
Wieland Hoffmann 06-23-2011 07:36 AM

Add support for verifying pgp signatures to makepkg
 
Hi,

this adds support for verifying pgp signatures provided by upstream to
makepkg. A new array pgpsigs is defined holding the URLs to all the
signature files.

However, there're still a few quirks:

* You have to manually import the key which signed the source. Actually
that's good, but:

* You don't know why the verification failed: it is either a wrong
signature, or the key is simply not known to gnupg. This is really
bad, so I've chosen to make pgp verification optional for now; makepkg
--pgp enables it.

Wieland Hoffmann (2):
Add support for verifying pgp signatures to makepkg
And update the manpages accordingly

doc/PKGBUILD.5.txt | 5 ++++
doc/makepkg.8.txt | 3 ++
scripts/makepkg.sh.in | 52 +++++++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 58 insertions(+), 2 deletions(-)

--
1.7.5.4

Wieland Hoffmann 06-23-2011 07:36 AM

Add support for verifying pgp signatures to makepkg
 
---
scripts/makepkg.sh.in | 52 +++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 78cd4cf..cc4f152 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -516,7 +516,7 @@ download_sources() {
pushd "$SRCDEST" &>/dev/null

local netfile
- for netfile in "${source[@]}"; do
+ for netfile in "${source[@]}" "${pgpsigs[@]}"; do
local file=$(get_filepath "$netfile" || true)
if [[ -n "$file" ]]; then
msg2 "$(gettext "Found %s")" "${file##*/}"
@@ -680,6 +680,49 @@ check_checksums() {
fi
}

+check_pgpsigs() {
+ (( ! ${#source[@]} )) && return 0
+ (( ! ${#pgpsigs[@]})) && return 0
+
+ if ! type -p gpg >/dev/null; then
+ error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+ exit 1 # $E_MISSING_PROGRAM
+ fi
+
+ msg "$(gettext "Validating source files with gpg...")"
+
+ local file
+ local errors=0
+
+ for file in "${pgpsigs[@]}"; do
+ local valid
+ local found=1
+
+ file="$(get_filename "$file")"
+ echo -n " ${file%.sig} ... " >&2
+
+ if ! file="$(get_filepath "$file")"; then
+ echo "$(gettext "NOT FOUND")" >&2
+ errors=1
+ found=0
+ fi
+
+ if (( found )); then
+ if ! gpg --quiet --batch --verify "$file" 2> /dev/null; then
+ echo "$(gettext "Verification failed")" >&2
+ errors=1
+ else
+ echo $(gettext "Verified") >&2
+ fi
+ fi
+ done
+
+ if (( errors )); then
+ error "$(gettext "One or more pgp signatures could not be verified!")"
+ exit 1
+ fi
+}
+
extract_sources() {
msg "$(gettext "Extracting Sources...")"
local netfile
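Review bot: The success branch after `gpg --quiet --batch --verify "$file"` treats any exit status 0 as a verified source, but gpg exits 0 for a good signature from any key present in the keyring regardless of its trust level, and a non-zero status conflates a bad signature with a key that is simply not imported — the very ambiguity the cover letter gives as the reason for making `--pgp` opt-in. Reading the machine-readable `--status-fd 1` output instead lets the loop distinguish `NO_PUBKEY` from `BADSIG`, require a `VALIDSIG` line, and, if the project wants it, also inspect the `TRUST_*` line so an untrusted key is reported rather than accepted. The `echo $(gettext "Verified") >&2` line is also the only unquoted substitution in the loop; it should read `echo "$(gettext "Verified")" >&2` like its siblings. check_pgpsigs is contained entirely in this hunk.
```shell
    # … unchanged: get_filename / get_filepath lookup, NOT FOUND handling …
    if (( found )); then
      local status
      # Exit status alone cannot separate "bad signature" from "key not in
      # keyring", nor convey key trust; the status lines can.
      status="$(gpg --quiet --batch --status-fd 1 --verify "$file" 2>/dev/null)"
      if grep -q '^\[GNUPG:\] NO_PUBKEY' <<<"$status"; then
        echo "$(gettext "Unknown public key")" >&2
        errors=1
      elif ! grep -q '^\[GNUPG:\] VALIDSIG' <<<"$status"; then
        echo "$(gettext "Verification failed")" >&2
        errors=1
      else
        echo "$(gettext "Verified")" >&2
      fi
    fi
    # … unchanged: end of loop and final error report …
```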
@@ -1614,6 +1657,7 @@ usage() {
echo "$(gettext " --key <key> Specify a key to use for gpg signing instead of the default")"
printf "$(gettext " --nocheck Do not run the check() function in the %s")
" "$BUILDSCRIPT"
echo "$(gettext " --nosign Do not create a signature for the package")"
+ echo "$(gettext " --pgp Enable verification of source files with pgp signatures")"
echo "$(gettext " --pkg <list> Only build listed packages from a split package")"
echo "$(gettext " --sign Sign the resulting package with gpg")"
echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")"
@@ -1651,7 +1695,7 @@ ARGLIST=("$@")
# Parse Command Line Options.
OPT_SHORT="AcCdefFghiLmop:rRsV"
OPT_LONG="allsource,asroot,ignorearch,check,clean, cleancache,nodeps"
-OPT_LONG+=",noextract,force,forcever:,geninteg,hel p,holdver"
+OPT_LONG+=",noextract,force,forcever:,geninteg,he lp,holdver,pgp"
OPT_LONG+=",install,key:,log,nocolor,nobuild,noche ck,nosign,pkg:,rmdeps"
OPT_LONG+=",repackage,skipinteg,sign,source,syncde ps,version,config:"
# Pacman Options
@@ -1694,6 +1738,7 @@ while true; do
--nosign) SIGNPKG='n' ;;
-o|--nobuild) NOBUILD=1 ;;
-p) shift; BUILDFILE=$1 ;;
+ --pgp) PGPSIGS=1;;
--pkg) shift; PKGLIST=($1) ;;
-r|--rmdeps) RMDEPS=1 ;;
-R|--repackage) REPKG=1 ;;
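Review bot: `--pgp) PGPSIGS=1;;` drops the space before `;;` that every neighbouring arm uses (`NOBUILD=1 ;;`, `RMDEPS=1 ;;`); write it as `--pgp) PGPSIGS=1 ;;`. The variable is also not visibly initialised anywhere in the series; `(( PGPSIGS ))` tolerates an unset name, but an explicit `PGPSIGS=0` alongside the other option defaults (outside this hunk, presumably where the rest of the flags get their defaults) would make the opt-in default explicit. The enclosing `while true; do` loop starts before this hunk.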
@@ -2129,6 +2174,9 @@ else
download_sources
if (( ! SKIPINTEG )); then
check_checksums
+ if (( PGPSIGS )); then
+ check_pgpsigs
+ fi
else
warning "$(gettext "Skipping integrity checks.")"
fi
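Review bot: When the PKGBUILD defines `pgpsigs` but `--pgp` is not passed, the new branch downloads the signature files (first hunk) and then silently never checks them, whereas the sibling `SKIPINTEG` path at least prints `Skipping integrity checks.`. Making the skipped step visible keeps the weaker mode auditable in build logs: `if (( PGPSIGS )); then check_pgpsigs; elif (( ${#pgpsigs[@]} )); then warning "$(gettext "Skipping pgp signature verification.")"; fi`. The enclosing `else` branch starts before this hunk.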
--
1.7.5.4

