makepkg: add source signing PGP keys to package if available

Message ID 20220531094036.10838-1-allan@archlinux.org
State New
Series makepkg: add source signing PGP keys to package if available

Commit Message

Allan McRae May 31, 2022, 9:40 a.m. UTC
Arch Linux is adding source signing PGP keys to their package source
tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
PGP keyserver infrastructure is a mess, this helps other people validate
sources in a PKGBUILD.

Add the keys to source packages if found alongside the PKGBUILD.

Signed-off-by: Allan McRae <allan@archlinux.org>
---

I won't be committing this until the relevant Arch devtools patch is
accepted so that the keys/pgp/ path is finalised.

 scripts/makepkg.sh.in | 10 ++++++++++
 1 file changed, 10 insertions(+)
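
The layout above relies on keys/pgp/<fingerprint>.asc actually holding the key whose fingerprint is in the file name; makepkg only copies the file, it does not check that. The following is an added example, not makepkg or devtools code, of the check a consumer of a source package would run before importing such a file: it strips the ASCII armor, walks the OpenPGP packets and computes the v4 primary-key fingerprint per RFC 4880 section 12.2, then compares it with the file name. It is pure Python so it runs without gpg. The function names (dearmor, iter_packets, check_key_files, build_sample_key), the key_files mapping that stands in for the keys/pgp directory, and the sample key are all constructed here; the sample is not a real key and the numbers in it are arbitrary.

```python
# Added example (not makepkg/devtools code): check that each keys/pgp/<fingerprint>.asc
# file really carries the fingerprint in its name before trusting it for source
# verification. Pure Python so it runs without gpg; the sample key is constructed, NOT real.
import base64
import hashlib
import struct

def dearmor(armored: str) -> bytes:
    """Strip OpenPGP ASCII armor (RFC 4880 6.2) and return the raw packet bytes."""
    lines = armored.strip().splitlines()
    if (len(lines) < 2 or not lines[0].startswith("-----BEGIN PGP")
            or not lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    # a line starting with '=' is the CRC24 checksum line, not key data
    return base64.b64decode("".join(ln.strip() for ln in body if ln and not ln.startswith("=")))

def iter_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet; old and new header formats (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte")
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || public-key packet body."""
    if not body or body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def primary_fingerprint(armored: str) -> str:
    """Fingerprint of the primary key (the first tag 6 packet) in an armored key block."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")

def check_key_files(validpgpkeys, key_files) -> dict:
    """Map each validpgpkeys entry to 'ok', 'missing', 'mismatch: ...' or 'unparseable: ...'.
    key_files maps paths like keys/pgp/<FP>.asc to armored contents (stands in for the
    directory next to the PKGBUILD). Entries are upper-cased here; the makepkg patch
    instead uses the validpgpkeys string verbatim as the file name."""
    result = {}
    for entry in validpgpkeys:
        fp = entry.upper()
        armored = key_files.get(f"keys/pgp/{fp}.asc")
        if armored is None:
            result[fp] = "missing"
            continue
        try:
            actual = primary_fingerprint(armored)
        except ValueError as exc:
            result[fp] = f"unparseable: {exc}"
            continue
        result[fp] = "ok" if actual == fp else f"mismatch: file carries {actual}"
    return result

def build_sample_key(n: int, e: int, created: int) -> bytes:
    """Constructed minimal v4 RSA public-key packet, old-format header; NOT a usable key."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return bytes([0x98, len(body)]) + body        # 0x98: old format, tag 6, one-octet length

def armor(packets: bytes) -> str:
    b64 = base64.b64encode(packets).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----\n"

SAMPLE_KEY = armor(build_sample_key((1 << 1023) + 12345, 65537, 1654000000))
SAMPLE_FP = primary_fingerprint(SAMPLE_KEY)

# Constructed "keys/pgp" directory: the key under its real name, and the same key under a wrong name.
KEY_FILES = {f"keys/pgp/{SAMPLE_FP}.asc": SAMPLE_KEY, "keys/pgp/" + "A" * 40 + ".asc": SAMPLE_KEY}
REPORT = check_key_files([SAMPLE_FP, "A" * 40, "B" * 40], KEY_FILES)   # ok / mismatch / missing
if __name__ == "__main__":
    for fp, status in REPORT.items():
        print(fp, status)
```

The "mismatch" case is the one that matters for security: a file named after a trusted fingerprint but containing a different key would let a source signed by that other key pass once it is imported. With gpg available the same comparison is `gpg --show-keys --with-fingerprint keys/pgp/<fingerprint>.asc` against the file name; the parser above only handles v4 keys and the packet length forms gpg normally emits, which is enough for exported public keys.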

Comments

Emil Velikov June 1, 2022, 9:35 a.m. UTC | #1
On Tuesday, 31 May 2022, Allan McRae <allan@archlinux.org> wrote:

> Arch Linux is adding source signing PGP keys to their package source
> tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
> PGP keyserver infrastructure is a mess, this helps other people validate
> sources in a PKGBUILD.
>
> Add the keys to source packages if found alongside the PKGBUILD.
>
> Signed-off-by: Allan McRae <allan@archlinux.org>
> ---
>
> I won't be committing this until the relevant Arch devtools patch is
> accepted so that the keys/pgp/ path is finalised.
>
>  scripts/makepkg.sh.in | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 69757d03..bddcbe03 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -705,6 +705,16 @@ create_srcpackage() {
>         done
>         pkgname=(${pkgname_backup[@]})
>
> +       # add a copy of source PGP signing public keys if availabe in
> keys/pgp/<fingerprint>.asc
> +       local key
> +       for key in ${validpgpkeys[@]}; do
> +               if [[ -f keys/pgp/$key.asc ]]; then
> +                       mkdir -p "${srclinks}/${pkgbase}/keys/pgp/"
> +                       ln -s "${startdir}/keys/pgp/$key.asc"
> "${srclinks}/${pkgbase}/keys/pgp/"
> +               fi
> +       done
> +
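Review bot: the existence test and the symlink source use different base directories: `[[ -f keys/pgp/$key.asc ]]` is evaluated relative to the current working directory, while the link target is `"${startdir}/keys/pgp/$key.asc"`; testing `[[ -f "${startdir}/keys/pgp/$key.asc" ]]` keeps the two in step even if the cwd changes later in create_srcpackage. The loop header `for key in ${validpgpkeys[@]}; do` also leaves the array unquoted, so `"${validpgpkeys[@]}"` would avoid word splitting and globbing of the entries. Because `$key` is used verbatim in the file name, a fingerprint written in lower case in validpgpkeys will not match an upper-case `keys/pgp/<FINGERPRINT>.asc` file; either normalise the case here or document that the file name must match the PKGBUILD entry exactly.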


Thanks for tackling the topic Allan - here and in devtools.

Would it make sense to error out if any key is missing? Be that now or in
the mid-to-long run.

Perhaps we can mandate it when devtools version X is detected, or as
makepkg.conf toggle Y is set?

-Emil
Allan McRae June 1, 2022, 12:02 p.m. UTC | #2
On 1/6/22 19:35, Emil Velikov wrote:
> On Tuesday, 31 May 2022, Allan McRae <allan@archlinux.org> wrote:
> 
>     Arch Linux is adding source signing PGP keys to their package source
>     tree alongside PKGBUILDs in the form keys/pgp/$fingerprint.asc. As the
>     PGP keyserver infrastructure is a mess, this helps other people validate
>     sources in a PKGBUILD.
> 
>     Add the keys to source packages if found alongside the PKGBUILD.
> 
>     Signed-off-by: Allan McRae <allan@archlinux.org>
>     ---
> 
>     I won't be committing this until the relevant Arch devtools patch is
>     accepted so that the keys/pgp/ path is finalised.
> 
>       scripts/makepkg.sh.in | 10 ++++++++++
>       1 file changed, 10 insertions(+)
> 
>     diff --git a/scripts/makepkg.sh.in <http://makepkg.sh.in>
>     b/scripts/makepkg.sh.in <http://makepkg.sh.in>
>     index 69757d03..bddcbe03 100644
>     --- a/scripts/makepkg.sh.in <http://makepkg.sh.in>
>     +++ b/scripts/makepkg.sh.in <http://makepkg.sh.in>
>     @@ -705,6 +705,16 @@ create_srcpackage() {
>              done
>              pkgname=(${pkgname_backup[@]})
> 
>     +       # add a copy of source PGP signing public keys if availabe
>     in keys/pgp/<fingerprint>.asc
>     +       local key
>     +       for key in ${validpgpkeys[@]}; do
>     +               if [[ -f keys/pgp/$key.asc ]]; then
>     +                       mkdir -p "${srclinks}/${pkgbase}/keys/pgp/"
>     +                       ln -s "${startdir}/keys/pgp/$key.asc"
>     "${srclinks}/${pkgbase}/keys/pgp/"
>     +               fi
>     +       done
>     +
> 
> 
> Thanks for tackling the topic Allan - here and in devtools.
> 
> Would it make sense to error out if any key is missing? Be that now or 
> in the mid-to-long run.

devtools will, makepkg will not.

> Perhaps we can mandate it when devtools version X is detected, or as 
> makepkg.conf toggle Y is set?

I think this is a distro specific policy and not something to be 
enforced at the makepkg end.

Allan

Patch

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 69757d03..bddcbe03 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -705,6 +705,16 @@  create_srcpackage() {
 	done
 	pkgname=(${pkgname_backup[@]})
 
+	# add a copy of source PGP signing public keys if availabe in keys/pgp/<fingerprint>.asc
+	local key
+	for key in ${validpgpkeys[@]}; do
+		if [[ -f keys/pgp/$key.asc ]]; then
+			mkdir -p "${srclinks}/${pkgbase}/keys/pgp/"
+			ln -s "${startdir}/keys/pgp/$key.asc" "${srclinks}/${pkgbase}/keys/pgp/"
+		fi
+	done
+
+
 	local fullver=$(get_full_version)
 	local pkg_file="$SRCPKGDEST/${pkgbase}-${fullver}${SRCEXT}"
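Review bot: the hunk adds two blank lines (`+` followed by `+`) before `local fullver=$(get_full_version)`, leaving a double blank line inside create_srcpackage; one of them should go. The comment on the first added line misspells "available" as "availabe", and that line is far longer than the surrounding code; splitting it as `# add a copy of source PGP signing public keys, if available,` / `# as keys/pgp/<fingerprint>.asc` would match the file's style.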