Export source PGPs from PKGBUILD on commit
Provide a tool to export the keys listed in the PKGBUILD's validpgpkeys to keys/pgp/$fingerprint.asc. The presence of the "keys" directory alongside the PKGBUILD in trunk/ is tested during commitpkg. If the directory is absent, keys are exported and added to the commit. If the directory is present, a check is made to ensure all valid PGP keys are provided. Signed-off-by: Allan McRae <allan@archlinux.org> Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
parent
5e98478344
commit
d00a28ea0e
|
@ -7,6 +7,7 @@ bash_completion
|
||||||
checkpkg
|
checkpkg
|
||||||
commitpkg
|
commitpkg
|
||||||
diffpkg
|
diffpkg
|
||||||
|
export-pkgbuild-keys
|
||||||
finddeps
|
finddeps
|
||||||
lddd
|
lddd
|
||||||
makechrootpkg
|
makechrootpkg
|
||||||
|
|
2
Makefile
2
Makefile
|
@ -13,6 +13,7 @@ IN_PROGS = \
|
||||||
commitpkg \
|
commitpkg \
|
||||||
crossrepomove\
|
crossrepomove\
|
||||||
diffpkg \
|
diffpkg \
|
||||||
|
export-pkgbuild-keys \
|
||||||
finddeps \
|
finddeps \
|
||||||
find-libdeps \
|
find-libdeps \
|
||||||
lddd \
|
lddd \
|
||||||
|
@ -74,6 +75,7 @@ BASHCOMPLETION_LINKS = \
|
||||||
MANS = \
|
MANS = \
|
||||||
doc/archbuild.1 \
|
doc/archbuild.1 \
|
||||||
doc/arch-nspawn.1 \
|
doc/arch-nspawn.1 \
|
||||||
|
doc/export-pkgbuild-keys.1 \
|
||||||
doc/makechrootpkg.1 \
|
doc/makechrootpkg.1 \
|
||||||
doc/lddd.1 \
|
doc/lddd.1 \
|
||||||
doc/checkpkg.1 \
|
doc/checkpkg.1 \
|
||||||
|
|
18
commitpkg.in
18
commitpkg.in
|
@ -48,6 +48,21 @@ case "$cmd" in
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
|
||||||
|
if (( ${#validpgpkeys[@]} != 0 )); then
|
||||||
|
if [[ -d keys ]]; then
|
||||||
|
for key in "${validpgpkeys[@]}"; do
|
||||||
|
if [[ ! -f keys/pgp/$key.asc ]]; then
|
||||||
|
export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
else
|
||||||
|
export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files'
|
||||||
|
fi
|
||||||
|
|
||||||
|
svn add --parents --force keys/pgp/*
|
||||||
|
fi
|
||||||
|
|
||||||
# find files which should be under source control
|
# find files which should be under source control
|
||||||
needsversioning=()
|
needsversioning=()
|
||||||
for s in "${source[@]}"; do
|
for s in "${source[@]}"; do
|
||||||
|
@ -60,6 +75,9 @@ for i in 'changelog' 'install'; do
|
||||||
needsversioning+=("$file")
|
needsversioning+=("$file")
|
||||||
done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD)
|
done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD)
|
||||||
done
|
done
|
||||||
|
for key in "${validpgpkeys[@]}"; do
|
||||||
|
needsversioning+=("keys/pgp/$key.asc")
|
||||||
|
done
|
||||||
|
|
||||||
# assert that they really are controlled by SVN
|
# assert that they really are controlled by SVN
|
||||||
if (( ${#needsversioning[*]} )); then
|
if (( ${#needsversioning[*]} )); then
|
||||||
|
|
|
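Review bot: The `[[ ! -f keys/pgp/$key.asc ]]` test only checks that a file with that name exists, so a stale or hand-edited file passes without being compared to the fingerprint in `validpgpkeys`, and `svn add --parents --force keys/pgp/*` then stages everything in the directory, including keys that were dropped from the array and any leftover `.asc.tmp` file written by export-pkgbuild-keys. Staging only the expected files would keep the committed key set equal to the array: `for key in "${validpgpkeys[@]}"; do svn add --parents --force "keys/pgp/$key.asc"; done`. The inner loop also reruns `export-pkgbuild-keys` once per missing key although a single run exports all of them, so a `break` after the call is enough. `validpgpkeys` is populated outside this hunk, presumably by sourcing the PKGBUILD.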
@ -0,0 +1,25 @@
|
||||||
|
export-pkgbuild-keys(1)
|
||||||
|
=======================
|
||||||
|
|
||||||
|
Name
|
||||||
|
----
|
||||||
|
export-pkgbuild-keys - Export valid source signing keys from a PKGBUILD
|
||||||
|
|
||||||
|
Synopsis
|
||||||
|
--------
|
||||||
|
export-pkgbuild-keys
|
||||||
|
|
||||||
|
Description
|
||||||
|
-----------
|
||||||
|
|
||||||
|
Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
|
||||||
|
subdirectory. Useful for distributing packager validated source signing
|
||||||
|
keys alongside PKGBUILDs.
|
||||||
|
|
||||||
|
Options
|
||||||
|
-------
|
||||||
|
|
||||||
|
*-h, --help*::
|
||||||
|
Show a help text.
|
||||||
|
|
||||||
|
include::footer.asciidoc[]
|
|
@ -0,0 +1,68 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||||
|
|
||||||
|
m4_include(lib/common.sh)
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
cat <<- _EOF_
|
||||||
|
Usage: ${BASH_SOURCE[0]##*/}
|
||||||
|
|
||||||
|
Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/
|
||||||
|
subdirectory. Useful for distributing packager validated source signing
|
||||||
|
keys alongside PKGBUILDs.
|
||||||
|
|
||||||
|
OPTIONS
|
||||||
|
-h, --help Show this help text
|
||||||
|
_EOF_
|
||||||
|
}
|
||||||
|
|
||||||
|
# option checking
|
||||||
|
while (( $# )); do
|
||||||
|
case $1 in
|
||||||
|
-h|--help)
|
||||||
|
usage
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
die "invalid argument: %s" "$1"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [[ ! -f PKGBUILD ]]; then
|
||||||
|
die "This must be run a directory containing a PKGBUILD."
|
||||||
|
fi
|
||||||
|
|
||||||
|
mapfile -t validpgpkeys < <(
|
||||||
|
# shellcheck source=PKGBUILD.proto
|
||||||
|
. ./PKGBUILD
|
||||||
|
printf "%s\n" "${validpgpkeys[@]}"
|
||||||
|
)
|
||||||
|
|
||||||
|
if (( ${#validpgpkeys[@]} == 0 )); then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir -p keys/pgp
|
||||||
|
error=0
|
||||||
|
|
||||||
|
for key in "${validpgpkeys[@]}"; do
|
||||||
|
gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null
|
||||||
|
|
||||||
|
# gpg does not give a non-zero return value if it fails to export...
|
||||||
|
if [[ -f keys/pgp/$key.asc.tmp ]]; then
|
||||||
|
mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc"
|
||||||
|
else
|
||||||
|
if [[ -f keys/pgp/$key.asc ]]; then
|
||||||
|
warning "Failed to update key: $key"
|
||||||
|
else
|
||||||
|
error "Key unavailable: $key"
|
||||||
|
error=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if (( error )); then
|
||||||
|
die "Failed to export all \'validpgpkeys\' entries."
|
||||||
|
fi
|
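Review bot: Each `validpgpkeys` entry is handed to `gpg --export` as a key specifier and reused as a file name without a check that it is a full fingerprint, so a short key ID or a user-ID string could export a different key, or several, into `keys/pgp/$key.asc`, and an entry containing `/` would write outside `keys/pgp/`. A guard at the top of the loop such as `[[ $key =~ ^[[:xdigit:]]{40}$ ]] || die "Not a full fingerprint: %s" "$key"` covers both cases (adjust the length if other fingerprint formats must be accepted). A `keys/pgp/$key.asc.tmp` left over from an interrupted run also satisfies the `-f` test and would be moved into place unexamined; `rm -f "keys/pgp/$key.asc.tmp"` before the `gpg` call avoids that. With `2>/dev/null` the reason for a failed export is hidden from the packager, so consider keeping gpg's stderr.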