- 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version')
+ 'printsrcinfo' 'recvkeys' 'repackage' 'rmdeps' 'sign' 'skipchecksums'
+ 'skipinteg' 'skippgpcheck' 'source' 'syncdeps' 'verifysource' 'version')
# Pacman Options
OPT_LONG+=('asdeps' 'noconfirm' 'needed' 'noprogressbar')
@@ -1309,6 +1319,7 @@ while true; do
-p) shift; BUILDFILE=$1 ;;
--packagelist) PACKAGELIST=1 IGNOREARCH=1;;
--printsrcinfo) PRINTSRCINFO=1 IGNOREARCH=1;;
+ --recvkeys) RECVKEYS=1 ;;
-r|--rmdeps) RMDEPS=1 ;;
-R|--repackage) REPKG=1 ;;
--sign) SIGNPKG='y' ;;
--
2.12.1