author | Allan McRae <allan@archlinux.org> | 2022-03-29 19:36:16 +1000 |
---|---|---|
committer | Levente Polyak <anthraxx@archlinux.org> | 2022-06-09 20:41:18 +0200 |
commit | d00a28ea0ed981d47634504c3eb67c5b8870bc62 (patch) | |
tree | 9109795ee372700d48450a2c49ba3e1501511f77 | |
parent | 5e98478344fbdecd5f07eb92ef92ee43bc66e1a9 (diff) | |
download | devtools-d00a28ea0ed981d47634504c3eb67c5b8870bc62.tar.xz |
Export source PGPs from PKGBUILD on commit
Provide a tool to export keys listed in the PKGBUILDs validpgpkeys to
keys/pgp/$fingerprint.asc.
The presence of the "keys" directory alongside the PKGBUILD in trunk/
is tested during commitpkg. If the directory is absent, keys are
exported and added to the commit. If the directory is present, a
check is made to ensure all valid PGP keys are provided.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | commitpkg.in | 18 | ||||
-rw-r--r-- | doc/export-pkgbuild-keys.asciidoc | 25 | ||||
-rw-r--r-- | export-pkgbuild-keys.in | 68 |
5 files changed, 114 insertions, 0 deletions
@@ -7,6 +7,7 @@ bash_completion checkpkg commitpkg diffpkg +export-pkgbuild-keys finddeps lddd makechrootpkg @@ -13,6 +13,7 @@ IN_PROGS = \ commitpkg \ crossrepomove\ diffpkg \ + export-pkgbuild-keys \ finddeps \ find-libdeps \ lddd \ @@ -74,6 +75,7 @@ BASHCOMPLETION_LINKS = \ MANS = \ doc/archbuild.1 \ doc/arch-nspawn.1 \ + doc/export-pkgbuild-keys.1 \ doc/makechrootpkg.1 \ doc/lddd.1 \ doc/checkpkg.1 \ diff --git a/commitpkg.in b/commitpkg.in index 928e638..e0da32d 100644 --- a/commitpkg.in +++ b/commitpkg.in @@ -48,6 +48,21 @@ case "$cmd" in ;; esac + +if (( ${#validpgpkeys[@]} != 0 )); then + if [[ -d keys ]]; then + for key in "${validpgpkeys[@]}"; do + if [[ ! -f keys/pgp/$key.asc ]]; then + export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files' + fi + done + else + export-pkgbuild-keys || die 'Failed to export valid PGP keys for source files' + fi + + svn add --parents --force keys/pgp/* +fi + # find files which should be under source control needsversioning=() for s in "${source[@]}"; do @@ -60,6 +75,9 @@ for i in 'changelog' 'install'; do needsversioning+=("$file") done < <(sed -n "s/^[[:space:]]*$i=//p" PKGBUILD) done +for key in "${validpgpkeys[@]}"; do + needsversioning+=("keys/pgp/$key.asc") +done # assert that they really are controlled by SVN if (( ${#needsversioning[*]} )); then diff --git a/doc/export-pkgbuild-keys.asciidoc b/doc/export-pkgbuild-keys.asciidoc new file mode 100644 index 0000000..9c47515 --- /dev/null +++ b/doc/export-pkgbuild-keys.asciidoc 
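Review bot: `svn add --parents --force keys/pgp/*` at the end of the new block versions whatever happens to be in keys/pgp/, not just the files for the current validpgpkeys, so a leftover `$key.asc.tmp` from an interrupted export-pkgbuild-keys run (that tool writes its output under that name first) or a key whose fingerprint was since dropped from the PKGBUILD would be committed alongside the real ones. Adding only the expected files keeps the committed keys tied to validpgpkeys: `for key in "${validpgpkeys[@]}"; do svn add --parents --force "keys/pgp/$key.asc"; done`. Note too that when keys/ already exists an existing .asc is accepted as-is and only missing files trigger a re-export, so an expiry extension or revocation on the packager's keyring will not reach the repository until the file is deleted by hand; a comment such as `# existing key files are not re-exported; delete keys/pgp/<fingerprint>.asc to refresh one` would make that explicit. The rest of commitpkg, including where validpgpkeys is sourced and the die helper, is outside this hunk.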
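Review bot: The three added lines re-derive the same `keys/pgp/$key.asc` names that the export block earlier in this file builds, and a reader reaching the versioning assertion that follows will not see why key files are treated like changelog and install files; a comment above the loop such as `# key files exported by export-pkgbuild-keys must be committed with the PKGBUILD` would tie the two places together. The assertion that consumes needsversioning is outside this hunk.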
@@ -0,0 +1,25 @@ +export-pkgbuild-keys(1) +======================= + +Name +---- +export-pkgbuild-keys - Export valid source signing keys from a PKGBUILD + +Synopsis +-------- +export-pkgbuild-keys + +Description +----------- + +Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/ +subdirectory. Useful for distributing packager validated source signing +keys alongside PKGBUILDs. + +Options +------- + +*-h, --help*:: + Show a help text. + +include::footer.asciidoc[] diff --git a/export-pkgbuild-keys.in b/export-pkgbuild-keys.in new file mode 100644 index 0000000..f392f4c --- /dev/null +++ b/export-pkgbuild-keys.in 
@@ -0,0 +1,68 @@ +#!/bin/bash +# +# SPDX-License-Identifier: GPL-3.0-or-later + +m4_include(lib/common.sh) + +usage() { + cat <<- _EOF_ + Usage: ${BASH_SOURCE[0]##*/} + + Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/ + subdirectory. Useful for distributing packager validated source signing + keys alongside PKGBUILDs. + + OPTIONS + -h, --help Show this help text +_EOF_ +} + +# option checking +while (( $# )); do + case $1 in + -h|--help) + usage + exit 0 + ;; + *) + die "invalid argument: %s" "$1" + ;; + esac +done + +if [[ ! -f PKGBUILD ]]; then + die "This must be run a directory containing a PKGBUILD." +fi + +mapfile -t validpgpkeys < <( + # shellcheck source=PKGBUILD.proto + . ./PKGBUILD + printf "%s\n" "${validpgpkeys[@]}" +) + +if (( ${#validpgpkeys[@]} == 0 )); then + exit 0 +fi + +mkdir -p keys/pgp +error=0 + +for key in "${validpgpkeys[@]}"; do + gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null + + # gpg does not give a non-zero return value if it fails to export... + if [[ -f keys/pgp/$key.asc.tmp ]]; then + mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc" + else + if [[ -f keys/pgp/$key.asc ]]; then + warning "Failed to update key: $key" + else + error "Key unavailable: $key" + error=1 + fi + fi +done + +if (( error )); then + die "Failed to export all \'validpgpkeys\' entries." +fi |
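Review bot: The export loop passes each validpgpkeys entry straight to `gpg --export "$key"` and uses it as a path component without checking that it is a full fingerprint; gpg treats a shorter hex string or non-hex text as a key-ID or user-ID pattern, so an 8- or 16-digit short ID could export a different key, or several keys concatenated, into `keys/pgp/$key.asc`, which commitpkg then commits as the trusted signer. As far as I recall makepkg matches validpgpkeys against full fingerprints, so rejecting anything that is not 40 hex digits before calling gpg closes that gap and keeps the file name well-formed — worth confirming against makepkg. The `-f` test on the temporary file also accepts an empty file, so should gpg ever create the output before failing, an empty .asc would be moved into place; `-s` plus an `rm -f` of the temporary file in the failure branch is safer and avoids leaving `.asc.tmp` litter behind. The `error`, `warning` and `die` helpers come from lib/common.sh, which is not part of this hunk.
```shell
for key in "${validpgpkeys[@]}"; do
    # gpg treats anything shorter than a full fingerprint as a key-ID or
    # user-ID pattern, which may match several keys; only accept fingerprints
    if [[ ! $key =~ ^[[:xdigit:]]{40}$ ]]; then
        error "Invalid PGP fingerprint in validpgpkeys: $key"
        error=1
        continue
    fi

    gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null

    # gpg does not give a non-zero return value if it fails to export, and
    # an empty output file is as useless as none
    if [[ -s keys/pgp/$key.asc.tmp ]]; then
        mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc"
    else
        rm -f "keys/pgp/$key.asc.tmp"
        # … unchanged: warning / error reporting for a stale or unavailable key …
    fi
done
```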