From d00a28ea0ed981d47634504c3eb67c5b8870bc62 Mon Sep 17 00:00:00 2001 From: Allan McRae Date: Tue, 29 Mar 2022 19:36:16 +1000 Subject: Export source PGPs from PKGBUILD on commit Provide a tool to export keys listed in the PKGBUILDs validpgpkeys to keys/pgp/$fingerprint.asc. The presense of the "keys" directory alongside the PKGBUILD in trunk/ is tested during commitpkg. If the directory is abscent, keys are exported and added to the commit. If the directory is present, a check is made to ensure all valid PGP keys are provided. Signed-off-by: Allan McRae Signed-off-by: Levente Polyak --- export-pkgbuild-keys.in | 68 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 export-pkgbuild-keys.in (limited to 'export-pkgbuild-keys.in') diff --git a/export-pkgbuild-keys.in b/export-pkgbuild-keys.in new file mode 100644 index 0000000..f392f4c --- /dev/null +++ b/export-pkgbuild-keys.in @@ -0,0 +1,68 @@ +#!/bin/bash +# +# SPDX-License-Identifier: GPL-3.0-or-later + +m4_include(lib/common.sh) + +usage() { + cat <<- _EOF_ + Usage: ${BASH_SOURCE[0]##*/} + + Export the PGP keys from a PKGBUILDs validpgpkeys array into the keys/pgp/ + subdirectory. Useful for distributing packager validated source signing + keys alongside PKGBUILDs. + + OPTIONS + -h, --help Show this help text +_EOF_ +} + +# option checking +while (( $# )); do + case $1 in + -h|--help) + usage + exit 0 + ;; + *) + die "invalid argument: %s" "$1" + ;; + esac +done + +if [[ ! -f PKGBUILD ]]; then + die "This must be run a directory containing a PKGBUILD." +fi + +mapfile -t validpgpkeys < <( + # shellcheck source=PKGBUILD.proto + . ./PKGBUILD + printf "%s\n" "${validpgpkeys[@]}" +) + +if (( ${#validpgpkeys[@]} == 0 )); then + exit 0 +fi + +mkdir -p keys/pgp +error=0 + +for key in "${validpgpkeys[@]}"; do + gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null + + # gpg does not give a non-zero return value if it fails to export... + if [[ -f keys/pgp/$key.asc.tmp ]]; then + mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc" + else + if [[ -f keys/pgp/$key.asc ]]; then + warning "Failed to update key: $key" + else + error "Key unavailable: $key" + error=1 + fi + fi +done + +if (( error )); then + die "Failed to export all \'validpgpkeys\' entries." +fi -- cgit v1.2.3-70-g09d2 From 8d4c46d3689c5b859587c54f2741555f75479db4 Mon Sep 17 00:00:00 2001 From: Levente Polyak Date: Thu, 9 Jun 2022 20:44:47 +0200 Subject: export-pkgbuild-keys: add simple success export messages Signed-off-by: Levente Polyak --- export-pkgbuild-keys.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'export-pkgbuild-keys.in') diff --git a/export-pkgbuild-keys.in b/export-pkgbuild-keys.in index f392f4c..b5b1240 100644 --- a/export-pkgbuild-keys.in +++ b/export-pkgbuild-keys.in @@ -40,6 +40,7 @@ mapfile -t validpgpkeys < <( printf "%s\n" "${validpgpkeys[@]}" ) +msg "Exporting ${#validpgpkeys[@]} PGP keys..." if (( ${#validpgpkeys[@]} == 0 )); then exit 0 fi @@ -52,6 +53,7 @@ for key in "${validpgpkeys[@]}"; do # gpg does not give a non-zero return value if it fails to export... if [[ -f keys/pgp/$key.asc.tmp ]]; then + msg2 "Exported $key" mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc" else if [[ -f keys/pgp/$key.asc ]]; then -- cgit v1.2.3-70-g09d2 From 01b6196883d0e44b9f8f17c7f4f28df27ab5ac14 Mon Sep 17 00:00:00 2001 From: Levente Polyak Date: Thu, 9 Jun 2022 21:02:56 +0200 Subject: export-pkgbuild-keys: use TEMPDIR while exporting key This avoids the possibility to pollute the keys directory with temporary files if the script is aborted in between. Signed-off-by: Levente Polyak --- export-pkgbuild-keys.in | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'export-pkgbuild-keys.in') diff --git a/export-pkgbuild-keys.in b/export-pkgbuild-keys.in index b5b1240..c10e4d1 100644 --- a/export-pkgbuild-keys.in +++ b/export-pkgbuild-keys.in @@ -45,16 +45,19 @@ if (( ${#validpgpkeys[@]} == 0 )); then exit 0 fi +trap 'rm -rf $TEMPDIR' EXIT INT TERM QUIT +TEMPDIR=$(mktemp -d --tmpdir export-pkgbuild-keys.XXXXXXXXXX) + mkdir -p keys/pgp error=0 for key in "${validpgpkeys[@]}"; do - gpg --output "keys/pgp/$key.asc.tmp" --armor --export --export-options export-minimal "$key" 2>/dev/null + gpg --output "$TEMPDIR/$key.asc" --armor --export --export-options export-minimal "$key" 2>/dev/null # gpg does not give a non-zero return value if it fails to export... - if [[ -f keys/pgp/$key.asc.tmp ]]; then + if [[ -f $TEMPDIR/$key.asc ]]; then msg2 "Exported $key" - mv "keys/pgp/$key.asc.tmp" "keys/pgp/$key.asc" + mv "$TEMPDIR/$key.asc" "keys/pgp/$key.asc" else if [[ -f keys/pgp/$key.asc ]]; then warning "Failed to update key: $key" -- cgit v1.2.3-70-g09d2 From f386c131426927cca3f771408dbc70a05602a44d Mon Sep 17 00:00:00 2001 From: Levente Polyak Date: Wed, 22 Jun 2022 00:51:22 +0200 Subject: export-pkgbuild-keys: fix export for packages without validpgpkeys In case the validpgpkeys array is empty or undefined, the empty printf line only included a single line break which lead to mapfile -t consuming it as an array with 1 element consisting of an empty string. Fix this by only calling the printf in case the validpgpkeys array is not empty. Without any output, the mapfile -t will simply produce an empty array. Signed-off-by: Levente Polyak --- export-pkgbuild-keys.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'export-pkgbuild-keys.in') diff --git a/export-pkgbuild-keys.in b/export-pkgbuild-keys.in index c10e4d1..8697b3d 100644 --- a/export-pkgbuild-keys.in +++ b/export-pkgbuild-keys.in @@ -37,7 +37,9 @@ fi mapfile -t validpgpkeys < <( # shellcheck source=PKGBUILD.proto . ./PKGBUILD - printf "%s\n" "${validpgpkeys[@]}" + if (( ${#validpgpkeys[@]} )); then + printf "%s\n" "${validpgpkeys[@]}" + fi ) msg "Exporting ${#validpgpkeys[@]} PGP keys..." -- cgit v1.2.3-70-g09d2