On 19/02/11 11:30, Denis A. Altoé Falqueto wrote:
Two new command line options were added:
-n, --sign: forces the generation of a signature for
the resulting package, even if not configured in makepkg.conf.
The command line has precedence over the option in
makepkg.conf. So, even if makepkg.conf has !sign in
BUILDENV, passing --sign to makepkg will make it
sign the package.
I think we should have a --nosign option to which would negate 'sign' in
makepkg.conf. See the --check/--nocheck pair to see how that is achieved.
--signwithkey<key>: there is a possibility of another key
being used, instead of the user's default. For exemple,
pacman-keyring package could be signed by a master key,
because it needs to be trusted explicitly by the user
before the installation of that package. So, this parameter
will be used to supply an id for a key to be used to sign
the package.
Signed-off-by: Denis A. Altoé Falqueto<[email protected]>
---
scripts/makepkg.sh.in | 28 +++++++++++++++++++++++-----
1 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 8381a78..dc71ffd 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -28,7 +28,7 @@
# makepkg uses quite a few external programs during its execution. You
# need to have at least the following installed for makepkg to function:
# awk, bsdtar (libarchive), bzip2, coreutils, fakeroot, file, find
(findutils),
-# gettext, grep, gzip, openssl, sed, tput (ncurses), xz
+# gettext, gpg, grep, gzip, openssl, sed, tput (ncurses), xz
# gettext initialization
export TEXTDOMAIN='pacman'
@@ -74,6 +74,8 @@ BUILDFUNC=0
CHECKFUNC=0
PKGFUNC=0
SPLITPKG=0
+SIGN=0
+SIGNKEY=""
PKGLIST=()
# Forces the pkgver of the current PKGBUILD. Used by the fakeroot call
@@ -1106,7 +1108,7 @@ create_package() {
}
create_signature() {
- if [[ $(check_buildenv sign) != "y" ]]; then
+ if [[ $(check_buildenv sign) != "y"&& $SIGN != 1 ]]; then
return
fi
local ret=0
@@ -1116,7 +1118,18 @@ create_signature() {
error "$(gettext "Cannot find the gpg binary! Is gnupg
installed?")"
exit 1 # $E_MISSING_PROGRAM
fi
- gpg --detach-sign --use-agent "$filename" || ret=$?
+
+ # Check if SIGNKEY is valid.
+ local SIGNWITHKEY=""
+ if [[ "${SIGNKEY}" ]]; then
+ if ! gpg --list-key "${SIGNKEY}" 1>/dev/null 2>&1; then
+ error "$(gettext "The key ${SIGNKEY} doesn\'t exist.")"
+ exit 1
+ fi
+ SIGNWITHKEY="-u ${SIGNKEY}"
+ fi
I wonder if this is checked too late. I suppose with a package()
function in a PKGBUILD, we can not rebuild by using "makepkg -R" but
this still seems quite late to abort.
+ # The signature will be generated directly in ascii-friendly format
+ gpg --detach-sign --quiet --batch --use-agent ${SIGNWITHKEY} "$filename"
1>/dev/null || ret=$?
--batch is bad here. It forces the use of a gpg-agent.
if (( ! ret )); then
msg2 "$(gettext "Created signature file %s.")" "$filename.sig"
else
@@ -1614,6 +1627,9 @@ usage() {
echo "$(gettext " --pkg<list> Only build listed packages from a split
package")"
echo "$(gettext " --skipinteg Do not fail when integrity checks are
missing")"
echo "$(gettext " --source Generate a source-only tarball without
downloaded sources")"
+ echo "$(gettext " -n, --sign Sign the resulting package with
gpg")"
+ printf "$(gettext " --signwithkey<key>\n\
+ Selects an specific key to use for signing, instead of user's
default")"
echo
echo "$(gettext "These options can be passed to pacman:")"
echo
@@ -1645,11 +1661,11 @@ fi
ARGLIST=("$@")
# Parse Command Line Options.
-OPT_SHORT="AcCdefFghiLmop:rRsV"
+OPT_SHORT="AcCdefFghiLmnop:rRsV"
OPT_LONG="allsource,asroot,ignorearch,check,clean,cleancache,nodeps"
OPT_LONG+=",noextract,force,forcever:,geninteg,help,holdver"
OPT_LONG+=",install,log,nocolor,nobuild,nocheck,pkg:,rmdeps"
-OPT_LONG+=",repackage,skipinteg,source,syncdeps,version,config:"
+OPT_LONG+=",repackage,sign,signwithkey:,skipinteg,source,syncdeps,version,config:"
# Pacman Options
OPT_LONG+=",noconfirm,noprogressbar"
OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@" || echo 'PARSE_OPTIONS
FAILED')"
@@ -1693,6 +1709,8 @@ while true; do
-R|--repackage) REPKG=1 ;;
--skipinteg) SKIPINTEG=1 ;;
--source) SOURCEONLY=1 ;;
+ --sign) SIGN=1 ;;
+ --signwithkey) shift; SIGNKEY=$1 ;;
-s|--syncdeps) DEP_BIN=1 ;;
-h|--help) usage; exit 0 ;; # E_OK
