On Sat, Mar 08, 2014 at 05:40:17PM +0100, Thomas Bächler wrote:
> If validpgpkeys is set in the PKGBUILD, signature checking fails if
> the fingerprint of the key used to create the signature is not listed
> in the array.
> 
> The key's trust value is ignored.
> ---
>  doc/PKGBUILD.5.txt    |  7 +++++++
>  scripts/makepkg.sh.in | 16 ++++++++++++++--
>  2 files changed, 21 insertions(+), 2 deletions(-)
> 
> diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
> index 50d8347..7a1e924 100644
> --- a/doc/PKGBUILD.5.txt
> +++ b/doc/PKGBUILD.5.txt
> @@ -128,6 +128,13 @@ Files in the source array with extensions `.sig`, 
> `.sign` or, `.asc` are
>  recognized by makepkg as PGP signatures and will be automatically used to 
> verify
>  the integrity of the corresponding source file.
>  
> +*validpgpkeys (array)*::
> +     An array of PGP fingerprints. If this array is non-empty, makepkg will
> +     only accept signatures from the keys listed here and will ignore the
> +     trust values from the keyring.
> ++
> +Fingerprints must be uppercase and must not contain whitespace characters.
> +
>  *noextract (array)*::
>       An array of file names corresponding to those from the source array. 
> Files
>       listed here will not be extracted with the rest of the source files. 
> This
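Review bot: the requirement added at `+Fingerprints must be uppercase and must not contain whitespace characters.` is documented but never enforced: the `is_valid_pgpkey` hunk compares the array entries verbatim (`in_array "$pubkey" ...`) against the `[A-Z0-9]*` token pulled from the status file, so a lowercase or spaced entry is not reported as a malformed PKGBUILD but silently fails every signature as "invalid key". Either say so here ("a fingerprint in any other form will never match") or, better, validate the array entries against that format before the comparison so the error points at the PKGBUILD rather than at the signature.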
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 015bdd7..6eb6d11 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1244,6 +1244,15 @@ check_checksums() {
>       fi
>  }
>  
> +is_valid_pgpkey() {
> +     local pubkey
> +
> +     pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG 
> ([A-Z0-9]*) .*/\1/p;')

I think you just want:

  pubkey=$(sed -n '/VALIDSIG/ s/.* VALIDSIG \([[:alnum:]]*\) .*/\1/p' "$statusfile")

sed's -r flag isn't portable.

> +     echo "$pubkey"

Don't you only want to echo this if the check that follows succeeds?

> +     in_array "$pubkey" ${validpgpkeys[@]}

The array needs quoting.

> +     return $?

Wholly redundant for this function in its current form.

> +}
> +
>  check_pgpsigs() {
>       (( SKIPPGPCHECK )) && return 0
>       ! source_has_signatures && return 0
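Review bot: the call site in the next hunk is `pubkey=$(is_valid_pgpkey "$statusfile")`, but `is_valid_pgpkey` never looks at `$1`; it reads the global `$statusfile` directly, so the argument is dead. Either drop it from the call or have the function honour it (`local statusfile=$1`). Also, when the status file contains no `VALIDSIG` line, `pubkey` is empty yet still echoed and looked up, so the caller's message ends up as "invalid key )" with nothing in between; return non-zero early when the extraction yields nothing.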
> @@ -1303,9 +1312,12 @@ check_pgpsigs() {
>                       if grep -q "REVKEYSIG" "$statusfile"; then
>                               printf '%s (%s)' "$(gettext "FAILED")" 
> "$(gettext "the key has been revoked.")" >&2
>                               errors=1
> -                     elif grep -q -e "TRUST_UNDEFINED" -e "TRUST_NEVER" 
> "$statusfile"; then
> +                     elif (( ${#validpgpkeys[@]} == 0 )) && grep -q -e 
> "TRUST_UNDEFINED" -e "TRUST_NEVER" "$statusfile"; then
>                               printf '%s (%s)' "$(gettext "FAILED")" 
> "$(gettext "the key is not trusted")" >&2
>                               errors=1
> +                     elif (( ${#validpgpkeys[@]} > 0 )) && ! 
> pubkey=$(is_valid_pgpkey "$statusfile"); then
> +                             printf "%s (%s $pubkey)" "$(gettext "FAILED")" 
> "$(gettext "invalid key")"
> +                             errors=1

Is there a decent way to extract the real status from the file once and
then do string comparisons in bash, rather than forking to grep all the
time?

>                       else
>                               printf '%s' "$(gettext "Passed")" >&2
>                               if grep -q "EXPSIG" "$statusfile"; then
> @@ -2810,7 +2822,7 @@ fi
>  
>  unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
>  unset md5sums replaces depends conflicts backup source install changelog 
> build
> -unset makedepends optdepends options noextract
> +unset makedepends optdepends options noextract validpgpkeys
>  
>  BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
>  if [[ ! -f $BUILDFILE ]]; then
> -- 
> 1.9.0
> 
> 
