From 7963c5d0000a9dc6fe895e0b321cd6f978168c34 Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Fri, 8 Jul 2011 22:30:09 +1000 Subject: pacman-key: update man page Update man page to reflect current options. Also add a description on how to manually interact with the pacman keyring with gpg. Signed-off-by: Allan McRae --- doc/pacman-key.8.txt | 58 +++++++++++++++++++++++++--------------------------- 1 file changed, 28 insertions(+), 30 deletions(-) (limited to 'doc') diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 892f14df..f961bc2e 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt 
@@ -12,65 +12,63 @@ pacman-key - manage pacman's list of trusted keys Synopsis -------- -'pacman-key' [options] [arguments] +'pacman-key' [options] Description ----------- -'pacman-key' is a script used to manage pacman's keyring, which is the collection -of GnuPG keys used to check signed packages. It provides the ability to import -and export keys, fetch keys from keyservers and update the key trust database. +'pacman-key' is a wrapper script for GnuPG used to manage pacman's keyring, which +is the collection of PGP keys used to check signed packages and databases. It +provides the ability to import and export keys, fetch keys from keyservers and +update the key trust database. - -Options -------- -*\--config* :: - Use an alternate config file instead of the +{sysconfdir}/pacman.conf+ - default. - -*\--gpgdir* :: - Set an alternate home directory for GnuPG. If unspecified, the value is - read from +{sysconfdir}/pacman.conf+. +More complex keyring management can be achieved using GnuPG directly combined with +the `--homedir` option pointing at the pacman keyring (located in ++{sysconfdir}/pacman.d/gnupg+ by default). -Commands +Options ------- -*-a, \--add* file ...:: +*-a, \--add* [file(s)]:: Add the key(s) contained in the specified file or files to pacman's keyring. If a key already exists, update it. -*\--adv* param ...:: - Use this option to issue particular GnuPG actions to pacman's keyring. This - option should be used with care as it can modify pacman's trust in - packages' signatures. +*\--config* :: + Use an alternate config file instead of the +{sysconfdir}/pacman.conf+ + default. -*-d, \--del* keyid ...:: - Remove the key(s) identified by the specified keyid or keyids from pacman's +*-d, \--delete* :: + Remove the key(s) identified by the specified keyid(s) from pacman's keyring. -*-e, \--export* [keyid ...]:: - Export key(s) identified by the specified keyid to 'stdout'. If no keyid is - specified, all keys will be exported. 
+*-e, \--export* [keyid(s)]:: + Export key(s) identified by the specified keyid(s) to 'stdout'. If no keyid + is specified, all keys will be exported. + +*\--edit-key * :: + Present a menu for key management task on the specified keyids. Useful for + adjusting a keys trust level. -*-f, \--finger* [keyid ...]:: +*-f, \--finger* [keyid(s)]:: List a fingerprint for each specified keyid, or for all known keys if no keyids are specified. +*\--gpgdir* :: + Set an alternate home directory for GnuPG. If unspecified, the value is + read from +{sysconfdir}/pacman.conf+. + *-h, \--help*:: Output syntax and command line options. *-l, \--list*:: Equivalent to --list-sigs from GnuPG. -*-r, \--receive* keyserver keyid ...:: +*-r, \--receive* :: Fetch the specified keyids from the specified key server URL. *\--reload*:: Reloads the keys from the keyring package. -*-t, \--trust* keyid:: - Set the trust level of the given key. - *-u, \--updatedb*:: Equivalent to \--check-trustdb in GnuPG. -- cgit v1.2.3-70-g09d2 From 0e85c4989b7a7a20978ba0dcc7b56f0f1853b974 Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Sat, 9 Jul 2011 11:41:04 +1000 Subject: pacman-key: add --verify option Signed-off-by: Allan McRae --- doc/pacman-key.8.txt | 5 ++++- scripts/pacman-key.sh.in | 10 +++++++--- 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'doc') diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index f961bc2e..2771ece4 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -72,7 +72,10 @@ Options *-u, \--updatedb*:: Equivalent to \--check-trustdb in GnuPG. -*-v, \--version*:: +* -v, \--verify* :: + Verify the given signature file. + +*-V, \--version*:: Displays the program version. diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 776fc0e9..937dcad5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -36,6 +36,7 @@ LIST=0 RECEIVE=0 RELOAD=0 UPDATEDB=0 +VERIFY=0 m4_include(library/output_format.sh) 
@@ -57,6 +58,7 @@ usage() { echo "$(gettext " -l, --list List keys")" echo "$(gettext " -r, --receive Fetch the specified keyids")" echo "$(gettext " -u, --updatedb Update the trustdb of pacman")" + echo "$(gettext " -v, --verify Verify the file specified by the signature")" echo "$(gettext " -V, --version Show program version")" echo "$(gettext " --config Use an alternate config file")" printf "$(gettext " (instead of '%s')")\n" "@sysconfdir@/pacman.conf" @@ -241,9 +243,9 @@ if ! type gettext &>/dev/null; then } fi -OPT_SHORT="a::d:e:f::hlr:uV" +OPT_SHORT="a::d:e:f::hlr:uv:V" OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:" -OPT_LONG+=",help,list,receive:,reload,updatedb,version" +OPT_LONG+=",help,list,receive:,reload,updatedb,verify:,version" if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then echo; usage; exit 1 # E_INVALID_OPTION; fi @@ -268,6 +270,7 @@ while true; do -r|--receive) RECEIVE=1; shift; KEYSERVER="${1[0]}"; KEYIDS=("${1[@]:1}") ;; --reload) RELOAD=1 ;; -u|--updatedb) UPDATEDB=1 ;; + -v|--verify) VERIFY=1; shift; SIGNATURE=$1 ;; -h|--help) usage; exit 0 ;; -V|--version) version; exit 0 ;; @@ -309,7 +312,7 @@ PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-@sysconfdir@/pacman.d/gnupg} GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning" # check only a single operation has been given -numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + LIST + RECEIVE + RELOAD + UPDATEBD )) +numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY )) if (( ! numopt )); then error "$(gettext "No operations specified")" @@ -334,5 +337,6 @@ fi (( RECEIVE )) && receive_keys (( RELOAD )) && reload_keyring (( UPDATEDB )) && ${GPG_PACMAN} --batch --check-trustdb +(( VERIFY )) && ${GPG_PACMAN} --verify $SIGNATURE # vim: set ts=2 sw=2 noet: -- cgit v1.2.3-70-g09d2 From 0c9e86bab17691bf17c4251b2e16d65f517b88c8 Mon Sep 17 00:00:00 2001 
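Review bot: The rewritten numopt line in the `@@ -309,7 +312,7 @@` hunk still sums `UPDATEBD`, a name nothing in the visible hunks ever assigns (the flag set by `-u|--updatedb` is `UPDATEDB`), so that term is always 0 and a bare `pacman-key --updatedb` falls into the "No operations specified" branch; the added `VERIFY` term is right but the misspelling is carried forward. Change it to `numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + LIST + RECEIVE + RELOAD + UPDATEDB + VERIFY ))`. The same misspelling is re-introduced by the numopt line in the `@@ -304,15 +326,10 @@` hunk of the following --init commit.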
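Review bot: `$SIGNATURE` is expanded unquoted in the new `(( VERIFY )) && ${GPG_PACMAN} --verify $SIGNATURE` line, so a signature path containing whitespace or glob characters is split or expanded before gpg sees it, even though `SIGNATURE=$1` in the option parser preserved it intact; write it as `(( VERIFY )) && ${GPG_PACMAN} --verify "$SIGNATURE"`. Because this is now the last command in the script, gpg's exit status becomes the script's exit status, which is exactly what a caller checking a verification needs, so it is worth pinning with a comment such as `# gpg's exit status is the verification result; keep this last` so a later addition does not mask it.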
From: Allan McRae Date: Sat, 9 Jul 2011 17:26:17 +1000 Subject: pacman-key: add --init option Add an --init option that ensures that the pacman keyring has all the necessary files and they have the correct permissions for being read as a user. Signed-off-by: Allan McRae --- doc/pacman-key.8.txt | 4 ++++ scripts/pacman-key.sh.in | 34 ++++++++++++++++++++++++++-------- 2 files changed, 30 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt index 2771ece4..cf72b83c 100644 --- a/doc/pacman-key.8.txt +++ b/doc/pacman-key.8.txt @@ -60,6 +60,10 @@ Options *-h, \--help*:: Output syntax and command line options. +*--init*:: + Ensure the keyring is properly initialized and has the required access + permissions. + *-l, \--list*:: Equivalent to --list-sigs from GnuPG. diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 79bf41a8..d7129e53 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -32,6 +32,7 @@ DELETE=0 EDITKEY=0 EXPORT=0 FINGER=0 +INIT=0 LIST=0 RECEIVE=0 RELOAD=0 @@ -65,6 +66,7 @@ usage() { echo "$(gettext " --edit-key Present a menu for key management task on keyids")" echo "$(gettext " --gpgdir Set an alternate directory for gnupg")" printf "$(gettext " (instead of '%s')")\n" "@sysconfdir@/pacman.d/gnupg" + echo "$(gettest " --init Ensure the keyring is properly initialized")" echo "$(gettext " --reload Reload the default keys")" } 
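Review bot: The usage line added in the `@@ -65,6 +66,7 @@` hunk calls `gettest` instead of `gettext`, so every `--help` run prints a command-not-found error on stderr and the `--init` entry comes out as an empty line. Change it to `echo "$(gettext " --init Ensure the keyring is properly initialized")"`, matching the surrounding entries.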
@@ -91,6 +93,25 @@ get_from() {
 return 1
 }
 
+initialize() {
+ # Check for simple existence rather than for a directory as someone
+ # may want to use a symlink here
+ [[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"
+
+ # keyring files
+ [[ -f ${PACMAN_KEYRING_DIR}/pubring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/pubring.gpg
+ [[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/secring.gpg
+ [[ -f ${PACMAN_KEYRING_DIR}/trustdb.gpg ]] || ${GPG_PACMAN} --update-trustdb
+ chmod 644 ${PACMAN_KEYRING_DIR}/{{pub,sec}ring,trustdb}.gpg
+
+ # gpg.conf
+ [[ ! -f ${PACMAN_KEYRING_DIR}/gpg.conf ]] || touch ${PACMAN_KEYRING_DIR}/gpg.conf
+ chmod 644 ${PACMAN_KEYRING_DIR}/gpg.conf
+ if ! grep -w -q "lock-never" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
+ echo "lock-never" >> ${PACMAN_KEYRING_DIR}/gpg.conf
+ fi
+}
+
 verify_keyring_input() {
 local ret=0;
 
@@ -247,7 +268,7 @@ fi
 
 OPT_SHORT="a::d:e:f::hlr:uv:V"
 OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
-OPT_LONG+=",help,list,receive:,reload,updatedb,verify:,version"
+OPT_LONG+=",help,init,list,receive:,reload,updatedb,verify:,version"
 if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
 echo; usage; exit 1 # E_INVALID_OPTION;
 fi
@@ -268,6 +289,7 @@ while true; do
 -e|--export) EXPORT=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
 -f|--finger) FINGER=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
 --gpgdir) shift; PACMAN_KEYRING_DIR=$1 ;;
+ --init) INIT=1 ;;
 -l|--list) LIST=1 ;;
 -r|--receive) RECEIVE=1; shift; KEYSERVER="${1[0]}"; KEYIDS=("${1[@]:1}") ;;
 --reload) RELOAD=1 ;;
@@ -289,7 +311,7 @@ if ! type -p gpg >/dev/null; then
 exit 1
 fi
 
-if (( (ADD || DELETE || EDITKEY || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
+if (( (ADD || DELETE || EDITKEY || INIT || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
 error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
 exit 1
 fi
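Review bot: The gpg.conf test in `initialize()` is inverted: `[[ ! -f ${PACMAN_KEYRING_DIR}/gpg.conf ]] || touch …` only touches the file when it already exists, so on a fresh keyring the file is first created by the `echo "lock-never" >>` append, after the `chmod 644` has already run against a missing path, and it ends up with whatever mode the caller's umask allows rather than the user-readable mode this commit sets out to guarantee. Drop the negation: `[[ -f ${PACMAN_KEYRING_DIR}/gpg.conf ]] || touch "${PACMAN_KEYRING_DIR}/gpg.conf"`. Every other use of `${PACMAN_KEYRING_DIR}` in the function (the touch, chmod, grep and redirection lines) is unquoted, unlike the `mkdir` line just above, so a GPGDir value containing whitespace is word-split; quoting them as `"${PACMAN_KEYRING_DIR}"/…` keeps the brace expansion on the chmod line intact. Note also that `chmod 644` covers `secring.gpg`, so any secret key ever imported into this keyring becomes readable by every local user; if secring.gpg is expected to stay empty here, a one-line comment stating that would document the decision.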
@@ -304,15 +326,10 @@ fi # file, falling back on a hard default PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-$(get_from "$CONFIG" "GPGDir" || echo "@sysconfdir@/pacman.d/gnupg")} -# Try to create $PACMAN_KEYRING_DIR if non-existent -# Check for simple existence rather than for a directory as someone may want -# to use a symlink here -[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}" - GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning" # check only a single operation has been given -numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY )) +numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + INIT + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY )) if (( ! numopt )); then error "$(gettext "No operations specified")" @@ -333,6 +350,7 @@ fi (( EDITKEY )) && edit_keys (( EXPORT )) && ${GPG_PACMAN} --armor --export "${KEYIDS[@]}" (( FINGER )) && ${GPG_PACMAN} --batch --fingerprint "${KEYIDS[@]}" +(( INIT )) && initialize (( LIST )) && ${GPG_PACMAN} --batch --list-sigs "${KEYIDS[@]}" (( RECEIVE )) && receive_keys (( RELOAD )) && reload_keyring -- cgit v1.2.3-70-g09d2
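Review bot: With the unconditional `mkdir -p -m 755` removed from this hunk, any operation other than `--init` that runs before the keyring has been initialized now passes gpg a non-existent `--homedir`; as far as I recall gpg then creates the directory itself with owner-only permissions, which would leave the keyring unreadable to ordinary users, the opposite of what `--init` is meant to guarantee, so this is worth confirming. A cheap guard, placed after the `GPG_PACMAN=` assignment and matching the script's symlink-friendly `-e` test, is `if (( ! INIT )) && [[ ! -e ${PACMAN_KEYRING_DIR} ]]; then error "$(gettext "keyring is not initialized, run '%s --init' first")" "pacman-key"; exit 1; fi`. The `UPDATEBD` misspelling carried into the rewritten numopt line is raised in the note on the preceding --verify commit.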