On 07/03/14 05:05, Thomas Bächler wrote:
> If acceptkeys is set in the PKGBUILD, signature checking fails if
> the fingerprint of the key used to create the signature is not listed
> in the array. Failure to verify the signature due to a missing public
> key is also treated as an error instead of a warning.
> ---
>  scripts/makepkg.sh.in | 36 ++++++++++++++++++++++++++----------
>  1 file changed, 26 insertions(+), 10 deletions(-)
> 

Fine.  Small comments below.  Also needs documentation.

Just a small bikeshed...  acceptkeys does not sound right.  How about
sourcepgpkeys?

> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index e230c15..40c5b48 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1250,7 +1250,7 @@ check_pgpsigs() {
>  
>       msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
>  
> -     local file pubkey ext decompress found
> +     local file pubkey ext decompress found success
>       local warning=0
>       local errors=0
>       local statusfile=$(mktemp)
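
Review bot: the context line "local warning=0" in this hunk declares warning, while the branches below, including the ones this patch adds, assign warnings=1, so the variable that actually gets set is not the local declared here. Since this declaration block is being touched anyway, change it to "local warnings=0" so the counter is local and starts at zero.
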
> @@ -1296,7 +1296,11 @@ check_pgpsigs() {
>                       printf '%s' "$(gettext "FAILED")" >&2
>                       if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' 
> "$statusfile"); then
>                               printf ' (%s)' "$(gettext "unknown public key") 
> $pubkey" >&2
> -                             warnings=1
> +                             if (( ${#acceptkeys[@]} > 0 )); then
> +                                     errors=1
> +                             else
> +                                     warnings=1
> +                             fi

This seems strange from a user interface perspective - a missing key in
a keyring can be a warning or error depending on other aspects of the
PKGBUILD.

>                       else
>                               errors=1
>                       fi
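
Review bot: in the NO_PUBKEY branch the result becomes errors=1 when acceptkeys is non-empty, but the text printed just above is still only "unknown public key" plus the key ID, so the user is not told why the same condition is now fatal. Print a distinct message in the (( ${#acceptkeys[@]} > 0 )) arm saying that the PKGBUILD restricts the accepted keys, and describe this escalation where the variable is documented.
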
> @@ -1306,13 +1310,25 @@ check_pgpsigs() {
>                               printf '%s (%s)' "$(gettext "FAILED")" 
> "$(gettext "the key has been revoked.")" >&2
>                               errors=1
>                       else
> -                             printf '%s' "$(gettext "Passed")" >&2
> -                             if grep -q "EXPSIG" "$statusfile"; then
> -                                     printf ' (%s)' "$(gettext "WARNING:") 
> $(gettext "the signature has expired.")" >&2
> -                                     warnings=1
> -                             elif grep -q "EXPKEYSIG" "$statusfile"; then
> -                                     printf ' (%s)' "$(gettext "WARNING:") 
> $(gettext "the key has expired.")" >&2
> -                                     warnings=1
> +                             success=1
> +                             if (( ${#acceptkeys[@]} > 0 )); then
> +                                     pubkey=$(grep VALIDSIG "$statusfile" | 
> sed -nr 's/.* VALIDSIG ([A-Z0-9]*) .*/\1/p;' | awk '{print tolower($0)}')

tolower?  I'd expect PGP keys to be given with capital letters.  At
least have acceptkeys run through tolower too.

> +                                     if ! in_array $pubkey ${acceptkeys[@]}; 
> then

So the PKGBUILD needs to specify the full fingerprint?

This allows acceptkeys to specify shorter values:
grep -f <(printf '%s$\n' "${acceptkeys[@]}") <(printf '%s\n' "$pubkey")

> +                                             printf '%s' "$(gettext 
> "FAILED")" >&2
> +                                             printf " ($(gettext 'the 
> fingerprint %s is not accepted.'))" "$pubkey" >&2

Maybe:
sources are not allowed to be signed by the PGP key %s

> +                                             success=0
> +                                             errors=1
> +                                     fi
> +                             fi
> +                             if (( $success )); then
> +                                     printf '%s' "$(gettext "Passed")" >&2
> +                                     if grep -q "EXPSIG" "$statusfile"; then
> +                                             printf ' (%s)' "$(gettext 
> "WARNING:") $(gettext "the signature has expired.")" >&2
> +                                             warnings=1
> +                                     elif grep -q "EXPKEYSIG" "$statusfile"; 
> then
> +                                             printf ' (%s)' "$(gettext 
> "WARNING:") $(gettext "the key has expired.")" >&2
> +                                             warnings=1
> +                                     fi
>                               fi
>                       fi
>                       printf '\n' >&2
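
Review bot: the call in_array $pubkey ${acceptkeys[@]} is unquoted. If the grep/sed/awk pipeline produces nothing, $pubkey expands to no argument at all and the first acceptkeys entry is then searched for among the remaining ones. Quote both sides, in_array "$pubkey" "${acceptkeys[@]}", and treat an empty $pubkey as a failure before the lookup. The test (( $success )) can be written (( success )).
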
> @@ -2809,7 +2825,7 @@ fi
>  
>  unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
>  unset md5sums replaces depends conflicts backup source install changelog 
> build
> -unset makedepends optdepends options noextract
> +unset makedepends optdepends options noextract acceptkeys
>  
>  BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
>  if [[ ! -f $BUILDFILE ]]; then
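
Review bot: acceptkeys is added to the unset list here, which makes it a PKGBUILD variable, yet the diffstat lists only scripts/makepkg.sh.in and nothing documents it. Add a description of the array, the fingerprint format it expects and the missing-key-is-an-error behaviour to the PKGBUILD man page in the same patch.
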
> 
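
The allow-list check discussed in this thread, as an added example that is not part of the original message or of makepkg: a POSIX shell function that reads a gpg --status-fd file, takes the full fingerprint from the VALIDSIG line and compares it case-insensitively against the accepted fingerprints. The function names and the status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not makepkg code. The status lines below are constructed.
SAMPLE_VALID='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2014-03-01 1393632000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
SAMPLE_NOKEY='[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1393632000 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'

# check_signer STATUSFILE [FINGERPRINT...]   (hypothetical helper)
# Returns 0 if the signature is accepted, 1 if it is valid but made by a
# key outside the list, 2 if there is no valid signature at all (for
# example because the public key is missing).
check_signer() {
	cs_status=$1
	shift
	# Field 3 of a VALIDSIG status line is the signing key's full fingerprint.
	cs_fpr=$(awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print toupper($3); exit }' "$cs_status")
	[ -n "$cs_fpr" ] || return 2
	# An empty list keeps the old behaviour: any valid signature passes.
	[ "$#" -gt 0 ] || return 0
	for cs_allowed in "$@"; do
		# Normalise the listed value too: drop spaces, fold to upper case.
		cs_allowed=$(printf '%s' "$cs_allowed" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
		if [ "$cs_allowed" = "$cs_fpr" ]; then
			return 0
		fi
	done
	return 1
}

# check_sample STATUS_TEXT [FINGERPRINT...]
# Runs check_signer on inline status text and prints its return code.
check_sample() {
	cs_tmp=$(mktemp) || return 3
	printf '%s\n' "$1" > "$cs_tmp"
	shift
	cs_rc=0
	check_signer "$cs_tmp" "$@" || cs_rc=$?
	rm -f "$cs_tmp"
	printf '%s\n' "$cs_rc"
}

check_sample "$SAMPLE_VALID" '0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567'
check_sample "$SAMPLE_VALID" 'ffffffffffffffffffffffffffffffffffffffff'
check_sample "$SAMPLE_NOKEY" '0123456789abcdef0123456789abcdef01234567'
```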

