[PATCH] makepkg: add source signing PGP keys to package if available

Allan McRae allan at archlinux.org
Tue May 31 09:40:36 UTC 2022

Arch Linux is adding source signing PGP keys to their package source
tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
PGP keyserver infrastructure is a mess, this helps other people validate
sources in a PKGBUILD.

Add the keys to source packages if found alongside the PKGBUILD.

Signed-off-by: Allan McRae <allan at archlinux.org>

I won't be committing this until the relevant Arch devtools patch is
accepted so that the keys/pgp/ path is finalised.

 scripts/makepkg.sh.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 69757d03..bddcbe03 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -705,6 +705,16 @@ create_srcpackage() {
+	# add a copy of source PGP signing public keys if availabe in keys/pgp/<fingerprint>.asc
+	local key
+	for key in ${validpgpkeys[@]}; do
+		if [[ -f keys/pgp/$key.asc ]]; then
+			mkdir -p "${srclinks}/${pkgbase}/keys/pgp/"
+			ln -s "${startdir}/keys/pgp/$key.asc" "${srclinks}/${pkgbase}/keys/pgp/"
+		fi
+	done
 	local fullver=$(get_full_version)
 	local pkg_file="$SRCPKGDEST/${pkgbase}-${fullver}${SRCEXT}"
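
Review bot: the existence test in the added loop, `[[ -f keys/pgp/$key.asc ]]`, is relative to the current directory, while the `ln -s` two lines later names the target as `${startdir}/keys/pgp/$key.asc`. The two should refer to the same file explicitly, so I would test `"${startdir}/keys/pgp/$key.asc"` as well, rather than rely on the working directory being `$startdir` at this point. The loop also expands `${validpgpkeys[@]}` unquoted; `"${validpgpkeys[@]}"` avoids word splitting and globbing on the entries. Smaller points: the new comment has a typo ("availabe"), and the diffstat touches only scripts/makepkg.sh.in, so the keys/pgp/<fingerprint>.asc convention is not documented anywhere for users; a short mention in the makepkg documentation would help once the path is finalised.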
