Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
Diffstat (limited to 'bin/nit-picker')
-rwxr-xr-xbin/nit-picker58
1 files changed, 57 insertions, 1 deletions
diff --git a/bin/nit-picker b/bin/nit-picker
index 2b92b84..0094a01 100755
--- a/bin/nit-picker
+++ b/bin/nit-picker
@@ -148,6 +148,21 @@ while pgrep -x ii >/dev/null \
printf ';\n'
if "${do_once_a_day_checks}"; then
+ printf 'SELECT DISTINCT'
+ printf ' "keyring",'
+ mysql_package_name_query
+ printf ' FROM `binary_packages`'
+ mysql_join_binary_packages_architectures
+ printf ' LEFT'
+ mysql_join_binary_packages_compressions
+ mysql_join_binary_packages_binary_packages_in_repositories
+ mysql_join_binary_packages_in_repositories_repositories
+ printf ' WHERE `repositories`.`is_on_master_mirror`'
+ printf ' AND `binary_packages`.`pkgname` IN ('
+ printf '"archlinux32-keyring",'
+ printf '"archlinux32-keyring-transition"'
+ printf ');\n'
+
printf 'SELECT'
printf ' "build-duration",'
printf '`build_slaves`.`name`'
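Review bot: The new query has no comment saying what it produces, and its only link to the code that consumes it is the literal `"keyring"` in the first column. I would add a line above `printf 'SELECT DISTINCT'` such as `# once a day: emit one "keyring" row per keyring package on the master mirror (handled by the 'keyring' action)`. The bare `printf ' LEFT'` is only correct if `mysql_join_binary_packages_compressions` prints text that begins with ` JOIN`; that helper is not visible here, so a short remark on the dependency would help the next reader. The surrounding `if` and loop continue outside the hunk.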
@@ -322,7 +337,6 @@ while pgrep -x ii >/dev/null \
"${tmp_dir}/pkg-deps"
;;
'binary-signature')
-# TODO: check signature against keyring from package, not against installed keyring
if ! ${master_mirror_rsync_command} \
"${master_mirror_rsync_directory}/pool/${parameters}" \
"${master_mirror_rsync_directory}/pool/${parameters}.sig" \
@@ -450,6 +464,48 @@ while pgrep -x ii >/dev/null \
sleep 60
fi
;;
+ 'keyring')
+ if ! ${master_mirror_rsync_command} \
+ "${master_mirror_rsync_directory}/pool/${parameters}" \
+ "${tmp_dir}/"; then
+ rm -f "${tmp_dir}/${parameters}"
+ continue
+ fi
+ mkdir "${tmp_dir}/pkg" "${tmp_dir}/gpg-home"
+ bsdtar -C "${tmp_dir}/pkg" -xf "${tmp_dir}/${parameters}" --strip-components=4 'usr/share/pacman/keyrings'
+
+ gpg --no-permission-warning --quiet --homedir "${tmp_dir}/gpg-home" --import \
+ < "${tmp_dir}/pkg/archlinux32.gpg"
+ cut -d: -f1 "${tmp_dir}/pkg/archlinux32-trusted" \
+ | while read -r gpg_key; do
+ gpg --no-permission-warning --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+ | grep '^pub:\|^sub:' \
+ | cut -d: -f7 \
+ | grep -vxF '' \
+ | sort -u \
+ | while read -r expiration; do
+ expiration_days=$(((expiration - $(date +%s))/24/60/60))
+ if [ ${expiration_days} -lt 100 ]; then
+ printf 'key %s (from %s) in package %s expires on %s (in %s < 100 days).\n' \
+ "${gpg_key}" \
+ "$(
+ gpg --batch --homedir "${tmp_dir}/gpg-home" --with-colons --list-keys "0x${gpg_key}" \
+ 2>/dev/null \
+ | grep '^\(uid\):' \
+ | cut -d: -f10
+ )" \
+ "${parameters}" \
+ "$(date -I -d@"${expiration}")" \
+ "${expiration_days}" \
+ | local_irc_say
+ fi
+ done
+ done
+
+ rm "${tmp_dir}/${parameters}"
+ rm -rf --one-file-system "${tmp_dir}/gpg-home" "${tmp_dir}/pkg"
+ :
+ ;;
*)
>&2 printf 'action "%s" is not yet implemented ...\n' "${action}"
;;
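Review bot: In the `'keyring')` branch only the rsync call is checked; `mkdir`, `bsdtar` and `gpg --import` can each fail without any report, after which the pipeline yields no keys and a broken check looks exactly like "no key expires soon". For an expiry monitor that is a fail-open result, so I would guard the extraction and the import and report the failure, for example `bsdtar -C "${tmp_dir}/pkg" -xf "${tmp_dir}/${parameters}" --strip-components=4 'usr/share/pacman/keyrings' || >&2 printf 'cannot extract keyring from %s\n' "${parameters}"`. The `uid` text passed to `local_irc_say` comes from a package whose signature is not verified in this branch, so it may be worth reducing it to printable characters before it reaches the channel. `[ ${expiration_days} -lt 100 ]` should quote the expansion: `[ "${expiration_days}" -lt 100 ]`. The enclosing `case` and `while` loop start outside the hunk.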