initial support for #41, lots of changes
authorrhatto <rhatto@04377dda-e619-0410-9926-eae83683ac58>
Thu, 22 Jan 2009 01:36:35 +0000 (01:36 +0000)
committerrhatto <rhatto@04377dda-e619-0410-9926-eae83683ac58>
Thu, 22 Jan 2009 01:36:35 +0000 (01:36 +0000)
git-svn-id: svn+slack://slack.fluxo.info/var/svn/simplepkg@765 04377dda-e619-0410-9926-eae83683ac58

trunk/conf/simplepkg.conf
trunk/doc/CHANGELOG
trunk/lib/common.sh
trunk/src/createpkg
trunk/src/mkbuild

index 003d40ea698264c15343dd3d9e35849c1e151baf..2da111694fe98180244bb868206778fdb57dc09d 100644 (file)
@@ -118,6 +118,15 @@ SIGN_PACKAGES_KEYID=""
 # Whether to use gpg-agent to sign packages
 SIGN_PACKAGES_WITH_GPG_AGENT="off"
 
+# Whether mkbuild should sign Manifests.
+SIGN_MANIFESTS="off"
+
+# GPG key id used for Manifest signature, leave blank to use default key.
+SIGN_MANIFESTS_KEYID=""
+
+# Whether to use gpg-agent to sign Manifests
+SIGN_MANIFESTS_WITH_GPG_AGENT="off"
+
 #---------------------------------------------------------------------
 #                        SIMPLARET SECTION
 #---------------------------------------------------------------------
index 21f945e5ef8aeec46993a66a5f3ef015eb3f2c5a..6ce61eed5a0d469e1f15106537e3240138bb790d 100644 (file)
@@ -52,7 +52,8 @@ simplepkg changelog
       - new config parameters PACKAGES_REPOS_STYLE, MOVE_SLACK_REQUIRED, MKBUILDS_SVN_USER,
         PACKAGES_SVN_USER, PACKAGES_SVN_GROUP, MKBUILDS_SVN_GROUP, PACKAGES_REPOS_NOARCH,
         PACKAGES_SVN, CREATEPKG_AUTHOR, SIGN_PACKAGES, SIGN_PACKAGES_USER. SIGN_PACKAGES_KEYID,
-        SIGN_PACKAGES_WITH_GPG_AGENT, SOURCE_DIR_USER, SOURCE_DIR_GROUP
+        SIGN_PACKAGES_WITH_GPG_AGENT, SOURCE_DIR_USER, SOURCE_DIR_GROUP, SIGN_MANIFESTS, 
+        SIGN_MANIFESTS_KEYID, SIGN_MANIFESTS_WITH_GPG_AGENT
       - cleaner -s option output
     - lspkg: fix on package search routine
     - jail-commit: using unified diff
index 932c1c5fba0b20a877075c29a018ca3ff4dcf29d..cc63bc6bb1cd908459a6dad653f0aed4b3e6b052 100644 (file)
@@ -1320,6 +1320,7 @@ function gen_meta {
 
 function repo_gpg_key {
 
+  # adds or updates a repository keyring
   # usage: repo_gpg_key <folder> [update]
 
   local folder="$1" update="$2" tmp_gpg_folder
@@ -1335,7 +1336,7 @@ function repo_gpg_key {
     update=false
   fi
 
-  if [ $SIGN_PACKAGES -eq $on ]; then
+  if [ $SIGN -eq $on ]; then
     if [ -f "$folder/GPG-KEY" ]; then
       if $update || ! gpg --with-colons < $folder/GPG-KEY | cut -d : -f 5 | grep -q -e "$SIGN_KEYID$"; then
         echo "Adding OpenPGP key id $SIGN_KEYID to $folder/GPG-KEY file..."
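Review bot: The new test `[ $SIGN -eq $on ]` leaves `$SIGN` unquoted, so if a caller reaches repo_gpg_key before SIGN is assigned (it is now set in createpkg's and mkbuild's load_parameters, not in common.sh itself) the test degrades to a syntax error rather than a clean "off" result. The mkbuild hunks in this same commit quote the equivalent variable (`[ "$SIGN_MANIFESTS" -eq $on ]`); `if [ "$SIGN" -eq $on ]; then` would match them, and a `${SIGN:-$off}` default would make the common.sh helper self-contained. repo_gpg_key continues outside this hunk.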
@@ -1343,17 +1344,17 @@ function repo_gpg_key {
         tmp_gpg_folder="`mktemp -d $TMP/tmp_gpg_folder.XXXXXX`"
         tmp_gpg_pubkey="`mktemp -d $TMP/tmp_gpg_pubkey.XXXXXX`"
 
-        if [ ! -z "$SIGN_PACKAGES_USER" ]; then
-          chown $SIGN_PACKAGES_USER $tmp_gpg_folder
-          chown $SIGN_PACKAGES_USER $tmp_gpg_pubkey
+        if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
+          chown $SIGN_USER $tmp_gpg_folder
+          chown $SIGN_USER $tmp_gpg_pubkey
 
           # merge pubkey information in a temporary keyring
-          su $SIGN_PACKAGES_USER -c "gpg --export --armor $SIGN_KEYID > $tmp_gpg_pubkey/pubkey.asc"
-          su $SIGN_PACKAGES_USER -c "gpg --homedir $tmp_gpg_folder --import < $folder/GPG-KEY"
-          su $SIGN_PACKAGES_USER -c "gpg --homedir $tmp_gpg_folder --import < $tmp_gpg_pubkey/pubkey.asc"
+          su $SIGN_USER -c "gpg --export --armor $SIGN_KEYID > $tmp_gpg_pubkey/pubkey.asc"
+          su $SIGN_USER -c "gpg --homedir $tmp_gpg_folder --import < $folder/GPG-KEY"
+          su $SIGN_USER -c "gpg --homedir $tmp_gpg_folder --import < $tmp_gpg_pubkey/pubkey.asc"
 
           # export temporary keyring to repository keyring
-          su $SIGN_PACKAGES_USER -c "gpg --homedir $tmp_gpg_folder --export --armor" > $folder/GPG-KEY
+          su $SIGN_USER -c "gpg --homedir $tmp_gpg_folder --export --armor" > $folder/GPG-KEY
         else
           # merge pubkey information in a temporary keyring
           gpg --export --armor $SIGN_KEYID > $tmp_gpg_pubkey/pubkey.asc
@@ -1370,8 +1371,8 @@ function repo_gpg_key {
       fi
     else
       echo "Adding OpenPGP key id $SIGN_KEYID to $folder/GPG-KEY file..."
-      if [ ! -z "$SIGN_PACKAGES_USER" ]; then
-        su $SIGN_PACKAGES_USER -c "gpg --export --armor $SIGN_KEYID" > $folder/GPG-KEY
+      if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
+        su $SIGN_USER -c "gpg --export --armor $SIGN_KEYID" > $folder/GPG-KEY
       else
         gpg --export --armor $SIGN_KEYID > $folder/GPG-KEY
       fi
@@ -1650,18 +1651,33 @@ function check_gnupg {
 
 }
 
-function get_sign_packages_user {
+function strip_gpg_signature {
+
+  # strip gpg signature from file
+  # usage: strip_gpg_signature <file>
+
+  local file="$1"
+
+  if [ -e "$file" ]; then
+    if grep -q -- "-----BEGIN PGP SIGNED MESSAGE-----" $file; then    
+      sed -e '1,3d' -e '/^$/d' -e '/-----BEGIN PGP SIGNATURE-----/,/-----END PGP SIGNATURE-----/d' $file
+    else
+      cat $file
+    fi
+  fi
+
+}
+
+function get_sign_user {
 
   # get sign package user
   # usage: get_sign_package_user
 
-  check_gnupg $SIGN_PACKAGES_USER
+  check_gnupg $SIGN_USER
 
-  if [ ! -z "$SIGN_PACKAGES_KEYID" ]; then
-    SIGN_KEYID="$SIGN_PACKAGES_KEYID"
-  else
-    if [ ! -z "$SIGN_PACKAGES_USER" ]; then
-      SIGN_KEYID="`su $SIGN_PACKAGES_USER -c \
+  if [ -z "$SIGN_KEYID" ]; then
+    if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
+      SIGN_KEYID="`su $SIGN_USER -c \
       "gpg --list-secret-keys --with-colons | grep ^sec | head -n 1 | cut -d : -f 5 | sed 's/^.*\(.\{8\}\)$/\1/'"`"
     else
       SIGN_KEYID="`gpg --list-secret-keys --with-colons | grep ^sec | head -n 1 | cut -d : -f 5 | sed 's/^.*\(.\{8\}\)$/\1/'`"
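Review bot: strip_gpg_signature assumes a clearsign header of exactly three lines (`sed -e '1,3d'`) and does not undo the dash-escaping that clearsign applies to message lines beginning with `-`, so a Manifest with an extra armor header line or a dash-escaped line is reconstructed incorrectly before the pipeline in update_manifest_info sorts it. Letting gpg reconstruct the text (`gpg --decrypt` on the clearsigned file writes the original message to stdout) avoids both problems, and the `/^$/d` rule would then be unnecessary. The usage comment in the renamed function is now stale: it should read `# usage: get_sign_user`. get_sign_user continues outside this hunk.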
index b3b3f973af28d912be93b46de1b800fc4fff8014..705b10bde08b51e8a1bf58b98f75a2eb152e9df8 100644 (file)
@@ -256,6 +256,11 @@ function load_parameters {
     GPG_AGENT_OPTION=""
   fi
 
+  # For use at common.sh functions
+  SIGN="$SIGN_PACKAGES"
+  SIGN_KEYID="$SIGN_PACKAGES_KEYID"
+  SIGN_USER="$SIGN_PACKAGES_USER"
+
   REMOVE_OLD_PACKAGE="`eval_boolean_parameter REMOVE_OLD_PACKAGE $off`"
   MOVE_BIN_PACKAGE="`eval_boolean_parameter MOVE_BIN_PACKAGE $off`"
   MOVE_SLACK_REQUIRED="`eval_boolean_parameter MOVE_SLACK_REQUIRED $off`"
@@ -633,7 +638,7 @@ case $1 in
     exit $EXIT_CODE
   ;;
   '--update-keyring')
-    get_sign_packages_user
+    get_sign_user
     repo_gpg_key $PACKAGES_DIR --update
     if [ $PACKAGES_REPOS_NOARCH -eq $on ]; then
       repo_gpg_key $NOARCH_DIR --update
@@ -773,9 +778,9 @@ if [ $SIGN_PACKAGES -eq $on ]; then
 
   echo "Signing package..."
 
-  get_sign_packages_user
+  get_sign_user
 
-  if [ ! -z "$SIGN_PACKAGES_USER" ]; then
+  if [ ! -z "$SIGN_PACKAGES_USER" ] && [ "`whoami`" != "$SIGN_PACKAGES_USER" ]; then
     tmp_sign_folder="`mktemp -d $TMP/createpkg_sign.XXXXXX`"
     chown $SIGN_PACKAGES_USER $tmp_sign_folder
     su $SIGN_PACKAGES_USER -c "gpg $GPG_AGENT_OPTION --armor -sb -u $SIGN_KEYID -o $tmp_sign_folder/$PKG_NAME.asc $PACKAGES_DIR/$PKG_NAME"
index ffa4d040c3c6cafe08a931fb50f06e6ebbc2d34c..6ca1259807b38124218d8cee45ff6e3b5c8d9f24 100755 (executable)
@@ -238,6 +238,7 @@ function set_parameters {
       ;;
       '--sync' )
         # Synchronize mkbuilds repository
+        mkbuild_update_keyring
         sync_repo $MKBUILDS_DIR $MKBUILDS_SVN
         exit $?
       ;;
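Review bot: mkbuild_update_keyring runs before sync_repo, so keys added to the repository's GPG-KEY by the sync that follows are not imported until the next `--sync`. Whether MKBUILDS_DIR and SIGN_USER are already populated at this point in set_parameters is not visible here (load_parameters sets them); if they are not, the keyring path resolves to `/GPG-KEY` and the helper silently falls into repo_gpg_key. If the ordering is intentional, a comment such as `# keyring is refreshed from the pre-sync GPG-KEY; new upstream keys land on the next --sync` would make that explicit; otherwise call it after sync_repo and preserve the sync exit status for `exit`.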
@@ -664,6 +665,10 @@ function submit_slackbuild {
     fi
   done
 
+  if [ "$SIGN_MANIFESTS" -eq $on ]; then
+    repo_gpg_key $SLACKBUILDS_DIR
+  fi
+
   cd $WORK
 
 }
@@ -708,6 +713,11 @@ function submit_mkbuild {
   done  
 
   submit_cleanup
+
+  if [ "$SIGN_MANIFESTS" -eq $on ]; then
+    repo_gpg_key $MKBUILDS_DIR
+  fi
+
   cd $WORK
 
 }
@@ -839,6 +849,30 @@ function load_parameters {
   COLOR_MODE="`eval_parameter COLOR_MODE none`"
   TMP="`eval_parameter TMP /tmp`"
 
+  SIGN_MANIFESTS="`eval_boolean_parameter SIGN_MANIFESTS $off`"
+  SIGN_MANIFESTS_USER="`eval_parameter SIGN_MANIFESTS_USER`"
+  SIGN_MANIFESTS_KEYID="`eval_parameter SIGN_MANIFESTS_KEYID`"
+  SIGN_MANIFESTS_WITH_GPG_AGENT="`eval_boolean_parameter SIGN_MANIFESTS_WITH_GPG_AGENT $off`"
+
+  if [ ! -z "$SIGN_MANIFESTS_KEYID" ]; then
+    SIGN_MANIFESTS_KEYID="`echo $SIGN_MANIFESTS_KEYID | tr '[:lower:]' '[:upper:]'`"
+  fi
+
+  if [ "$SIGN_MANIFESTS_WITH_GPG_AGENT" -eq $on ]; then
+    GPG_AGENT_OPTION="--use-agent"
+  else
+    GPG_AGENT_OPTION=""
+  fi  
+
+  # For use at common.sh functions
+  SIGN="$SIGN_MANIFESTS"
+  SIGN_KEYID="$SIGN_MANIFESTS_KEYID"
+  SIGN_USER="$SIGN_MANIFESTS_USER"
+
+  if [ "$SIGN_MANIFESTS" -eq $on ]; then
+    get_sign_user
+  fi
+
 }
 
 function file_metainfo {
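Review bot: `SIGN_MANIFESTS_USER` is read here via eval_parameter but neither the simplepkg.conf hunk nor the CHANGELOG hunk in this commit documents it, while the other three SIGN_MANIFESTS_* parameters are listed in both. A user cannot discover that Manifest signing can be delegated to another account. Adding `# User whose keyring is used to sign Manifests, leave blank for the current user.` and `SIGN_MANIFESTS_USER=""` to the conf file, and the name to the CHANGELOG list, closes the gap. Note also that load_parameters unconditionally calls get_sign_user when signing is on, which spawns `su $SIGN_USER -c "gpg --list-secret-keys ..."` on every mkbuild invocation when no KEYID is configured; that may be acceptable, but it is worth a comment.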
@@ -941,7 +975,7 @@ function update_manifest_info {
   fi
 
   # Save Manifest changes
-  sort $tmpfile > $WORK/Manifest
+  strip_gpg_signature $tmpfile | sort > $WORK/Manifest
 
   rm -f $tmpfile
 
@@ -949,6 +983,12 @@ function update_manifest_info {
 
 function edit_manifest {
 
+  # Check if existing Manifest is properly signed
+  if ! check_manifest_signature; then
+    echo "Invalid signature at $WORK/Manifest, aborting."
+    return 1
+  fi
+
   # Update Manifest file
   echo "Updating Manifest..."
 
@@ -994,6 +1034,9 @@ function edit_manifest {
     fi
   done
 
+  # Finally, sign the Manifest
+  sign_manifest
+
 }
 
 function get_file {
@@ -1150,6 +1193,12 @@ function update_manifest {
     return
   fi
 
+  # Check if existing Manifest is properly signed
+  if ! check_manifest_signature; then
+    echo "Invalid signature at $WORK/Manifest, aborting."
+    return 1
+  fi  
+
   echo "Updating DIST information at $MKBUILD_NAME Manifest..."
 
   # Determine file location
@@ -1162,6 +1211,9 @@ function update_manifest {
     echo "Can't get $DIST_SRC_NAME."
   fi
 
+  # Finally, sign the Manifest
+  sign_manifest
+
 }
 
 function if_previous_error {
@@ -1400,11 +1452,14 @@ function make_slackbuild {
   # Update Manifest file
   edit_manifest
 
-  # Commit SlackBuild
-  [ $SUBMIT_SLACKBUILD -eq $on ] && submit_slackbuild
+  if [ "$?" == "0" ]; then
 
-  # Commit mkbuild
-  [ $SUBMIT_MKBUILD -eq $on ] && submit_mkbuild
+    # Commit SlackBuild
+    [ $SUBMIT_SLACKBUILD -eq $on ] && submit_slackbuild
+
+    # Commit mkbuild
+    [ $SUBMIT_MKBUILD -eq $on ] && submit_mkbuild
+  fi
 
 }
 
@@ -1468,8 +1523,6 @@ function edit_mkbuild {
   # edit a mkbuild
   # usage: edit_mkbuild
 
-  local match
-
   if [ -e "$MKBUILD_NAME" ]; then
     if [ -z "$EDITOR" ]; then
       EDITOR="vi"
@@ -1482,6 +1535,85 @@ function edit_mkbuild {
 
 }
 
+function mkbuild_update_keyring  {
+
+  # Update keyring using GPG-KEY from
+  # mkbuild repository
+
+  local keyring keys key
+
+  keyring="$MKBUILDS_DIR/GPG-KEY"
+
+  if [ ! -e "$keyring" ]; then
+    repo_gpg_key $MKBUILDS_DIR
+    return
+  fi
+  
+  keys="`gpg --with-colons $MKBUILDS_DIR/GPG-KEY | cut -d : -f 5 | sed -e '/^$/d'`"
+
+  for key in $keys; do
+    if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
+      su $SIGN_USER -c "gpg --list-keys $key &> /dev/null"
+      if [ "$?" != "0" ]; then
+        echo "Updating keyring using $keyring..."
+        su $SIGN_USER -c "gpg --import $keyring"
+        break
+      fi
+    else
+      gpg --list-keys $key &> /dev/null
+      if [ "$?" != "0" ]; then
+        echo "Updating keyring using $keyring..."
+        gpg --import $keyring
+        break
+      fi
+    fi
+  done
+
+}
+
+function sign_manifest {
+
+  # sign manifest file
+  # usage: sign_manifest
+
+  if [ "$SIGN_MANIFESTS" -eq $on ]; then
+    echo "Signing Manifest..."
+    if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
+      su $SIGN_USER -c "gpg $GPG_AGENT_OPTION --clearsign -u $SIGN_KEYID $WORK/Manifest"
+      mv $WORK/Manifest.asc $WORK/Manifest
+    else
+      gpg $GPG_AGENT_OPTION --clearsign -u $SIGN_KEYID $WORK/Manifest
+      mv $WORK/Manifest.asc $WORK/Manifest
+    fi
+  fi
+
+}
+
+function check_manifest_signature {
+
+  # check if a manifest signature is valid
+  # usage: check_manifest_signature
+
+  if [ -e "$WORK/Manifest" ]; then
+    if grep -q -- "-----BEGIN PGP SIGNED MESSAGE-----" $WORK/Manifest; then
+      echo "Checking existing Manifest signature..."
+      mkbuild_update_keyring
+      if [ ! -z "$SIGN_USER" ] && [ "`whoami`" != "$SIGN_USER" ]; then
+        su $SIGN_USER -c "gpg --verify $WORK/Manifest"
+        if [ "$?" != "0" ]; then
+          return 1
+        fi
+      else
+        gpg --verify $WORK/Manifest
+        if [ "$?" != "0" ]; then
+          return 1
+        fi
+      fi
+    fi
+  fi
+
+}
+
 function delete_mkbuilds {
 
   # TODO
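Review bot: check_manifest_signature establishes only that the Manifest was signed by some key present in the repository's own GPG-KEY file, not by a trusted signer: mkbuild_update_keyring imports every key from `$MKBUILDS_DIR/GPG-KEY` into the verifying keyring first, and `gpg --verify` exits 0 for a good signature from any known key regardless of its trust level. Since GPG-KEY lives in the same repository as the Manifest, whoever can alter the Manifest can presumably also add the key it was signed with, which defeats the check's purpose. Verifying against a keyring maintained outside the repository (gpg's `--no-default-keyring --keyring FILE` options, with the file supplied out of band), or at least comparing the signing key id reported by gpg against a configured allowlist, and not calling mkbuild_update_keyring from the verification path, would give the check real meaning; a comment stating the current trust assumption is the minimum. In sign_manifest the `mv $WORK/Manifest.asc $WORK/Manifest` runs even when gpg fails (wrong passphrase, missing key), so chaining it as `gpg $GPG_AGENT_OPTION --clearsign -u $SIGN_KEYID $WORK/Manifest && mv $WORK/Manifest.asc $WORK/Manifest` in both branches keeps the failure visible to make_slackbuild's status check.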