On 1/6/22 19:35, Emil Velikov wrote:
On Tuesday, 31 May 2022, Allan McRae <[email protected]> wrote:
Arch Linux is adding source signing PGP keys to their package source
tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
PGP keyserver infrastructure is a mess, this helps other people validate
sources in a PKGBUILD.
Add the keys to source packages if found alongside the PKGBUILD.
Signed-off-by: Allan McRae <[email protected]>
---
I won't be committing this until the relevant Arch devtools patch is
accepted so that the keys/pgp/ path is finalised.
scripts/makepkg.sh.in | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 69757d03..bddcbe03 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -705,6 +705,16 @@ create_srcpackage() {
done
pkgname=(${pkgname_backup[@]})
+ # add a copy of source PGP signing public keys if availabe
in keys/pgp/<fingerprint>.asc
+ local key
+ for key in ${validpgpkeys[@]}; do
+ if [[ -f keys/pgp/$key.asc ]]; then
+ mkdir -p "${srclinks}/${pkgbase}/keys/pgp/"
+ ln -s "${startdir}/keys/pgp/$key.asc"
"${srclinks}/${pkgbase}/keys/pgp/"
+ fi
+ done
+
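Review bot: the existence check `if [[ -f keys/pgp/$key.asc ]]` is resolved against the current working directory, while the symlink target a few lines later is `"${startdir}/keys/pgp/$key.asc"`; test `"${startdir}/keys/pgp/$key.asc"` as well so the two paths cannot disagree if create_srcpackage is ever entered from a directory other than startdir. Two smaller points in the same hunk: the comment has a typo ("availabe"), and `${validpgpkeys[@]}` is the only unquoted expansion in the block, so `"${validpgpkeys[@]}"` would match the quoting used for srclinks and startdir. Worth spelling out in the comment, too, that the key file is included purely on the basis of its filename: nothing here checks that the .asc actually contains a key with fingerprint `$key`, so consumers of the source package still have to compare the imported key's fingerprint against validpgpkeys rather than trust the path.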
Thanks for tackling the topic Allan - here and in devtools.
Would it make sense to error out if any key is missing? Be that now or
in the mid-to-long run.
devtools will, makepkg will not.
Perhaps we can mandate it when devtools version X is detected, or as
makepkg.conf toggle Y is set?
I think this is a distro specific policy and not something to be
enforced at the makepkg end.
Allan