[PATCH] makepkg: add source signing PGP keys to package if available
Emil Velikov
emil.l.velikov at gmail.com
Wed Jun 1 09:35:39 UTC 2022
On Tuesday, 31 May 2022, Allan McRae <allan at archlinux.org> wrote:
> Arch Linux is adding source signing PGP keys to their package source
> tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
> PGP keyserver infrastructure is a mess, this helps other people validate
> sources in a PKGBUILD.
>
> Add the keys to source packages if found alongside the PKGBUILD.
>
> Signed-off-by: Allan McRae <allan at archlinux.org>
> ---
>
> I won't be committing this until the relevant Arch devtools patch is
> accepted so that the keys/pgp/ path is finalised.
>
> scripts/makepkg.sh.in | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 69757d03..bddcbe03 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -705,6 +705,16 @@ create_srcpackage() {
> done
> pkgname=(${pkgname_backup[@]})
>
> + # add a copy of source PGP signing public keys if availabe in
> keys/pgp/<fingerprint>.asc
> + local key
> + for key in ${validpgpkeys[@]}; do
> + if [[ -f keys/pgp/$key.asc ]]; then
> + mkdir -p "${srclinks}/${pkgbase}/keys/pgp/"
> + ln -s "${startdir}/keys/pgp/$key.asc"
> "${srclinks}/${pkgbase}/keys/pgp/"
> + fi
> + done
> +
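Review bot: the existence test and the symlink target use different paths: `[[ -f keys/pgp/$key.asc ]]` is relative to the current working directory, while `ln -s` points at `"${startdir}/keys/pgp/$key.asc"`, so if create_srcpackage() is ever called from a directory other than `$startdir` the check passes or fails against a different file than the one linked. Suggest `if [[ -f "${startdir}/keys/pgp/$key.asc" ]]; then` so both sides refer to the same file. Two smaller points in the same hunk: `for key in ${validpgpkeys[@]}` is unquoted and should be `"${validpgpkeys[@]}"` to avoid word splitting and globbing of the fingerprints, and the comment has a typo ("availabe" should be "available").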
Thanks for tackling the topic Allan - here and in devtools.
Would it make sense to error out if any key is missing? Be that now or in
the mid-to-long run.
Perhaps we can mandate it when devtools version X is detected, or when
makepkg.conf toggle Y is set?
-Emil