summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
Diffstat (limited to 'scripts')
-rw-r--r--scripts/.gitignore1
-rw-r--r--scripts/Makefile.am3
-rw-r--r--scripts/makepkg.sh.in72
-rw-r--r--scripts/pacman-key.sh.in330
-rw-r--r--scripts/repo-add.sh.in122
5 files changed, 500 insertions, 28 deletions
diff --git a/scripts/.gitignore b/scripts/.gitignore
index fe4616f2..927b14c8 100644
--- a/scripts/.gitignore
+++ b/scripts/.gitignore
@@ -5,3 +5,4 @@ rankmirrors
repo-add
repo-remove
pkgdelta
+pacman-key
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index ae6ce366..7c64e81c 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -8,6 +8,7 @@ bin_SCRIPTS = \
OURSCRIPTS = \
makepkg \
pacman-db-upgrade \
+ pacman-key \
pacman-optimize \
pkgdelta \
rankmirrors \
@@ -16,6 +17,7 @@ OURSCRIPTS = \
EXTRA_DIST = \
makepkg.sh.in \
pacman-db-upgrade.sh.in \
+ pacman-key.sh.in \
pacman-optimize.sh.in \
pkgdelta.sh.in \
rankmirrors.sh.in \
@@ -64,6 +66,7 @@ $(OURSCRIPTS): Makefile
makepkg: $(srcdir)/makepkg.sh.in
pacman-db-upgrade: $(srcdir)/pacman-db-upgrade.sh.in
+pacman-key: ${srcdir}/pacman-key.sh.in
pacman-optimize: $(srcdir)/pacman-optimize.sh.in
pkgdelta: $(srcdir)/pkgdelta.sh.in
rankmirrors: $(srcdir)/rankmirrors.sh.in
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 69922c99..3d5184ad 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -28,7 +28,7 @@
# makepkg uses quite a few external programs during its execution. You
# need to have at least the following installed for makepkg to function:
# awk, bsdtar (libarchive), bzip2, coreutils, fakeroot, file, find (findutils),
-# gettext, grep, gzip, openssl, sed, tput (ncurses), xz
+# gettext, gpg, grep, gzip, openssl, sed, tput (ncurses), xz
# gettext initialization
export TEXTDOMAIN='pacman'
@@ -75,6 +75,7 @@ CHECKFUNC=0
PKGFUNC=0
SPLITPKG=0
PKGLIST=()
+SIGNPKG=''
# Forces the pkgver of the current PKGBUILD. Used by the fakeroot call
# when dealing with svn/cvs/etc PKGBUILDs.
@@ -391,7 +392,7 @@ run_pacman() {
local cmd
printf -v cmd "%q " "$PACMAN" $PACMAN_OPTS "$@"
if (( ! ASROOT )) && [[ ! $1 =~ ^-(T|Qq)$ ]]; then
- if [ "$(type -p sudo)" ]; then
+ if type -p sudo >/dev/null; then
cmd="sudo $cmd"
else
cmd="su root -c '$cmd'"
@@ -1065,6 +1066,9 @@ create_package() {
local pkg_file="$PKGDEST/${nameofpkg}-${fullver}-${PKGARCH}${PKGEXT}"
local ret=0
+ [[ -f $pkg_file ]] && rm -f "$pkg_file"
+ [[ -f $pkg_file.sig ]] && rm -f "$pkg_file.sig"
+
# when fileglobbing, we want * in an empty directory to expand to
# the null string rather than itself
shopt -s nullglob
@@ -1086,9 +1090,12 @@ create_package() {
exit 1 # TODO: error code
fi
+ create_signature "$pkg_file"
+
if (( ! ret )) && [[ ! "$PKGDEST" -ef "${startdir}" ]]; then
ln -sf "${pkg_file}" "${pkg_file/$PKGDEST/$startdir}"
ret=$?
+ [[ -f $pkg_file.sig ]] && ln -sf "$pkg_file.sig" "${pkg_file/$PKGDEST/$startdir}.sig"
fi
if (( ret )); then
@@ -1096,6 +1103,33 @@ create_package() {
fi
}
+create_signature() {
+ if [[ $SIGNPKG != 'y' ]]; then
+ return
+ fi
+ local ret=0
+ local filename="$1"
+ msg "$(gettext "Signing package...")"
+ if ! type -p gpg >/dev/null; then
+ error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+ exit 1 # $E_MISSING_PROGRAM
+ fi
+
+ local SIGNWITHKEY=""
+ if [[ -n $GPGKEY ]]; then
+ SIGNWITHKEY="-u ${GPGKEY}"
+ fi
+ # The signature will be generated directly in ascii-friendly format
+ gpg --detach-sign --use-agent ${SIGNWITHKEY} "$filename" &>/dev/null || ret=$?
+
+
+ if (( ! ret )); then
+ msg2 "$(gettext "Created signature file %s.")" "$filename.sig"
+ else
+ warning "$(gettext "Failed to sign package file.")"
+ fi
+}
+
create_srcpackage() {
cd "$startdir"
@@ -1573,7 +1607,7 @@ usage() {
echo "$(gettext " -e, --noextract Do not extract source files (use existing src/ dir)")"
echo "$(gettext " -f, --force Overwrite existing package")"
echo "$(gettext " -g, --geninteg Generate integrity checks for source files")"
- echo "$(gettext " -h, --help This help")"
+ echo "$(gettext " -h, --help Show this help message and exit")"
echo "$(gettext " -i, --install Install package after successful build")"
echo "$(gettext " -L, --log Log package build process")"
echo "$(gettext " -m, --nocolor Disable colorized output messages")"
@@ -1587,8 +1621,11 @@ usage() {
printf "$(gettext " --check Run the check() function in the %s")\n" "$BUILDSCRIPT"
printf "$(gettext " --config <file> Use an alternate config file (instead of '%s')")\n" "$confdir/makepkg.conf"
printf "$(gettext " --holdver Prevent automatic version bumping for development %ss")\n" "$BUILDSCRIPT"
+ echo "$(gettext " --key <key> Specify a key to use for gpg signing instead of the default")"
printf "$(gettext " --nocheck Do not run the check() function in the %s")\n" "$BUILDSCRIPT"
+ echo "$(gettext " --nosign Do not create a signature for the package")"
echo "$(gettext " --pkg <list> Only build listed packages from a split package")"
+ echo "$(gettext " --sign Sign the resulting package with gpg")"
echo "$(gettext " --skipinteg Do not fail when integrity checks are missing")"
echo "$(gettext " --source Generate a source-only tarball without downloaded sources")"
echo
@@ -1625,8 +1662,8 @@ ARGLIST=("$@")
OPT_SHORT="AcCdefFghiLmop:rRsV"
OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps"
OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver"
-OPT_LONG+=",install,log,nocolor,nobuild,nocheck,pkg:,rmdeps"
-OPT_LONG+=",repackage,skipinteg,source,syncdeps,version,config:"
+OPT_LONG+=",install,key:,log,nocolor,nobuild,nocheck,nosign,pkg:,rmdeps"
+OPT_LONG+=",repackage,skipinteg,sign,source,syncdeps,version,config:"
# Pacman Options
OPT_LONG+=",noconfirm,noprogressbar"
OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@" || echo 'PARSE_OPTIONS FAILED')"
@@ -1660,15 +1697,18 @@ while true; do
-g|--geninteg) GENINTEG=1 ;;
--holdver) HOLDVER=1 ;;
-i|--install) INSTALL=1 ;;
+ --key) shift; GPGKEY=$1 ;;
-L|--log) LOGGING=1 ;;
-m|--nocolor) USE_COLOR='n' ;;
--nocheck) RUN_CHECK='n' ;;
+ --nosign) SIGNPKG='n' ;;
-o|--nobuild) NOBUILD=1 ;;
-p) shift; BUILDFILE=$1 ;;
--pkg) shift; PKGLIST=($1) ;;
-r|--rmdeps) RMDEPS=1 ;;
-R|--repackage) REPKG=1 ;;
--skipinteg) SKIPINTEG=1 ;;
+ --sign) SIGNPKG='y' ;;
--source) SOURCEONLY=1 ;;
-s|--syncdeps) DEP_BIN=1 ;;
@@ -1685,6 +1725,9 @@ done
[[ -n ${PKGDEST} ]] && _PKGDEST=$(canonicalize_path ${PKGDEST})
[[ -n ${SRCDEST} ]] && _SRCDEST=$(canonicalize_path ${SRCDEST})
[[ -n ${SRCPKGDEST} ]] && _SRCPKGDEST=$(canonicalize_path ${SRCPKGDEST})
+[[ -n ${PKGEXT} ]] && _PKGEXT=${PKGEXT}
+[[ -n ${SRCEXT} ]] && _SRCEXT=${SRCEXT}
+[[ -n ${GPGKEY} ]] && _GPGKEY=${GPGKEY}
# default config is makepkg.conf
MAKEPKG_CONF=${MAKEPKG_CONF:-$confdir/makepkg.conf}
@@ -1748,6 +1791,9 @@ fi
SRCPKGDEST=${_SRCPKGDEST:-$SRCPKGDEST}
SRCPKGDEST=${SRCPKGDEST:-$startdir} #default to $startdir if undefined
+PKGEXT=${_PKGEXT:-$PKGEXT}
+SRCEXT=${_SRCEXT:-$SRCEXT}
+GPGKEY=${_GPGKEY:-$GPGKEY}
if (( HOLDVER )) && [[ -n $FORCE_VER ]]; then
# The '\\0' is here to prevent gettext from thinking --holdver is an option
@@ -1899,6 +1945,22 @@ if [[ -n "${PKGLIST[@]}" ]]; then
pkgname=("${PKGLIST[@]}")
fi
+# check if gpg signature is to be created and if signing key is valid
+if [[ -z "$SIGNPKG" && $(check_buildenv sign) == 'y' ]]; then
+ SIGNPKG='y'
+fi
+if [[ $SIGNPKG == 'y' ]]; then
+ if ! gpg --list-key ${GPGKEY} &>/dev/null; then
+ if [[ ! -z $GPGKEY ]]; then
+ error "$(gettext "The key ${GPGKEY} does not exist in your keyring.")"
+ else
+ error "$(gettext "There is no key in your keyring.")"
+ fi
+ exit 1
+ fi
+fi
+
+
if (( ! SPLITPKG )); then
fullver=$(get_full_version $epoch $pkgver $pkgrel)
if [[ -f $PKGDEST/${pkgname}-${fullver}-${CARCH}${PKGEXT} \
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
new file mode 100644
index 00000000..c0929897
--- /dev/null
+++ b/scripts/pacman-key.sh.in
@@ -0,0 +1,330 @@
+#!@BASH_SHELL@ -e
+#
+# pacman-key - manages pacman's keyring
+# Based on apt-key, from Debian
+# @configure_input@
+#
+# Copyright (c) 2010 - Pacman Development Team <pacman-dev@archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# gettext initialization
+export TEXTDOMAIN='pacman'
+export TEXTDOMAINDIR='@localedir@'
+
+myver="@PACKAGE_VERSION@"
+
+msg() {
+ local mesg=$1; shift
+ printf "==> ${mesg}\n" "$@" >&1
+}
+
+msg2() {
+ (( QUIET )) && return
+ local mesg=$1; shift
+ printf " -> ${mesg}\n" "$@" >&1
+}
+
+warning() {
+ local mesg=$1; shift
+ printf "==> $(gettext "WARNING:") ${mesg}\n" "$@" >&2
+}
+
+error() {
+ local mesg=$1; shift
+ printf "==> $(gettext "ERROR:") ${mesg}\n" "$@" >&2
+}
+
+usage() {
+ printf "pacman-key (pacman) %s\n" ${myver}
+ echo
+ printf "$(gettext "Usage: %s [options] <command> [arguments]")\n" $(basename $0)
+ echo
+ echo "$(gettext "Manage pacman's list of trusted keys")"
+ echo
+ echo "$(gettext "Options must be placed before commands. The available options are:")"
+ printf "$(gettext " --config <file> Use an alternate config file (instead of '%s')")\n" "$CONFIG"
+ echo "$(gettext " --gpgdir Set an alternate directory for gnupg")"
+ echo
+ echo "$(gettext "The available commands are:")"
+ echo "$(gettext " -a, --add [<file(s)>] Add the specified keys (empty for stdin)")"
+ echo "$(gettext " -d, --del <keyid(s)> Remove the specified keyids")"
+ echo "$(gettext " -e, --export <keyid(s)> Export the specified keyids")"
+ echo "$(gettext " -f, --finger [<keyid(s)>] List fingerprint for specified or all keyids")"
+ echo "$(gettext " -h, --help Show this help message and exit")"
+ echo "$(gettext " -l, --list List keys")"
+ echo "$(gettext " -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")"
+ echo "$(gettext " -t, --trust <keyid(s)> Set the trust level of the given keyids")"
+ echo "$(gettext " -u, --updatedb Update the trustdb of pacman")"
+ echo "$(gettext " -V, --version Show program version")"
+ echo "$(gettext " --adv <params> Use pacman's keyring with advanced gpg commands")"
+ printf "$(gettext " --reload Reload the default keys")"
+ echo
+}
+
+version() {
+ printf "pacman-key (pacman) %s\n" "${myver}"
+ printf "$(gettext "\
+Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>.\n\
+This is free software; see the source for copying conditions.\n\
+There is NO WARRANTY, to the extent permitted by law.\n")"
+}
+
+# Read provided file and search for values matching the given key
+# The contents of the file are expected to be in this format: key = value
+# 'key', 'equal sign' and 'value' can be surrounded by random whitespace
+# Usage: get_from "$file" "$key" # returns the value for the first matching key in the file
+get_from() {
+ while read key _ value; do
+ if [[ $key = $2 ]]; then
+ echo "$value"
+ break
+ fi
+ done < "$1"
+}
+
+reload_keyring() {
+ local PACMAN_SHARE_DIR='@prefix@/share/pacman'
+ local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}"
+
+ # Variable used for iterating on keyrings
+ local key
+ local key_id
+
+ # Keyring with keys to be added to the keyring
+ local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
+
+ # Keyring with keys that were deprecated and will eventually be deleted
+ local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg"
+
+ # List of keys removed from the keyring. This file is not a keyring, unlike the others.
+ # It is a textual list of values that gpg recogniezes as identifiers for keys.
+ local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"
+
+ # Verify signatures of related files, if they exist
+ if [[ -r "${ADDED_KEYS}" ]]; then
+ msg "$(gettext "Verifying official keys file signature...")"
+ if ! ${GPG_PACMAN} --quiet --batch --verify "${ADDED_KEYS}.sig" 1>/dev/null; then
+ error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}"
+ exit 1
+ fi
+ fi
+
+ if [[ -r "${DEPRECATED_KEYS}" ]]; then
+ msg "$(gettext "Verifying deprecated keys file signature...")"
+ if ! ${GPG_PACMAN} --quiet --batch --verify "${DEPRECATED_KEYS}.sig" 1>/dev/null; then
+ error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}"
+ exit 1
+ fi
+ fi
+
+ if [[ -r "${REMOVED_KEYS}" ]]; then
+ msg "$(gettext "Verifying deleted keys file signature...")"
+ if ! ${GPG_PACMAN} --quiet --batch --verify "${REMOVED_KEYS}.sig"; then
+ error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}"
+ exit 1
+ fi
+ fi
+
+ # Read the key ids to an array. The conversion from whatever is inside the file
+ # to key ids is important, because key ids are the only guarantee of identification
+ # for the keys.
+ local -A removed_ids
+ if [[ -r "${REMOVED_KEYS}" ]]; then
+ while read key; do
+ local key_values name
+ key_values=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')
+ if [[ -n $key_values ]]; then
+ # The first word is the key_id
+ key_id=${key_values%% *}
+ # the rest if the name of the owner
+ name=${key_values#* }
+ if [[ -n ${key_id} ]]; then
+ # Mark this key to be deleted
+ removed_ids[$key_id]="$name"
+ fi
+ fi
+ done < "${REMOVED_KEYS}"
+ fi
+
+ # List of keys that must be kept installed, even if in the list of keys to be removed
+ local HOLD_KEYS=$(get_from "$CONFIG" "HoldKeys")
+
+ # Remove the keys that must be kept from the set of keys that should be removed
+ if [[ -n ${HOLD_KEYS} ]]; then
+ for key in ${HOLD_KEYS}; do
+ key_id=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)
+ if [[ -n "${removed_ids[$key_id]}" ]]; then
+ unset removed_ids[$key_id]
+ fi
+ done
+ fi
+
+ # Add keys from the current set of keys from pacman-keyring package. The web of trust will
+ # be updated automatically.
+ if [[ -r "${ADDED_KEYS}" ]]; then
+ msg "$(gettext "Appending official keys...")"
+ local add_keys=$(${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+ for key_id in ${add_keys}; do
+ # There is no point in adding a key that will be deleted right after
+ if [[ -z "${removed_ids[$key_id]}" ]]; then
+ ${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+ fi
+ done
+ fi
+
+ if [[ -r "${DEPRECATED_KEYS}" ]]; then
+ msg "$(gettext "Appending deprecated keys...")"
+ local add_keys=$(${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+ for key_id in ${add_keys}; do
+ # There is no point in adding a key that will be deleted right after
+ if [[ -z "${removed_ids[$key_id]}" ]]; then
+ ${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+ fi
+ done
+ fi
+
+ # Remove the keys not marked to keep
+ if (( ${#removed_ids[@]} > 0 )); then
+ msg "$(gettext "Removing deleted keys from keyring...")"
+ for key_id in "${!removed_ids[@]}"; do
+ echo " removing key $key_id - ${removed_ids[$key_id]}"
+ ${GPG_PACMAN} --quiet --batch --yes --delete-key "${key_id}"
+ done
+ fi
+
+ # Update trustdb, just to be sure
+ msg "$(gettext "Updating trust database...")"
+ ${GPG_PACMAN} --batch --check-trustdb
+}
+
+# PROGRAM START
+if ! type gettext &>/dev/null; then
+ gettext() {
+ echo "$@"
+ }
+fi
+
+if [[ $1 != "--version" && $1 != "-V" && $1 != "--help" && $1 != "-h" && $1 != "" ]]; then
+ if type -p gpg >/dev/null 2>&1 = 1; then
+ error "$(gettext "gnupg does not seem to be installed.")"
+ msg2 "$(gettext "pacman-key requires gnupg for most operations.")"
+ exit 1
+ elif (( EUID != 0 )); then
+ error "$(gettext "pacman-key needs to be run as root.")"
+ exit 1
+ fi
+fi
+
+# Parse global options
+CONFIG="@sysconfdir@/pacman.conf"
+PACMAN_KEYRING_DIR="@sysconfdir@/pacman.d/gnupg"
+while [[ $1 =~ ^--(config|gpgdir)$ ]]; do
+ case "$1" in
+ --config) shift; CONFIG="$1" ;;
+ --gpgdir) shift; PACMAN_KEYRING_DIR="$1" ;;
+ esac
+ shift
+done
+
+if [[ ! -r "${CONFIG}" ]]; then
+ error "$(gettext "%s not found.")" "$CONFIG"
+ exit 1
+fi
+
+# Read GPGDIR from $CONFIG.
+if [[ GPGDIR=$(get_from "$CONFIG" "GPGDir") == 0 ]]; then
+ PACMAN_KEYRING_DIR="${GPGDIR}"
+fi
+GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning"
+
+# Try to create $PACMAN_KEYRING_DIR if non-existent
+# Check for simple existence rather than for a directory as someone may want
+# to use a symlink here
+[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"
+
+# Parse and execute command
+command="$1"
+if [[ -z "${command}" ]]; then
+ usage
+ exit 1
+fi
+shift
+
+case "${command}" in
+ -a|--add)
+ # If there is no extra parameter, gpg will read stdin
+ ${GPG_PACMAN} --quiet --batch --import "$@"
+ ;;
+ -d|--del)
+ if (( $# == 0 )); then
+ error "$(gettext "You need to specify at least one key identifier")"
+ exit 1
+ fi
+ ${GPG_PACMAN} --quiet --batch --delete-key --yes "$@"
+ ;;
+ -u|--updatedb)
+ ${GPG_PACMAN} --batch --check-trustdb
+ ;;
+ --reload)
+ reload_keyring
+ ;;
+ -l|--list)
+ ${GPG_PACMAN} --batch --list-sigs "$@"
+ ;;
+ -f|--finger)
+ ${GPG_PACMAN} --batch --fingerprint "$@"
+ ;;
+ -e|--export)
+ ${GPG_PACMAN} --armor --export "$@"
+ ;;
+ -r|--receive)
+ if (( $# < 2 )); then
+ error "$(gettext "You need to specify the keyserver and at least one key identifier")"
+ exit 1
+ fi
+ keyserver="$1"
+ shift
+ ${GPG_PACMAN} --keyserver "${keyserver}" --recv-keys "$@"
+ ;;
+ -t|--trust)
+ if (( $# == 0 )); then
+ error "$(gettext "You need to specify at least one key identifier")"
+ exit 1
+ fi
+ while (( $# > 0 )); do
+ # Verify if the key exists in pacman's keyring
+ if ${GPG_PACMAN} --list-keys "$1" > /dev/null 2>&1; then
+ ${GPG_PACMAN} --edit-key "$1"
+ else
+ error "$(gettext "The key identified by %s doesn't exist")" "$1"
+ exit 1
+ fi
+ shift
+ done
+ ;;
+ --adv)
+ msg "$(gettext "Executing: %s ")$*" "${GPG_PACMAN}"
+ ${GPG_PACMAN} "$@" || ret=$?
+ exit $ret
+ ;;
+ -h|--help)
+ usage; exit 0 ;;
+ -V|--version)
+ version; exit 0 ;;
+ *)
+ error "$(gettext "Unknown command:") $command"
+ usage; exit 1 ;;
+esac
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
index dfc93974..cb545f30 100644
--- a/scripts/repo-add.sh.in
+++ b/scripts/repo-add.sh.in
@@ -30,6 +30,8 @@ confdir='@sysconfdir@'
QUIET=0
DELTA=0
WITHFILES=0
+SIGN=0
+VERIFY=0
REPO_DB_FILE=
LOCKFILE=
CLEAN_LOCK=0
@@ -61,31 +63,39 @@ error() {
# print usage instructions
usage() {
- printf "repo-add, repo-remove (pacman) %s\n\n" "$myver"
- printf "$(gettext "Usage: repo-add [-d] [-f] [-q] <path-to-db> <package|delta> ...\n")"
- printf "$(gettext "Usage: repo-remove [-q] <path-to-db> <packagename|delta> ...\n\n")"
- printf "$(gettext "\
+ cmd="$(basename $0)"
+ printf "%s (pacman) %s\n\n" "$cmd" "$myver"
+ if [[ $cmd == "repo-add" ]] ; then
+ printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> ...\n")"
+ printf "$(gettext "\
repo-add will update a package database by reading a package file.\n\
Multiple packages to add can be specified on the command line.\n\n")"
- printf "$(gettext "\
+ printf "$(gettext "Options:\n")"
+ printf "$(gettext " -d, --delta generate and add delta for package update\n")"
+ printf "$(gettext " -f, --files update database's file list\n")"
+ elif [[ $cmd == "repo-remove" ]] ; then
+ printf "$(gettext "Usage: repo-remove [-q] [-s] [-v] <path-to-db> <packagename|delta> ...\n\n")"
+ printf "$(gettext "\
repo-remove will update a package database by removing the package name\n\
specified on the command line from the given repo database. Multiple\n\
packages to remove can be specified on the command line.\n\n")"
- printf "$(gettext "\
-Use the -q/--quiet flag to minimize output to basic messages, warnings,\n\
-and errors.\n\n")"
- printf "$(gettext "\
-Use the -d/--delta flag to automatically generate and add a delta file\n\
-between the old entry and the new one, if the old package file is found\n\
-next to the new one.\n\n")"
- printf "$(gettext "\
-Use the -f/--files flag to update a database including file entries.\n\n")"
- echo "$(gettext "Example: repo-add /path/to/repo.db.tar.gz pacman-3.0.0.pkg.tar.gz")"
- echo "$(gettext "Example: repo-remove /path/to/repo.db.tar.gz kernel26")"
+ printf "$(gettext "Options:\n")"
+ fi
+ printf "$(gettext " -q, --quiet minimize output\n")"
+ printf "$(gettext " -s, --sign sign database with GnuPG after update\n")"
+ printf "$(gettext " -v, --verify verify database's signature before update\n")"
+ printf "$(gettext "\n\
+See %s(8) for more details and descriptions of the available options.\n\n")" $cmd
+ if [[ $cmd == "repo-add" ]] ; then
+ echo "$(gettext "Example: repo-add /path/to/repo.db.tar.gz pacman-3.0.0.pkg.tar.gz")"
+ elif [[ $cmd == "repo-remove" ]] ; then
+ echo "$(gettext "Example: repo-remove /path/to/repo.db.tar.gz kernel26")"
+ fi
}
version() {
- printf "repo-add, repo-remove (pacman) %s\n\n" "$myver"
+ cmd="$(basename $0)"
+ printf "%s (pacman) %s\n\n" "$cmd" "$myver"
printf "$(gettext "\
Copyright (C) 2006-2008 Aaron Griffin <aaron@archlinux.org>.\n\
Copyright (c) 2007-2008 Dan McGee <dan@archlinux.org>.\n\n\
@@ -184,14 +194,56 @@ db_remove_delta()
return 1
} # end db_remove_delta
+# sign the package database once repackaged
+create_signature() {
+ (( ! SIGN )) && return
+ local dbfile="$1"
+ local ret=0
+ msg "$(gettext "Signing database...")"
+ if ! type -p gpg; then
+ error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+ exit 1 # $E_MISSING_PROGRAM
+ fi
+ gpg --detach-sign --use-agent "$dbfile" || ret=$?
+ if (( ! ret )); then
+ msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig"
+ else
+ warning "$(gettext "Failed to sign package database.")"
+ fi
+}
+
+# verify the existing package database signature
+verify_signature() {
+ (( ! VERIFY )) && return
+ local dbfile="$1"
+ local ret=0
+ msg "$(gettext "Verifying database signature...")"
+ if ! type -p gpg; then
+ error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+ exit 1 # $E_MISSING_PROGRAM
+ fi
+ if [[ ! -f $dbfile.sig ]]; then
+ warning "$(gettext "No existing signature found, skipping verification.")"
+ return
+ fi
+ gpg --verify "$dbfile.sig" || ret=$?
+ if (( ! ret )); then
+ msg2 "$(gettext "Database signature file verified.")"
+ else
+ error "$(gettext "Database signature was NOT valid!")"
+ exit 1
+ fi
+}
+
# write an entry to the pacman database
# arg1 - path to package
db_write_entry()
{
# blank out all variables
local pkgfile="$1"
- local pkgname pkgver pkgdesc csize size md5sum url arch builddate packager \
- _groups _licenses _replaces _depends _conflicts _provides _optdepends
+ local pkgname pkgver pkgdesc csize size url arch builddate packager \
+ _groups _licenses _replaces _depends _conflicts _provides _optdepends \
+ md5sum sha256sum pgpsig
local OLDIFS="$IFS"
# IFS (field separator) is only the newline character
@@ -219,10 +271,19 @@ db_write_entry()
IFS=$OLDIFS
- # get md5sum and compressed size of package
+ csize=$(@SIZECMD@ "$pkgfile")
+
+ # compute checksums
+ msg2 "$(gettext "Computing checksums...")"
md5sum="$(openssl dgst -md5 "$pkgfile")"
md5sum="${md5sum##* }"
- csize=$(@SIZECMD@ "$pkgfile")
+ sha256sum="$(openssl dgst -sha256 "$pkgfile")"
+ sha256sum="${sha256sum##* }"
+
+ # compute base64'd PGP signature
+ if [[ -f "$pkgfile.sig" ]]; then
+ pgpsig=$(openssl base64 -in "$pkgfile.sig" | tr -d '\n')
+ fi
# ensure $pkgname and $pkgver variables were found
if [[ -z $pkgname || -z $pkgver ]]; then
@@ -264,9 +325,12 @@ db_write_entry()
[[ -n $csize ]] && echo -e "%CSIZE%\n$csize\n" >>desc
[[ -n $size ]] && echo -e "%ISIZE%\n$size\n" >>desc
- # compute checksums
- msg2 "$(gettext "Computing md5 checksums...")"
+ # add checksums
echo -e "%MD5SUM%\n$md5sum\n" >>desc
+ echo -e "%SHA256SUM%\n$sha256sum\n" >>desc
+
+ # add PGP sig
+ [[ -n $pgpsig ]] && echo -e "%PGPSIG%\n$pgpsig\n" >>desc
[[ -n $url ]] && echo -e "%URL%\n$url\n" >>desc
write_list_entry "LICENSE" "$_licenses" "desc"
@@ -352,6 +416,7 @@ check_repo_db()
exit 1
fi
fi
+ verify_signature "$REPO_DB_FILE"
msg "$(gettext "Extracting database to a temporary location...")"
bsdtar -xf "$REPO_DB_FILE" -C "$tmpdir"
else
@@ -482,6 +547,8 @@ for arg in "$@"; do
-q|--quiet) QUIET=1;;
-d|--delta) DELTA=1;;
-f|--files) WITHFILES=1;;
+ -s|--sign) SIGN=1;;
+ -v|--verify) VERIFY=1;;
*)
if [[ -z $REPO_DB_FILE ]]; then
REPO_DB_FILE="$arg"
@@ -519,15 +586,24 @@ if (( success )); then
warning "$(gettext "No packages remain, creating empty database.")"
bsdtar -c${TAR_OPT}f "$filename" -T /dev/null
fi
+ create_signature "$filename"
+
popd >/dev/null
[[ -f $REPO_DB_FILE ]] && mv -f "$REPO_DB_FILE" "${REPO_DB_FILE}.old"
+ [[ -f $REPO_DB_FILE.sig ]] && rm -f "$REPO_DB_FILE.sig"
[[ -f $tmpdir/$filename ]] && mv "$tmpdir/$filename" "$REPO_DB_FILE"
+ [[ -f $tmpdir/$filename.sig ]] && mv "$tmpdir/$filename.sig" "$REPO_DB_FILE.sig"
dblink="${REPO_DB_FILE%.tar.*}"
target=${REPO_DB_FILE##*/}
ln -sf "$target" "$dblink" 2>/dev/null || \
ln -f "$target" "$dblink" 2>/dev/null || \
cp "$REPO_DB_FILE" "$dblink"
+ if [[ -f "$target.sig" ]]; then
+ ln -sf "$target.sig" "$dblink.sig" 2>/dev/null || \
+ ln -f "$target.sig" "$dblink.sig" 2>/dev/null || \
+ cp "$REPO_DB_FILE.sig" "$dblink.sig"
+ fi
else
msg "$(gettext "No packages modified, nothing to do.")"
exit 1