[PATCH] makepkg: add source signing PGP keys to package if available
Allan McRae
allan at archlinux.org
Wed Jun 1 12:02:55 UTC 2022
On 1/6/22 19:35, Emil Velikov wrote:
> On Tuesday, 31 May 2022, Allan McRae <allan at archlinux.org> wrote:
>
> Arch Linux is adding source signing PGP keys to their package source
> tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
> PGP keyserver infrastructure is a mess, this helps other people validate
> sources in a PKGBUILD.
>
> Add the keys to source packages if found alongside the PKGBUILD.
>
> Signed-off-by: Allan McRae <allan at archlinux.org>
> ---
>
> I won't be committing this until the relevant Arch devtools patch is
> accepted so that the keys/pgp/ path is finalised.
>
> scripts/makepkg.sh.in | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 69757d03..bddcbe03 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -705,6 +705,16 @@ create_srcpackage() {
> done
> pkgname=(${pkgname_backup[@]})
>
> + # add a copy of source PGP signing public keys if availabe
> in keys/pgp/<fingerprint>.asc
> + local key
> + for key in ${validpgpkeys[@]}; do
> + if [[ -f keys/pgp/$key.asc ]]; then
> + mkdir -p "${srclinks}/${pkgbase}/keys/pgp/"
> + ln -s "${startdir}/keys/pgp/$key.asc"
> "${srclinks}/${pkgbase}/keys/pgp/"
> + fi
> + done
> +
>
>
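Review bot: the existence test and the link source use different bases: `[[ -f keys/pgp/$key.asc ]]` is resolved against the current working directory, while the `ln -s` source is `"${startdir}/keys/pgp/$key.asc"`, so if create_srcpackage is ever entered with a cwd other than $startdir the check is made against the wrong tree and the symlink can end up dangling. Test the same path you link: `if [[ -f "${startdir}/keys/pgp/$key.asc" ]]; then`. Two smaller points in the same hunk: `for key in ${validpgpkeys[@]}` should be quoted as `"${validpgpkeys[@]}"` to avoid word splitting and globbing, and "availabe" in the comment is a typo. Worth a sentence in the commit message as well: nothing here checks that keys/pgp/$key.asc actually contains a key whose fingerprint is $key, nor that every entry in validpgpkeys has a file; the hunk ships whatever file carries that name, so consumers of the source package still need to verify the fingerprint of the key inside before importing it.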
> Thanks for tackling the topic Allan - here and in devtools.
>
> Would it make sense to error out if any key is missing? Be that now or
> in the mid-to-long run.
devtools will, makepkg will not.
> Perhaps we can mandate it when devtools version X is detected, or as
> makepkg.conf toggle Y is set?
I think this is a distro specific policy and not something to be
enforced at the makepkg end.
Allan
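The thread settles that devtools, not makepkg, will refuse a validpgpkeys entry with no keys/pgp/$fingerprint.asc file. The other thing a consumer of such a source package needs is to confirm that the file named after a fingerprint really holds that key, since the filename is only a label. The following is an added example, not code from pacman, makepkg, devtools or anyone in this thread: it assumes the layout from the commit message (validpgpkeys entries as 40-hex fingerprints, files at keys/pgp/<fingerprint>.asc next to the PKGBUILD), computes the OpenPGP v4 fingerprint itself so it runs without gpg, and reports each entry as ok, missing, mismatched or unparseable. The function names, the sample key (a syntactically valid v4 RSA public-key packet with made-up numbers) and the temporary keys/pgp/ directory built by `demo()` are all constructed for this illustration.

```python
"""Added example, not makepkg, pacman or devtools code: verify a PKGBUILD's keys/pgp/<fingerprint>.asc
files against validpgpkeys by computing OpenPGP v4 fingerprints (RFC 4880) in pure Python, no gpg needed."""
import base64, hashlib, os, tempfile

ARMOR_BEGIN, ARMOR_END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"
PUBLIC_KEY_TAG = 6

def armor(packet: bytes) -> str:
    """Wrap binary packets in a public key block (used here to build the sample file)."""
    b64 = base64.b64encode(packet).decode()
    return "\n".join([ARMOR_BEGIN, ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [ARMOR_END, ""])

def dearmor(text: str) -> bytes:
    """Return the binary packets inside an armored block, skipping armor headers and the '=CRC' line."""
    lines = [l.strip() for l in text.splitlines()]
    if ARMOR_BEGIN not in lines or ARMOR_END not in lines:
        raise ValueError("not an armored public key block")
    inner = lines[lines.index(ARMOR_BEGIN) + 1:lines.index(ARMOR_END)]
    if "" in inner:                                   # a blank line separates armor headers from data
        inner = inner[inner.index("") + 1:]
    return base64.b64decode("".join(l for l in inner if not l.startswith("=")), validate=True)

def packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("malformed packet header")
        if ctb & 0x40:                                # new format: tag in low 6 bits, 1/2/5-byte length
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                n, length = 1, first
            elif first < 224:
                n, length = 2, ((first - 192) << 8) + data[i + 2] + 192
            elif first == 255:
                n, length = 5, int.from_bytes(data[i + 2:i + 6], "big")
            else:
                raise ValueError("partial body lengths not supported")
        else:                                         # old format: tag in bits 2-5, 1/2/4-byte length
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        body = data[i + 1 + n:i + 1 + n + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        i += 1 + n + length

def fingerprint_of_armored_key(text: str) -> str:
    """Uppercase hex v4 fingerprint of the primary key: SHA-1 over 0x99, a 2-byte length and the body."""
    for tag, body in packets(dearmor(text)):
        if tag == PUBLIC_KEY_TAG:
            if body[0] != 4:
                raise ValueError(f"unsupported key version {body[0]}")
            return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
    raise ValueError("no public-key packet found")

def check_source_keys(validpgpkeys, keydir="keys/pgp"):
    """The patch's loop plus the two checks it leaves out: entries with no file, and files whose
    key does not carry the fingerprint used as their name."""
    results = {}
    for fp in validpgpkeys:
        path = os.path.join(keydir, f"{fp}.asc")
        if not os.path.isfile(path):
            results[fp] = "missing"
            continue
        try:
            with open(path, encoding="ascii") as f:
                actual = fingerprint_of_armored_key(f.read())
        except ValueError as e:                        # bad armor, bad base64, odd packet, v3 key
            results[fp] = f"unparseable: {e}"
            continue
        results[fp] = "ok" if actual == fp.upper() else f"mismatch: file holds {actual}"
    return results

def constructed_sample_key() -> bytes:
    """A well-formed v4 RSA public-key packet with made-up MPIs, constructed for this example; not a
    usable key. Its header 0x99 (old format, tag 6, 2-byte length) is the same prefix the hash uses."""
    def mpi(x: int) -> bytes:
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + (1654084975).to_bytes(4, "big") + b"\x01" + mpi((1 << 2047) | 0xC0FFEE) + mpi(65537)
    return b"\x99" + len(body).to_bytes(2, "big") + body

def demo():
    """keys/pgp/ in a temp dir: one correctly named file, one misnamed copy, one key with no file."""
    armored = armor(constructed_sample_key())
    fp = fingerprint_of_armored_key(armored)
    misnamed, absent = "0" * 40, "F" * 40
    with tempfile.TemporaryDirectory() as tmp:
        keydir = os.path.join(tmp, "keys", "pgp")
        os.makedirs(keydir)
        for name in (fp, misnamed):
            with open(os.path.join(keydir, f"{name}.asc"), "w") as f:
                f.write(armored)
        return fp, check_source_keys([fp, misnamed, absent], keydir)
```

Run `demo()` to see the three outcomes side by side; against a real checkout, call `check_source_keys(validpgpkeys, "keys/pgp")` from the PKGBUILD's directory. Treating "mismatch" as fatal is the check the makepkg patch deliberately does not make; whether "missing" is fatal is the distro policy question Allan leaves to devtools.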