Message ID | 20220531094036.10838-1-allan@archlinux.org |
---|---|
State | Accepted, archived |
Headers | show |
Series | makepkg: add source signing PGP keys to package if available | expand |
On Tuesday, 31 May 2022, Allan McRae <allan@archlinux.org> wrote: > Arch Linux is adding source signing PGP keys to their package source > tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the > PGP keyserver infrastructure is a mess, this helps other people validate > sources in a PKGBUILD. > > Add the keys to source packages if found alongside the PKGBUILD. > > Signed-off-by: Allan McRae <allan@archlinux.org> > --- > > I won't be committing this until the relevant Arch devtools patch is > accepted so that the keys/pgp/ path is finalised. > > scripts/makepkg.sh.in | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in > index 69757d03..bddcbe03 100644 > --- a/scripts/makepkg.sh.in > +++ b/scripts/makepkg.sh.in > @@ -705,6 +705,16 @@ create_srcpackage() { > done > pkgname=(${pkgname_backup[@]}) > > + # add a copy of source PGP signing public keys if availabe in > keys/pgp/<fingerprint>.asc > + local key > + for key in ${validpgpkeys[@]}; do > + if [[ -f keys/pgp/$key.asc ]]; then > + mkdir -p "${srclinks}/${pkgbase}/keys/pgp/" > + ln -s "${startdir}/keys/pgp/$key.asc" > "${srclinks}/${pkgbase}/keys/pgp/" > + fi > + done > + Thanks for tackling the topic Allan - here and in devtools. Would it make sense to error out if any key is missing? Be that now or in the mid-to-long run. Perhaps we can mandate it when devtools version X is detected, or as makepkg.conf toggle Y is set? -Emil
On 1/6/22 19:35, Emil Velikov wrote: > On Tuesday, 31 May 2022, Allan McRae <allan@archlinux.org > <mailto:allan@archlinux.org>> wrote: > > Arch Linux is adding source signing PGP keys to their package source > tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the > PGP keyserver infrastructure is a mess, this helps other people validate > sources in a PKGBUILD. > > Add the keys to source packages if found alongside the PKGBUILD. > > Signed-off-by: Allan McRae <allan@archlinux.org > <mailto:allan@archlinux.org>> > --- > > I won't be committing this until the relevant Arch devtools patch is > accepted so that the keys/pgp/ path is finalised. > > scripts/makepkg.sh.in <http://makepkg.sh.in> | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/scripts/makepkg.sh.in <http://makepkg.sh.in> > b/scripts/makepkg.sh.in <http://makepkg.sh.in> > index 69757d03..bddcbe03 100644 > --- a/scripts/makepkg.sh.in <http://makepkg.sh.in> > +++ b/scripts/makepkg.sh.in <http://makepkg.sh.in> > @@ -705,6 +705,16 @@ create_srcpackage() { > done > pkgname=(${pkgname_backup[@]}) > > + # add a copy of source PGP signing public keys if availabe > in keys/pgp/<fingerprint>.asc > + local key > + for key in ${validpgpkeys[@]}; do > + if [[ -f keys/pgp/$key.asc ]]; then > + mkdir -p "${srclinks}/${pkgbase}/keys/pgp/" > + ln -s "${startdir}/keys/pgp/$key.asc" > "${srclinks}/${pkgbase}/keys/pgp/" > + fi > + done > + > > > Thanks for tackling the topic Allan - here and in devtools. > > Would it make sense to error out if any key is missing? Be that now or > in the mid-to-long run. devtools will, makepkg will not. > Perhaps we can mandate it when devtools version X is detected, or as > makepkg.conf toggle Y is set? I think this is a distro specific policy and not something to be enforced at the makepkg end. Allan
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 69757d03..bddcbe03 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -705,6 +705,16 @@ create_srcpackage() { done pkgname=(${pkgname_backup[@]}) + # add a copy of source PGP signing public keys if availabe in keys/pgp/<fingerprint>.asc + local key + for key in ${validpgpkeys[@]}; do + if [[ -f keys/pgp/$key.asc ]]; then + mkdir -p "${srclinks}/${pkgbase}/keys/pgp/" + ln -s "${startdir}/keys/pgp/$key.asc" "${srclinks}/${pkgbase}/keys/pgp/" + fi + done + + local fullver=$(get_full_version) local pkg_file="$SRCPKGDEST/${pkgbase}-${fullver}${SRCEXT}"
Arch Linux is adding source signing PGP keys to their package source tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the PGP keyserver infrastructure is a mess, this helps other people validate sources in a PKGBUILD. Add the keys to source packages if found alongside the PKGBUILD. Signed-off-by: Allan McRae <allan@archlinux.org> --- I won't be committing this until the relevant Arch devtools patch is accepted so that the keys/pgp/ path is finalised. scripts/makepkg.sh.in | 10 ++++++++++ 1 file changed, 10 insertions(+)