authorAllan McRae <allan@archlinux.org>2022-03-29 19:36:16 +1000
committerLevente Polyak <anthraxx@archlinux.org>2022-06-09 20:41:18 +0200
commitd00a28ea0ed981d47634504c3eb67c5b8870bc62 (patch)
tree9109795ee372700d48450a2c49ba3e1501511f77
parent5e98478344fbdecd5f07eb92ef92ee43bc66e1a9 (diff)
Export source PGPs from PKGBUILD on commit
Provide a tool to export the keys listed in the PKGBUILD's validpgpkeys to keys/pgp/$fingerprint.asc. The presence of the "keys" directory alongside the PKGBUILD in trunk/ is tested during commitpkg. If the directory is absent, keys are exported and added to the commit. If the directory is present, a check is made to ensure all valid PGP keys are provided. Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
-rw-r--r--.gitignore1
-rw-r--r--Makefile2
-rw-r--r--commitpkg.in18
-rw-r--r--doc/export-pkgbuild-keys.asciidoc25
-rw-r--r--export-pkgbuild-keys.in68
5 files changed, 114 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index 66e2213..c661fc5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@ bash_completion
checkpkg
commitpkg
diffpkg
+export-pkgbuild-keys
finddeps
lddd
makechrootpkg
diff --git a/Makefile b/Makefile
index 69eabe9..40abda9 100644
--- a/Makefile
+++ b/Makefile
@@ -13,6 +13,7 @@ IN_PROGS = \
commitpkg \
crossrepomove\
diffpkg \
+ export-pkgbuild-keys \
finddeps \
find-libdeps \
lddd \
@@ -74,6 +75,7 @@ BASHCOMPLETION_LINKS = \
MANS = \
doc/archbuild.1 \
doc/arch-nspawn.1 \
+ doc/export-pkgbuild-keys.1 \
doc/makechrootpkg.1 \
doc/lddd.1 \
doc/checkpkg.1 \
diff --git a/commitpkg.in b/commitpkg.in
index 928e638..e0da32d 100644
--- a/commitpkg.in
+++ b/commitpkg.in
@@ -48,6 +48,21 @@ case "$cmd" in
;;
esac
+
+if (( ${#validpgpkeys[@]} != 0 )); then
+ if [[ -d keys ]]; then
+ for key in "${validpgpkeys[@]}"; do
+ if [[ ! -f keys/pgp/$key.asc ]]; then
+ export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
+ fi
+ done
+ else
+ export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
+ fi
+
+ svn add --parents --force keys/pgp/*
+fi
+
# find files which should be under source control
needsversioning=()
for s in "${source[@]}"; do
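Review bot: The loop under `if [[ -d keys ]]` calls export-pkgbuild-keys once for every key file that is missing, although a single run exports every validpgpkeys entry; adding `break` after the call (`export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'; break`) avoids the repeated exports. The following `svn add --parents --force keys/pgp/*` has no status check, so a failed add is silently ignored until the later needsversioning assertion; `|| die 'Failed to add exported PGP keys'` makes the failure point explicit. The presence check only tests that a file exists per key, and the export tool in this same commit keeps an existing file when the key cannot be refreshed from the keyring, so a stale copy can still be committed — a short comment here would make that accepted behaviour visible. The top-level code of commitpkg.in, including where validpgpkeys is populated, begins before this hunk.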
@@ -60,6 +75,9 @@ for i in 'changelog' 'install'; do
needsversioning+=("$file")
done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD)
done
+for key in "${validpgpkeys[@]}"; do
+ needsversioning+=("keys/pgp/$key.asc")
+done
# assert that they really are controlled by SVN
if (( ${#needsversioning[*]} )); then
diff --git a/doc/export-pkgbuild-keys.asciidoc b/doc/export-pkgbuild-keys.asciidoc
new file mode 100644
index 0000000..9c47515
--- /dev/null
+++ b/doc/export-pkgbuild-keys.asciidoc
@@ -0,0 +1,25 @@
+export-pkgbuild-keys(1)
+=======================
+
+Name
+----
+export-pkgbuild-keys - Export valid source signing keys from a PKGBUILD
+
+Synopsis
+--------
+export-pkgbuild-keys
+
+Description
+-----------
+
+Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
+subdirectory. Useful for distributing packager validated source signing
+keys alongside PKGBUILDs.
+
+Options
+-------
+
+*-h, --help*::
+ Show a help text.
+
+include::footer.asciidoc[]
diff --git a/export-pkgbuild-keys.in b/export-pkgbuild-keys.in
new file mode 100644
index 0000000..f392f4c
--- /dev/null
+++ b/export-pkgbuild-keys.in
@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+m4_include(lib/common.sh)
+
+usage() {
+ cat <<- _EOF_
+ Usage: ${BASH_SOURCE[0]##*/}
+
+ Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
+ subdirectory. Useful for distributing packager validated source signing
+ keys alongside PKGBUILDs.
+
+ OPTIONS
+ -h, --help Show this help text
+_EOF_
+}
+
+# option checking
+while (( $# )); do
+ case $1 in
+ -h|--help)
+ usage
+ exit 0
+ ;;
+ *)
+ die "invalid argument: %s" "$1"
+ ;;
+ esac
+done
+
+if [[ ! -f PKGBUILD ]]; then
+ die "This must be run a directory containing a PKGBUILD."
+fi
+
+mapfile -t validpgpkeys < <(
+ # shellcheck source=PKGBUILD.proto
+ . ./PKGBUILD
+ printf "%s\n" "${validpgpkeys[@]}"
+)
+
+if (( ${#validpgpkeys[@]} == 0 )); then
+ exit 0
+fi
+
+mkdir -p keys/pgp
+error=0
+
+for key in "${validpgpkeys[@]}"; do
+ gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null
+
+ # gpg does not give a non-zero return value if it fails to export...
+ if [[ -f keys/pgp/$key.asc.tmp ]]; then
+ mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc"
+ else
+ if [[ -f keys/pgp/$key.asc ]]; then
+ warning "Failed to update key: $key"
+ else
+ error "Key unavailable: $key"
+ error=1
+ fi
+ fi
+done
+
+if (( error )); then
+ die "Failed to export all \'validpgpkeys\' entries."
+fi
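Review bot: The early exit at `if (( ${#validpgpkeys[@]} == 0 ))` never fires for a PKGBUILD without validpgpkeys, because `printf "%s\n"` with no arguments still prints one newline and mapfile turns it into a single empty element; gpg is then invoked with an empty key selector and `--output keys/pgp/.asc.tmp`, which presumably exports far more than intended. Guard the print inside the subshell: `if (( ${#validpgpkeys[@]} )); then printf "%s\n" "${validpgpkeys[@]}"; fi`. Each entry is also used unchecked both as a path component and as the gpg key selector, so a short key ID or an entry containing `/` or a leading `-` is passed straight through; `[[ $key =~ ^[[:xdigit:]]{40}$ ]] || die "Invalid fingerprint in validpgpkeys: %s" "$key"` at the top of the loop restricts it to full fingerprints, which is also what gpg needs for an unambiguous match. In the final die message, `\'` inside double quotes is a literal backslash followed by a quote — `'validpgpkeys'` needs no escaping there, and whether the backslash is printed depends on how die formats its message.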