Export source PGPs from PKGBUILD on commit

Provide a tool to export keys listed in the PKGBUILDs validpgpkeys to
keys/pgp/$fingerprint.asc.

The presense of the "keys" directory alongside the PKGBUILD in trunk/
is tested during commitpkg.  If the directory is abscent, keys are
exported and added to the commit.  If the directory is present, a
check is made to ensure all valid PGP keys are provided.

Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>

.gitignore

@@ -7,6 +7,7 @@ bash_completion
 checkpkg
 commitpkg
 diffpkg
+export-pkgbuild-keys
 finddeps
 lddd
 makechrootpkg

Makefile

@@ -13,6 +13,7 @@ IN_PROGS = \
 	commitpkg \
 	crossrepomove\
 	diffpkg \
+	export-pkgbuild-keys \
 	finddeps \
 	find-libdeps \
 	lddd \
@@ -74,6 +75,7 @@ BASHCOMPLETION_LINKS = \
 MANS = \
 	doc/archbuild.1 \
 	doc/arch-nspawn.1 \
+	doc/export-pkgbuild-keys.1 \
 	doc/makechrootpkg.1 \
 	doc/lddd.1 \
 	doc/checkpkg.1 \

commitpkg.in

@@ -48,6 +48,21 @@ case "$cmd" in
 		;;
 esac
 
+
+if (( ${#validpgpkeys[@]} != 0 )); then
+	if [[ -d keys ]]; then
+		for key in "${validpgpkeys[@]}"; do
+			if [[ ! -f keys/pgp/$key.asc ]]; then
+				export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
+			fi
+		done
+	else
+		export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
+	fi
+
+	svn add --parents --force keys/pgp/*
+fi
+
 # find files which should be under source control
 needsversioning=()
 for s in "${source[@]}"; do
@@ -60,6 +75,9 @@ for i in 'changelog' 'install'; do
 		needsversioning+=("$file")
 	done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD)
 done
+for key in "${validpgpkeys[@]}"; do
+	needsversioning+=("keys/pgp/$key.asc")
+done
 
 # assert that they really are controlled by SVN
 if (( ${#needsversioning[*]} )); then

doc/export-pkgbuild-keys.asciidoc

@@ -0,0 +1,25 @@
+export-pkgbuild-keys(1)
+=======================
+
+Name
+----
+export-pkgbuild-keys - Export valid source signing keys from a PKGBUILD
+
+Synopsis
+--------
+export-pkgbuild-keys
+
+Description
+-----------
+
+Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
+subdirectory. Useful for distributing packager validated source signing
+keys alongside PKGBUILDs.
+
+Options
+-------
+
+*-h, --help*::
+	Show a help text.
+
+include::footer.asciidoc[]

export-pkgbuild-keys.in

@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+m4_include(lib/common.sh)
+
+usage() {
+	cat <<- _EOF_
+		Usage: ${BASH_SOURCE[0]##*/}
+
+		Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
+		subdirectory. Useful for distributing packager validated source signing
+		keys alongside PKGBUILDs.
+
+		OPTIONS
+		    -h, --help      Show this help text
+_EOF_
+}
+
+# option checking
+while (( $# )); do
+	case $1 in
+		-h|--help)
+			usage
+			exit 0
+			;;
+		*)
+			die "invalid argument: %s" "$1"
+			;;
+	esac
+done
+
+if [[ ! -f PKGBUILD ]]; then
+	die "This must be run a directory containing a PKGBUILD."
+fi
+
+mapfile -t validpgpkeys < <(
+	# shellcheck source=PKGBUILD.proto
+	. ./PKGBUILD
+	printf "%s\n" "${validpgpkeys[@]}"
+)
+
+if (( ${#validpgpkeys[@]} == 0 )); then
+	exit 0
+fi
+
+mkdir -p keys/pgp
+error=0
+
+for key in "${validpgpkeys[@]}"; do
+	gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null
+
+	# gpg does not give a non-zero return value if it fails to export...
+	if [[ -f keys/pgp/$key.asc.tmp ]]; then
+		mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc"
+	else
+		if [[ -f keys/pgp/$key.asc ]]; then
+			warning "Failed to update key: $key"
+		else
+			error "Key unavailable: $key"
+			error=1
+		fi
+	fi
+done
+
+if (( error )); then
+	die "Failed to export all \'validpgpkeys\' entries."
+fi