1 files changed, 421 insertions, 0 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
new file mode 100644
index 00000000..74ecfcf1
--- /dev/null
+++ b/scripts/pacman-key.sh.in
@@ -0,0 +1,421 @@
+#!/bin/bash -e
+#
+#   pacman-key - manages pacman's keyring
+#                Based on apt-key, from Debian
+#   @configure_input@
+#
+#   Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# gettext initialization
+export TEXTDOMAIN='pacman-scripts'
+export TEXTDOMAINDIR='@localedir@'
+
+myver="@PACKAGE_VERSION@"
+
+# Options
+ADD=0
+DELETE=0
+EDITKEY=0
+EXPORT=0
+FINGER=0
+IMPORT=0
+IMPORT_TRUSTDB=0
+INIT=0
+LISTKEYS=0
+LISTSIGS=0
+RECEIVE=0
+RELOAD=0
+UPDATEDB=0
+VERIFY=0
+
+m4_include(library/output_format.sh)
+
+m4_include(library/parse_options.sh)
+
+usage() {
+	printf "pacman-key (pacman) %s\n" ${myver}
+	echo
+	printf "$(gettext "Usage: %s [options]")\n" $(basename $0)
+	echo
+	printf "$(gettext "Manage pacman\'s list of trusted keys")\n"
+	echo
+	echo "$(gettext "Options:")"
+	echo "$(gettext "  -a, --add [<file(s)>]     Add the specified keys (empty for stdin)")"
+	echo "$(gettext "  -d, --delete <keyid(s)>   Remove the specified keyids")"
+	echo "$(gettext "  -e, --export [<keyid(s)>] Export the specified or all keyids")"
+	echo "$(gettext "  -f, --finger [<keyid(s)>] List fingerprint for specified or all keyids")"
+	echo "$(gettext "  -h, --help                Show this help message and exit")"
+	echo "$(gettext "  -l, --list-keys [<keyid(s)>] List the specified or all keys")"
+	echo "$(gettext "  -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")"
+	echo "$(gettext "  -u, --updatedb            Update the trustdb of pacman")"
+	echo "$(gettext "  -v, --verify <signature>  Verify the file specified by the signature")"
+	echo "$(gettext "  -V, --version             Show program version")"
+	printf "$(gettext "  --config <file>           Use an alternate config file (instead of\n\
+                            '%s')")\n" "@sysconfdir@/pacman.conf"
+	echo "$(gettext "  --edit-key <keyid(s)>     Present a menu for key management task on keyids")"
+	printf "$(gettext "  --gpgdir <dir>            Set an alternate directory for GnuPG (instead\n\
+                            of '%s')")\n" "@sysconfdir@/pacman.d/gnupg"
+	echo "$(gettext "  --import <dir(s)>         Imports pubring.gpg and trustdb.gpg from dir(s)")"
+	echo "$(gettext "  --import-trustdb <dir(s)> Imports ownertrust values from trustdb.gpg in dir(s)")"
+	echo "$(gettext "  --init                    Ensure the keyring is properly initialized")"
+	echo "$(gettext "  --list-sigs [<keyid(s)>]  List keys and their signatures")"
+	echo "$(gettext "  --reload                  Reload the default keys")"
+}
+
+version() {
+	printf "pacman-key (pacman) %s\n" "${myver}"
+	printf "$(gettext "\
+Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>.\n\
+This is free software; see the source for copying conditions.\n\
+There is NO WARRANTY, to the extent permitted by law.\n")"
+}
+
+# read the config file "$1" which has key=value pairs, and return the key which
+# matches "$2". the equals sign between pairs may be surrounded by any amount
+# of whitespace.
+get_from() {
+	while IFS='=' read -r key value; do
+		[[ -z $key || ${key:0:1} = '#' ]] && continue
+
+		if [[ ${key%% *} = "$2" && -n ${value##* } ]]; then
+			echo "${value##* }"
+			return 0
+		fi
+	done < "$1"
+	return 1
+}
+
+initialize() {
+	# Check for simple existence rather than for a directory as someone
+	# may want to use a symlink here
+	[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"
+
+	# keyring files
+	[[ -f ${PACMAN_KEYRING_DIR}/pubring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/pubring.gpg
+	[[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/secring.gpg
+	[[ -f ${PACMAN_KEYRING_DIR}/trustdb.gpg ]] || "${GPG_PACMAN[@]}" --update-trustdb
+	chmod 644 ${PACMAN_KEYRING_DIR}/{{pub,sec}ring,trustdb}.gpg
+
+	# gpg.conf
+	[[ -f ${PACMAN_KEYRING_DIR}/gpg.conf ]] || touch  ${PACMAN_KEYRING_DIR}/gpg.conf
+	chmod 644 ${PACMAN_KEYRING_DIR}/gpg.conf
+	if ! grep -w -q "lock-never" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
+		echo "lock-never" >> ${PACMAN_KEYRING_DIR}/gpg.conf
+	fi
+}
+
+check_keyring() {
+	if [[ ! -r ${PACMAN_KEYRING_DIR}/pubring.gpg || \
+			! -r ${PACMAN_KEYRING_DIR}/secring.gpg || \
+			! -r ${PACMAN_KEYRING_DIR}/trustdb.gpg ]]; then
+		error "$(gettext "You do not have sufficient permissions to read the %s keyring...")" "pacman"
+		msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
+		exit 1
+	fi
+
+	if (( (EXPORT || FINGER || LIST || VERIFY) && EUID != 0 )); then
+		if ! grep -w -q "lock-never" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
+			error "$(gettext "You do not have sufficient permissions to run this command...")"
+			msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
+			exit 1
+		fi
+	fi
+
+}
+
+verify_keyring_input() {
+	local ret=0;
+
+	# Verify signatures of related files, if they exist
+	if [[ -r "${ADDED_KEYS}" ]]; then
+		msg "$(gettext "Verifying official keys file signature...")"
+		if ! "${GPG_PACMAN[@]}" --verify "${ADDED_KEYS}.sig" &>/dev/null; then
+			error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}"
+			ret=1
+		fi
+	fi
+
+	if [[ -r "${DEPRECATED_KEYS}" ]]; then
+		msg "$(gettext "Verifying deprecated keys file signature...")"
+		if ! "${GPG_PACMAN[@]}" --verify "${DEPRECATED_KEYS}.sig" &>/dev/null; then
+			error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}"
+			ret=1
+		fi
+	fi
+
+	if [[ -r "${REMOVED_KEYS}" ]]; then
+		msg "$(gettext "Verifying deleted keys file signature...")"
+		if ! "${GPG_PACMAN[@]}" --verify "${REMOVED_KEYS}.sig" &>/dev/null; then
+			error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}"
+			ret=1
+		fi
+	fi
+
+	return $ret
+}
+
+reload_keyring() {
+	local PACMAN_SHARE_DIR='@prefix@/share/pacman'
+	local GPG_NOKEYRING=(gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR})
+
+	# Variable used for iterating on keyrings
+	local key
+	local key_id
+
+	# Keyring with keys to be added to the keyring
+	local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
+
+	# Keyring with keys that were deprecated and will eventually be deleted
+	local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg"
+
+	# List of keys removed from the keyring. This file is not a keyring, unlike the others.
+	# It is a textual list of values that gpg recogniezes as identifiers for keys.
+	local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"
+
+	verify_keyring_input || exit 1
+
+	# Read the key ids to an array. The conversion from whatever is inside the file
+	# to key ids is important, because key ids are the only guarantee of identification
+	# for the keys.
+	local -A removed_ids
+	if [[ -r "${REMOVED_KEYS}" ]]; then
+		while read key; do
+			local key_values name
+			key_values="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')"
+			if [[ -n $key_values ]]; then
+				# The first word is the key_id
+				key_id="${key_values%% *}"
+				# the rest if the name of the owner
+				name="${key_values#* }"
+				if [[ -n ${key_id} ]]; then
+					# Mark this key to be deleted
+					removed_ids[$key_id]="$name"
+				fi
+			fi
+		done < "${REMOVED_KEYS}"
+	fi
+
+	# List of keys that must be kept installed, even if in the list of keys to be removed
+	local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")"
+
+	# Remove the keys that must be kept from the set of keys that should be removed
+	if [[ -n ${HOLD_KEYS} ]]; then
+		for key in ${HOLD_KEYS}; do
+			key_id="$("${GPG_PACMAN[@]}" --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
+			if [[ -n "${removed_ids[$key_id]}" ]]; then
+				unset removed_ids[$key_id]
+			fi
+		done
+	fi
+
+	# Add keys from the current set of keys from pacman-keyring package. The web of trust will
+	# be updated automatically.
+	if [[ -r "${ADDED_KEYS}" ]]; then
+		msg "$(gettext "Appending official keys...")"
+		local add_keys="$("${GPG_NOKEYRING[@]}" --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)"
+		for key_id in ${add_keys}; do
+			# There is no point in adding a key that will be deleted right after
+			if [[ -z "${removed_ids[$key_id]}" ]]; then
+				"${GPG_NOKEYRING[@]}" --keyring "${ADDED_KEYS}" --export "${key_id}" | "${GPG_PACMAN[@]}" --import
+			fi
+		done
+	fi
+
+	if [[ -r "${DEPRECATED_KEYS}" ]]; then
+		msg "$(gettext "Appending deprecated keys...")"
+		local add_keys="$("${GPG_NOKEYRING[@]}" --keyring "${DEPRECATED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)"
+		for key_id in ${add_keys}; do
+			# There is no point in adding a key that will be deleted right after
+			if [[ -z "${removed_ids[$key_id]}" ]]; then
+				"${GPG_NOKEYRING[@]}" --keyring "${DEPRECATED_KEYS}" --export "${key_id}" | "${GPG_PACMAN[@]}" --import
+			fi
+		done
+	fi
+
+	# Remove the keys not marked to keep
+	if (( ${#removed_ids[@]} > 0 )); then
+		msg "$(gettext "Removing deleted keys from keyring...")"
+		for key_id in "${!removed_ids[@]}"; do
+			echo "  removing key $key_id - ${removed_ids[$key_id]}"
+			"${GPG_PACMAN[@]}" --quiet --batch --yes --delete-key "${key_id}"
+		done
+	fi
+
+	# Update trustdb, just to be sure
+	msg "$(gettext "Updating trust database...")"
+	"${GPG_PACMAN[@]}" --batch --check-trustdb
+}
+
+receive_keys() {
+	if [[ -z ${KEYIDS[@]} ]]; then
+		error "$(gettext "You need to specify the keyserver and at least one key identifier")"
+		exit 1
+	fi
+	"${GPG_PACMAN[@]}" --keyserver "$KEYSERVER" --recv-keys "${KEYIDS[@]}"
+}
+
+edit_keys() {
+	local errors=0;
+	for key in ${KEYIDS[@]}; do
+		# Verify if the key exists in pacman's keyring
+		if ! "${GPG_PACMAN[@]}" --list-keys "$key" &>/dev/null; then
+			error "$(gettext "The key identified by %s does not exist")" "$key"
+			errors=1;
+		fi
+	done
+	(( errors )) && exit 1;
+
+	for key in ${KEYIDS[@]}; do
+		"${GPG_PACMAN[@]}" --edit-key "$key"
+	done
+}
+
+import_trustdb() {
+	local importdir
+	local trustdb=$(mktemp)
+	"${GPG_PACMAN[@]}" --export-ownertrust > ${trustdb}
+
+	for importdir in "${IMPORT_DIRS[@]}"; do
+		if [[ -f "${importdir}/trustdb.gpg" ]]; then
+			gpg --homedir "${importdir}" --export-ownertrust >> ${trustdb}
+		fi
+	done
+
+	"${GPG_PACMAN[@]}" --import-ownertrust ${trustdb}
+	rm -f ${trustdb}
+}
+
+import() {
+	local importdir
+
+	# Imports public keys, then import trustdbs
+	for importdir in "${IMPORT_DIRS[@]}"; do
+		if [[ -f "${importdir}/pubring.gpg" ]]; then
+			"${GPG_PACMAN[@]}" --quiet --batch --import "${importdir}/pubring.gpg"
+		fi
+	done
+
+	import_trustdb
+}
+
+# PROGRAM START
+if ! type gettext &>/dev/null; then
+	gettext() {
+		echo "$@"
+	}
+fi
+
+OPT_SHORT="a::d:e:f::hl::r:uv:V"
+OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
+OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::,,receive:"
+OPT_LONG+=",reload,updatedb,verify:,version"
+if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
+	echo; usage; exit 1 # E_INVALID_OPTION;
+fi
+eval set -- "$OPT_TEMP"
+unset OPT_SHORT OPT_LONG OPT_TEMP
+
+if [[ $1 == "--" ]]; then
+	usage;
+	exit 0;
+fi
+
+while true; do
+	case "$1" in
+		-a|--add)         ADD=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYFILES=($1) ;;
+		--config)         shift; CONFIG=$1 ;;
+		-d|--delete)      DELETE=1; shift; KEYIDS=($1) ;;
+		--edit-key)       EDITKEY=1; shift; KEYIDS=($1) ;;
+		-e|--export)      EXPORT=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
+		-f|--finger)      FINGER=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
+		--gpgdir)         shift; PACMAN_KEYRING_DIR=$1 ;;
+		--import)         IMPORT=1; shift; IMPORT_DIRS=($1) ;;
+		--import-trustdb) IMPORT_TRUSTDB=1; shift; IMPORT_DIRS=($1) ;;
+		--init)           INIT=1 ;;
+		-l|--list-keys)   LISTKEYS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
+		--list-sigs)      LISTSIGS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
+		-r|--receive)     RECEIVE=1; shift; TMP=($1); KEYSERVER=${TMP[0]}; KEYIDS=(${TMP[@]:1}); unset TMP;;
+		--reload)         RELOAD=1 ;;
+		-u|--updatedb)    UPDATEDB=1 ;;
+		-v|--verify)      VERIFY=1; shift; SIGNATURE=$1 ;;
+
+		-h|--help)        usage; exit 0 ;;
+		-V|--version)     version; exit 0 ;;
+
+		--)               OPT_IND=0; shift; break;;
+		*)                usage; exit 1 ;;
+	esac
+	shift
+done
+
+
+if ! type -p gpg >/dev/null; then
+    error "$(gettext "Cannot find the %s binary required for all %s operations.")" "gpg" "pacman-key"
+	exit 1
+fi
+
+if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
+	error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
+	exit 1
+fi
+
+CONFIG=${CONFIG:-@sysconfdir@/pacman.conf}
+if [[ ! -r "${CONFIG}" ]]; then
+	error "$(gettext "%s configuration file '%s' not found.")" "pacman" "$CONFIG"
+	exit 1
+fi
+
+# if PACMAN_KEYRING_DIR isn't assigned, try to get it from the config
+# file, falling back on a hard default
+PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-$(get_from "$CONFIG" "GPGDir" || echo "@sysconfdir@/pacman.d/gnupg")}
+
+GPG_PACMAN=(gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning)
+
+# check only a single operation has been given
+numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB +
+		INIT + LISTKEYS + LISTSIGS + RECEIVE + RELOAD + UPDATEDB + VERIFY ))
+
+case $numopt in
+	0)
+		error "$(gettext "no operation specified (use -h for help)")"
+		exit 1
+		;;
+	[!1])
+		error "$(gettext "Multiple operations specified")"
+		printf "$(gettext "Please run %s with each operation separately\n")" "pacman-key"
+		exit 1
+		;;
+esac
+
+(( ! INIT )) && check_keyring
+
+(( ADD )) && "${GPG_PACMAN[@]}" --quiet --batch --import "${KEYFILES[@]}"
+(( DELETE )) && "${GPG_PACMAN[@]}" --quiet --batch --delete-key --yes "${KEYIDS[@]}"
+(( EDITKEY )) && edit_keys
+(( EXPORT )) && "${GPG_PACMAN[@]}" --armor --export "${KEYIDS[@]}"
+(( FINGER )) && "${GPG_PACMAN[@]}" --batch --fingerprint "${KEYIDS[@]}"
+(( IMPORT )) && import
+(( IMPORT_TRUSTDB)) && import_trustdb
+(( INIT )) && initialize
+(( LISTKEYS )) && "${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}"
+(( LISTSIGS )) && "${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}"
+(( RECEIVE )) && receive_keys
+(( RELOAD )) && reload_keyring
+(( UPDATEDB )) && "${GPG_PACMAN[@]}" --batch --check-trustdb
+(( VERIFY )) && "${GPG_PACMAN[@]}" --verify $SIGNATURE
+
+# vim: set ts=2 sw=2 noet: