diff options
| author | Denis A. AltoƩ Falqueto <denisfalqueto@gmail.com> | 2011-03-26 12:06:06 +1000 |
|---|---|---|
| committer | Dan McGee <dan@archlinux.org> | 2011-03-28 09:03:28 -0500 |
| commit | e8069cfc3def97f564f5e4a4301e43de2a6a9b67 (patch) | |
| tree | 1c3da8d6952ca27d98049c461251a8cbceac2c93 | |
| parent | 4ef664f485559b0764271184a5305808b1a2e911 (diff) | |
| download | pacman-e8069cfc3def97f564f5e4a4301e43de2a6a9b67.tar.gz pacman-e8069cfc3def97f564f5e4a4301e43de2a6a9b67.zip | |
makepkg: command line options for signing packages
Three new command line options were added:
--sign: forces the generation of a signature for the resulting package,
taking precedence over the value in makepkg.conf
--nosign: do not sign the resulting package
--key <key>: use a different key than the user's default for signing
the package.
A check is performed to ensure the user has (provided) a valid gpg key
for signing.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
| -rw-r--r-- | scripts/makepkg.sh.in | 41 |
1 files changed, 36 insertions, 5 deletions
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 143d48fc..15cb1844 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -28,7 +28,7 @@ # makepkg uses quite a few external programs during its execution. You # need to have at least the following installed for makepkg to function: # awk, bsdtar (libarchive), bzip2, coreutils, fakeroot, file, find (findutils), -# gettext, grep, gzip, openssl, sed, tput (ncurses), xz +# gettext, gpg, grep, gzip, openssl, sed, tput (ncurses), xz # gettext initialization export TEXTDOMAIN='pacman' @@ -75,6 +75,7 @@ CHECKFUNC=0 PKGFUNC=0 SPLITPKG=0 PKGLIST=() +SIGNPKG='' # Forces the pkgver of the current PKGBUILD. Used by the fakeroot call # when dealing with svn/cvs/etc PKGBUILDs. @@ -1106,7 +1107,7 @@ create_package() { } create_signature() { - if [[ $(check_buildenv sign) != "y" ]]; then + if [[ $SIGNPKG != 'y' ]]; then return fi local ret=0 @@ -1116,7 +1117,15 @@ create_signature() { error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")" exit 1 # $E_MISSING_PROGRAM fi - gpg --detach-sign --use-agent "$filename" || ret=$? + + local SIGNWITHKEY="" + if [[ -n $SIGNKEY ]]; then + SIGNWITHKEY="-u ${SIGNKEY}" + fi + # The signature will be generated directly in ascii-friendly format + gpg --detach-sign --use-agent ${SIGNWITHKEY} "$filename" &>/dev/null || ret=$? + + if (( ! ret )); then msg2 "$(gettext "Created signature file %s.")" "$filename.sig" else @@ -1615,8 +1624,11 @@ usage() { printf "$(gettext " --check Run the check() function in the %s")\n" "$BUILDSCRIPT" printf "$(gettext " --config <file> Use an alternate config file (instead of '%s')")\n" "$confdir/makepkg.conf" printf "$(gettext " --holdver Prevent automatic version bumping for development %ss")\n" "$BUILDSCRIPT" + echo "$(gettext " --key <key> Specify a key to use for gpg signing instead of the default")" printf "$(gettext " --nocheck Do not run the check() function in the %s")\n" "$BUILDSCRIPT" + echo "$(gettext " --nosign Do not create a signature for the package")" echo "$(gettext " --pkg <list> Only build listed packages from a split package")" + echo "$(gettext " --sign Sign the resulting package with gpg")" echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")" echo "$(gettext " --source Generate a source-only tarball without downloaded sources")" echo @@ -1653,8 +1665,8 @@ ARGLIST=("$@") OPT_SHORT="AcCdefFghiLmop:rRsV" OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps" OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver" -OPT_LONG+=",install,log,nocolor,nobuild,nocheck,pkg:,rmdeps" -OPT_LONG+=",repackage,skipinteg,source,syncdeps,version,config:" +OPT_LONG+=",install,key:,log,nocolor,nobuild,nocheck,nosign,pkg:,rmdeps" +OPT_LONG+=",repackage,skipinteg,sign,source,syncdeps,version,config:" # Pacman Options OPT_LONG+=",noconfirm,noprogressbar" OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@" || echo 'PARSE_OPTIONS FAILED')" @@ -1688,15 +1700,18 @@ while true; do -g|--geninteg) GENINTEG=1 ;; --holdver) HOLDVER=1 ;; -i|--install) INSTALL=1 ;; + --key) shift; SIGNKEY=$1 ;; -L|--log) LOGGING=1 ;; -m|--nocolor) USE_COLOR='n' ;; --nocheck) RUN_CHECK='n' ;; + --nosign) SIGNPKG='n' ;; -o|--nobuild) NOBUILD=1 ;; -p) shift; BUILDFILE=$1 ;; --pkg) shift; PKGLIST=($1) ;; -r|--rmdeps) RMDEPS=1 ;; -R|--repackage) REPKG=1 ;; --skipinteg) SKIPINTEG=1 ;; + --sign) SIGNPKG='y' ;; --source) SOURCEONLY=1 ;; -s|--syncdeps) DEP_BIN=1 ;; @@ -1931,6 +1946,22 @@ if [[ -n "${PKGLIST[@]}" ]]; then pkgname=("${PKGLIST[@]}") fi +# check if gpg signature is to be created and if signing key is valid +if [[ -z "$SIGNPKG" && $(check_buildenv sign) == 'y' ]]; then + SIGNPKG='y' +fi +if [[ $SIGNPKG == 'y' ]]; then + if ! gpg --list-key ${SIGNKEY} &>/dev/null; then + if [[ ! -z $SIGNKEY ]]; then + error "$(gettext "The key ${SIGNKEY} does not exist in your keyring.")" + else + error "$(gettext "There is no key in your keyring.")" + fi + exit 1 + fi +fi + + if (( ! SPLITPKG )); then fullver=$(get_full_version $epoch $pkgver $pkgrel) if [[ -f $PKGDEST/${pkgname}-${fullver}-${CARCH}${PKGEXT} \ |