Export source PGPs from PKGBUILD on commit
Provide a tool to export keys listed in the PKGBUILD's validpgpkeys to keys/pgp/$fingerprint.asc. The presence of the "keys" directory alongside the PKGBUILD in trunk/ is tested during commitpkg. If the directory is absent, keys are exported and added to the commit. If the directory is present, a check is made to ensure all valid PGP keys are provided. Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
parent
5e98478344
commit
d00a28ea0e
|
@ -7,6 +7,7 @@ bash_completion
|
|||
checkpkg
|
||||
commitpkg
|
||||
diffpkg
|
||||
export-pkgbuild-keys
|
||||
finddeps
|
||||
lddd
|
||||
makechrootpkg
|
||||
|
|
2
Makefile
2
Makefile
|
@ -13,6 +13,7 @@ IN_PROGS = \
|
|||
commitpkg \
|
||||
crossrepomove\
|
||||
diffpkg \
|
||||
export-pkgbuild-keys \
|
||||
finddeps \
|
||||
find-libdeps \
|
||||
lddd \
|
||||
|
@ -74,6 +75,7 @@ BASHCOMPLETION_LINKS = \
|
|||
MANS = \
|
||||
doc/archbuild.1 \
|
||||
doc/arch-nspawn.1 \
|
||||
doc/export-pkgbuild-keys.1 \
|
||||
doc/makechrootpkg.1 \
|
||||
doc/lddd.1 \
|
||||
doc/checkpkg.1 \
|
||||
|
|
18
commitpkg.in
18
commitpkg.in
|
@ -48,6 +48,21 @@ case "$cmd" in
|
|||
;;
|
||||
esac
|
||||
|
||||
|
||||
if (( ${#validpgpkeys[@]} != 0 )); then
|
||||
if [[ -d keys ]]; then
|
||||
for key in "${validpgpkeys[@]}"; do
|
||||
if [[ ! -f keys/pgp/$key.asc ]]; then
|
||||
export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
|
||||
fi
|
||||
done
|
||||
else
|
||||
export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
|
||||
fi
|
||||
|
||||
svn add --parents --force keys/pgp/*
|
||||
fi
|
||||
|
||||
# find files which should be under source control
|
||||
needsversioning=()
|
||||
for s in "${source[@]}"; do
|
||||
|
@ -60,6 +75,9 @@ for i in 'changelog' 'install'; do
|
|||
needsversioning+=("$file")
|
||||
done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD)
|
||||
done
|
||||
for key in "${validpgpkeys[@]}"; do
|
||||
needsversioning+=("keys/pgp/$key.asc")
|
||||
done
|
||||
|
||||
# assert that they really are controlled by SVN
|
||||
if (( ${#needsversioning[*]} )); then
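Review bot: `svn add --parents --force keys/pgp/*` stages everything found in keys/pgp/, not only the keys named in validpgpkeys, so a key that was dropped from the PKGBUILD or any stray file in that directory is committed and distributed as a packager-validated signing key. Adding only the expected paths keeps the committed set equal to the array, e.g. `for key in "${validpgpkeys[@]}"; do svn add --parents --force "keys/pgp/$key.asc"; done`. The presence check above it tests only that `keys/pgp/$key.asc` exists, not that the file actually holds the key with that fingerprint, so an existing file with the wrong content would pass. As export-pkgbuild-keys appears to process every entry in one run, the inner loop could also `break` after the first call instead of re-running it per missing key.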
|
||||
|
|
|
@ -0,0 +1,25 @@
|
|||
export-pkgbuild-keys(1)
|
||||
=======================
|
||||
|
||||
Name
|
||||
----
|
||||
export-pkgbuild-keys - Export valid source signing keys from a PKGBUILD
|
||||
|
||||
Synopsis
|
||||
--------
|
||||
export-pkgbuild-keys
|
||||
|
||||
Description
|
||||
-----------
|
||||
|
||||
Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
|
||||
subdirectory. Useful for distributing packager validated source signing
|
||||
keys alongside PKGBUILDs.
|
||||
|
||||
Options
|
||||
-------
|
||||
|
||||
*-h, --help*::
|
||||
Show a help text.
|
||||
|
||||
include::footer.asciidoc[]
|
|
@ -0,0 +1,68 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
|
||||
m4_include(lib/common.sh)
|
||||
|
||||
usage() {
|
||||
cat <<- _EOF_
|
||||
Usage: ${BASH_SOURCE[0]##*/}
|
||||
|
||||
Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
|
||||
subdirectory. Useful for distributing packager validated source signing
|
||||
keys alongside PKGBUILDs.
|
||||
|
||||
OPTIONS
|
||||
-h, --help Show this help text
|
||||
_EOF_
|
||||
}
|
||||
|
||||
# option checking
|
||||
while (( $# )); do
|
||||
case $1 in
|
||||
-h|--help)
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
die "invalid argument: %s" "$1"
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ ! -f PKGBUILD ]]; then
|
||||
die "This must be run a directory containing a PKGBUILD."
|
||||
fi
|
||||
|
||||
mapfile -t validpgpkeys < <(
|
||||
# shellcheck source=PKGBUILD.proto
|
||||
. ./PKGBUILD
|
||||
printf "%s\n" "${validpgpkeys[@]}"
|
||||
)
|
||||
|
||||
if (( ${#validpgpkeys[@]} == 0 )); then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
mkdir -p keys/pgp
|
||||
error=0
|
||||
|
||||
for key in "${validpgpkeys[@]}"; do
|
||||
gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null
|
||||
|
||||
# gpg does not give a non-zero return value if it fails to export...
|
||||
if [[ -f keys/pgp/$key.asc.tmp ]]; then
|
||||
mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc"
|
||||
else
|
||||
if [[ -f keys/pgp/$key.asc ]]; then
|
||||
warning "Failed to update key: $key"
|
||||
else
|
||||
error "Key unavailable: $key"
|
||||
error=1
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
if (( error )); then
|
||||
die "Failed to export all \'validpgpkeys\' entries."
|
||||
fi
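Review bot: Each validpgpkeys entry is handed to `gpg --export` and used in the output path in the export loop without first checking that it is a full fingerprint. gpg treats a non-fingerprint argument as a key-ID or user-ID search, so such an entry could export several keys, or a different key than the one the packager verified, into `keys/pgp/$key.asc`; an entry beginning with `-` or containing `/` would also change the command or the path. A guard at the top of the loop such as `[[ $key =~ ^[[:xdigit:]]{40}$ ]] || die "validpgpkeys entry is not a full fingerprint: %s" "$key"` rules that out (the length assumes v4 fingerprints and needs adjusting if longer ones must be accepted). Separately, `2>/dev/null` discards gpg's own diagnostics, which leaves the "Key unavailable" message without a cause; letting stderr through, or capturing it for the error path, would make failures easier to diagnose.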
|